【Posted】: 2021-02-24 17:47:34
【Question】:
I came across this project while trying to solve a problem where the server responds 401 Unauthorized to OPTIONS requests.
I looked at the project (a Spring 5 project bundled as an EAR, not Boot) and found that there is a CORS filter. Then I looked at the security configuration and found that there are two.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// CustomUserDetailsService and CustomDaoAuthenticationProvider are project classes not shown here.
//@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Bean
    public CustomDaoAuthenticationProvider authenticationProvier() {
        CustomDaoAuthenticationProvider customProvider = new CustomDaoAuthenticationProvider();
        customProvider.setUserDetailsService(customUserDetailsService);
        customProvider.setPasswordEncoder(passwordEncoder());
        return customProvider;
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvier());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Default order (100) for a WebSecurityConfigurerAdapter; everything is permitted,
        // but anonymous access is disabled.
        http
            .cors()
                .and()
            .csrf().disable()
            .anonymous().disable()
            .authorizeRequests()
                .antMatchers("/**").permitAll();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(10);
    }
}
The second is
import java.io.IOException;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.util.FileCopyUtils;

@Configuration
@EnableResourceServer
@EnableWebSecurity
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // Stateless resource server: every request must carry a valid bearer token.
        http.anonymous().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable().authorizeRequests()
            .antMatchers(HttpMethod.GET, "/somepath/**").access("#oauth2.hasScope('some_scope') "
                + "and hasAnyRole('role_1','r')")
            // .... (remaining matchers omitted in the question)
            .anyRequest().authenticated();
    }

    @Override
    public void configure(final ResourceServerSecurityConfigurer config) {
        config.tokenServices(tokenServices());
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        // JWTs are verified with the RSA public key shipped on the classpath.
        final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        ClassPathResource resource = new ClassPathResource("id_rsa.pub");
        String publicKey = null;
        try {
            publicKey = new String(FileCopyUtils.copyToByteArray(resource.getInputStream()));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        converter.setVerifierKey(publicKey);
        return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }
}
After reading questions related to this, I believe OAuth2ResourceServerConfig takes precedence over WebSecurityConfig (question here).
So in the current setup, are both the token and the password checked? If I raise the priority of WebSecurityConfig, it will solve the problem. Please correct me if I have misunderstood anything here.
【Discussion】:
Tags: spring rest spring-security spring-oauth2
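An added example, not code from the question or its project, showing how a higher-priority chain can be scoped so that raising its priority does not bypass the resource server's token check. It assumes the resource-server chain registered by @EnableResourceServer runs at order 3, that the project's existing CorsConfigurationSource or CorsFilter bean is available to .cors(), and the class name PreflightSecurityConfig is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical chain that handles CORS preflight only. @Order(1) places it ahead
// of the resource-server chain (order 3), whereas a plain WebSecurityConfigurerAdapter
// sits at order 100 and is never reached when the resource server matches "/**".
@Configuration
@Order(1)
public class PreflightSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to OPTIONS requests. Without this restriction a
            // permitAll() chain at order 1 would shadow OAuth2ResourceServerConfig
            // for every request and the bearer-token check would never run.
            .requestMatchers()
                .antMatchers(HttpMethod.OPTIONS, "/**")
                .and()
            // Relies on the CORS configuration bean assumed to exist in the project.
            .cors()
                .and()
            .csrf().disable()
            // Anonymous access is deliberately left enabled here: with anonymous()
            // disabled and no Authentication in the context, the security
            // interceptor rejects the request before permitAll() is consulted.
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}
```

Non-OPTIONS requests fall through to OAuth2ResourceServerConfig unchanged, so the token (not a password) is still what protects the API.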