预检响应中的 Access-Control-Allow-Headers 不允许请求标头字段 x-xsrf-token

Posted 2023-03-04

【中文标题】预检响应中的 Access-Control-Allow-Headers 不允许请求标头字段 x-xsrf-token

【英文标题】：Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response

【发布时间】：2020-10-12 19:34:04

【问题描述】：

SprinBoot keycloak auth swagger 被浏览器阻止并显示消息，

CORS 策略已阻止从源“http://localhost:8081”访问“http://localhost:8080/auth/realms/test/protocol/openid-connect/token”获取：请求标头预检响应中的 Access-Control-Allow-Headers 不允许字段 x-xsrf-token。

This cors configs were added to spring boot app,
      cors: true
      cors-allowed-methods: GET,POST,HEAD,PUT,DELETE,OPTIONS
      cors-allowed-headers: x-xsrf-token

此外，客户端 URL http://localhost:8081 已添加到 keeycloak 中的 Web Origins。 不确定仍然缺少什么才能使其正常工作。

【问题讨论】：

你使用哪个keycloak版本？

图片：quay.io/keycloak/keycloak:latest

【参考方案1】：

您是否尝试在控制器类和存储库类上使用 @CrossOrigin(origins="http://localhost:8081")？

还结合它：尝试在主 SpringBoot Application 类中添加 WebConfigurer Bean 并使用 @CrossOrigin(origins="http://localhost:8081") 进行注释

    @Bean
    public WebMvcConfigurer corsConfigurer() 
        return new WebMvcConfigurer() 
            @Override
            public void addCorsMappings(CorsRegistry registry) 
                System.out.println("here");
                registry.addMapping("/**").allowedOrigins("http://localhost:8081").allowedMethods("PUT", "DELETE" )
                .allowedHeaders("header1", "header2", "header3")
                .exposedHeaders("header1", "header2")
                .allowCredentials(false).maxAge(3600);;
            
        ;
    

enabling CORS in your application server side.也请访问此链接

【参考方案2】：

您可以使用CorsConfiguration 设置允许的标头。

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter 

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http.cors().configurationSource(corsConfigurationSource());
    

    CorsConfigurationSource corsConfigurationSource() 
        CorsConfiguration configuration = new CorsConfiguration();
        List<String> allowOrigins = Arrays.asList("*");
        configuration.setAllowedOrigins(allowOrigins);
        configuration.setAllowedMethods(Collections.singletonList("*"));
        configuration.setAllowedHeaders(Collections.singletonList("*"));
        configuration.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;