Spring Boot 和安全性中的 CORS 支持
Posted
技术标签:
【中文标题】Spring Boot 和安全性中的 CORS 支持【英文标题】:CORS support in spring boot and security 【发布时间】:2020-05-29 21:02:38 【问题描述】:我已将spring security 配置为启用cors。
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Autowired
private CustomLogoutHandler logoutHandler;
@Autowired
private HttpLogoutSuccessHandler logoutSuccessHandler;
@Override
protected void configure( HttpSecurity http ) throws Exception
http.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/rest/noauth/**").permitAll()
.antMatchers("/rest/login").permitAll()
.antMatchers("/rest/logout").permitAll()
.antMatchers("/static/**").permitAll()
.antMatchers("/ws/**").permitAll()
.antMatchers("/rest/razorpay/hook").permitAll()
.antMatchers("/rest/user/cc").permitAll()
.antMatchers("/v2/api-docs/**", "/configuration/ui/**", "/swagger-resources/**",
"/configuration/security/**", "/swagger-ui.html/**", "/webjars/**")
.permitAll()
.anyRequest().authenticated()
.and()
.logout().addLogoutHandler(logoutHandler).logoutSuccessHandler(logoutSuccessHandler)
.logoutUrl("/rest/logout")
.and()
.addFilterBefore(
new JWTAuthenticationFilter("/rest/login", tokenService(), refreshTokenService,
authTokenModelRepository, userService, userActivitiesRepository,
handlerExceptionResolver, bCryptPasswordEncoder, redisTemplate),
UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new JWTAuthorizationFilter(authenticationManager(), authTokenModelRepository,
userSubscriptionRepository, handlerExceptionResolver, redisTemplate),
UsernamePasswordAuthenticationFilter.class);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
@Override
public void configure( AuthenticationManagerBuilder auth ) throws Exception
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
我有一个休息控制器,
@RestController
@RequestMapping( RestEndPoints.NO_AUTH_CONTROLLER )
@CrossOrigin(origins = "http://0.0.0.0:3000")
public class OtpController extends AbstractController
@Autowired
private AuthService authService;
@ApiOperation( value = "Generate OTP to login using registered email address", response = UIResponse.class, notes = "Please do validate and send only the organisation email address" )
@ApiResponses( value = @ApiResponse( code = 200, message = "Otp generated for <email_address>" ),
@ApiResponse( code = 400, message = "Email address not registered as CC", response = UIErrorMessage.class ),
@ApiResponse( code = 500, message = "Something went wrong", response = UIErrorMessage.class ) )
@PostMapping( "/otp/email_address:.+" )
public ResponseEntity generateOtpToLogin( @PathVariable( "email_address" ) String emailAddress )
try
return buildResponse(authService.generateOtpForTheEmailAddress(emailAddress));
catch( DataException e )
return buildError(e);
但是,当从前端应用程序向 POST 方法发出 API 请求时,浏览器正在发出 OPTIONS 调用,并且响应标头为 Access-Control-Allowed-Origin:*,即使我将其设置为 0.0.0.0:3000 和浏览器出现错误,
访问 XMLHttpRequest 在 'http://192.168.1.3:8090/rest/noauth/otp/sandesha@test.com' 来自 来源“http://0.0.0.0:3000”已被 CORS 策略阻止: 响应中“Access-Control-Allow-Origin”标头的值必须 当请求的凭据模式为时,不是通配符“*” '包括'。发起请求的凭证模式 XMLHttpRequest 由 withCredentials 属性控制。
如何解决这个问题?
【问题讨论】:
我认为这与您在后端配置通配符“*”“Access-Control-Allow-Origin”标头时如何从前端发出请求有关。后端和前端配置的组合不正确。例如,请查看此链接。 https://***.com/q/19743396/10159797 【参考方案1】:我之前遇到过同样的问题,我想它也需要一些其他参数。
所以我放置以下代码,它对我来说是工作文件。
package com.ecommerce.auth_service.service.jwt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCORSFilter implements Filter
private final Logger log = LoggerFactory.getLogger(SimpleCORSFilter.class);
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String check = "xsrf-token,X-Total-Results,Authorization";
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me, Authorization");
response.setHeader("Access-Control-Expose-Headers",check);
if ("OPTIONS".equalsIgnoreCase(request.getMethod()))
log.debug("Request get method call status SC_OK.");
response.setStatus(HttpServletResponse.SC_OK);
else
log.debug("Request get method not work chain start.");
chain.doFilter(req, res);
@Override
public void init(FilterConfig filterConfig)
@Override
public void destroy()
【讨论】:
以上是关于Spring Boot 和安全性中的 CORS 支持的主要内容,如果未能解决你的问题,请参考以下文章
Angular 2 + CORS + 带有 Spring Security 的 Spring Boot Rest Controller
没有弹簧安全性的 Spring Boot + React CORS 问题
Spring boot:无法从另一个 Origin 访问安全资源 - CORS - Spring Security - Spring data rest