Spring CorsFilter似乎仍然没有在预检请求上收到401
嗨,我刚开始尝试弹出安全性,并试图找出如何配置auth服务器来发出令牌。 我现在遇到的问题是我在Cors预检请求上收到了401或403,并且不确定如何解决以下是基于少数教程的裸机实现
https://spring.io/blog/2015/06/08/cors-support-in-spring-framework http://www.baeldung.com/spring-security-oauth-jwt
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity @PropertySource(value = "classpath:oauth.properties") public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired UserRepository userRepository; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(authenticationProvider()); } @Override public void configure(WebSecurity web) throws Exception { super.configure(web); } @Autowired ObjectMapper mapper; @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.authorizeRequests().antMatchers(HttpMethod.OPTIONS,"/oauth/token").permitAll() .anyRequest().authenticated(); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(final AuthenticationManagerBuilder auth) throws Exception{ auth.inMemoryAuthentication(). withUser("john").password("123").roles("USER"). and(). withUser("tom").password("111").roles("ADMIN"); } @Bean public FilterRegistrationBean corsFilter() { FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2()); bean.setOrder(0); return bean; } } @Configuration @EnableAuthorizationServer public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter{ @Autowired private Environment env; @Autowired @Qualifier("authenticationManagerBean") private AuthenticationManager authenticationManager; @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer){ oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()"); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception{ clients.inMemory().withClient("acme").secret("acmesecret").authorizedGrantTypes("authorization_code", "refresh_token", "password").scopes("openId"); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints){ final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain(); tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(),accessTokenConverter())); endpoints.tokenStore(tokenStore()) .tokenEnhancer(tokenEnhancerChain) .authenticationManager(authenticationManager); } @Bean public JwtAccessTokenConverter accessTokenConverter(){ final JwtAccessTokenConverter converter = new JwtAccessTokenConverter(); return converter; } @Bean public TokenStore tokenStore(){ return new JwtTokenStore(accessTokenConverter()); } @Bean public FilterRegistrationBean corsFilter() { FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2()); bean.setOrder(0); return bean; } @Bean @Primary public DefaultTokenServices tokenServices() { DefaultTokenServices defaultTokenServices = new DefaultTokenServices(); defaultTokenServices.setTokenStore(tokenStore()); defaultTokenServices.setSupportRefreshToken(true); return defaultTokenServices; } }
CorsFilter2是在春季4.2中引入的spring corsfilter我正在使用它来插入适当的响应头以发送回客户端。
所以我想出了我的问题,我必须配置我的websecurity以忽略CoresRequest请求,所以在websecurity的配置块内我必须设置这个
web.ignoring().requestMatchers(CorsUtils::isPreFlightRequest);
它开始起作用了。
- Spring Global CORS配置不起作用,但控制器级配置不起作用
- 在ContainerResponseFilter中获得响应(JAX-RS 2)
- IE11 CORS拒绝https上的OPTIONS
- 在Spring 5 Webflux中启用CORS?
- 如何将Cross Origin资源共享与Spring MVC 4.0.0 RESTful Webservice集成
- Spring Security的跨源资源共享
- Access-Control-Allow-Origin在ajax调用泽西restWeb服务中
- 请求的资源上不存在Access-Control-Allow-Origin标头
- 预检的响应具有无效的HTTP状态代码401 – Spring