CORS 起源问题 - Spring Boot 和 Angular 4

【问题标题】:CORS Origin issue - Spring Boot & Angular 4CORS 起源问题 - Spring Boot 和 Angular 4
【发布时间】:2018-10-30 08:30:22
【问题描述】:

我目前正在处理 Angular 4 FrontEnd AppSpring Boot Backend App 之间的 JWT 身份验证,服务器端的一切工作正常,我在身份验证级别遇到的问题如下。

这发生在我获得登录请求已成功处理的 200 OK 状态后,如下图所示。

在我用于安全应用程序和登录处理的配置下方。

    public class JWTAuthorizationFiler extends OncePerRequestFilter {

        @SuppressWarnings("unchecked")
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                throws ServletException, IOException {

            response.addHeader("Access-Control-Allow-Origin", "*");
            response.addHeader("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, "
                    + "Access-Control-Request-Method, Access-Control-Request-Headers, authorization");
            response.addHeader("Access-Control-Expose-Headers",
                    "Access-Control-Allow-Origin, Access-Control-Allow-Credentials, authorization");

            if (request.getMethod().equals("OPTIONS")) {
                response.setStatus(HttpServletResponse.SC_OK);
            }

            String jwt = request.getHeader(SecurityConstants.HEADER_STRING);
            if (jwt == null || !jwt.startsWith(SecurityConstants.TOKEN_PREFIX)) {
                filterChain.doFilter(request, response);
                return;
            }

            Claims claims = Jwts.parser().setSigningKey(SecurityConstants.SECRET)
                    .parseClaimsJws(jwt.replace(SecurityConstants.TOKEN_PREFIX, "")).getBody();

            String username = claims.getSubject();
            ArrayList<Map<String, String>> roles = (ArrayList<Map<String, String>>) claims.get("roles");

            Collection<GrantedAuthority> authorities = new ArrayList<>();
            roles.forEach(r -> {
                authorities.add(new SimpleGrantedAuthority(r.get("authority")));
            });

            UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username,
                    null, authorities);

            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
            filterChain.doFilter(request, response);
        }
    }



    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService;
        @Autowired
        private BCryptPasswordEncoder bCyptPasswordEncoder;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(bCyptPasswordEncoder);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            // http.formLogin();
            http.authorizeRequests().antMatchers("/login/**", "/register/**", "/paramsApi/**").permitAll();
            http.authorizeRequests().antMatchers(HttpMethod.POST, "/studentResource/**").hasAuthority("ADMIN");
            http.authorizeRequests().antMatchers(HttpMethod.GET, "/studentResource/**").hasAuthority("ADMIN");
            http.authorizeRequests().anyRequest().authenticated();
            http.addFilter(new JWTAuthenticationFilter(authenticationManager()));
            http.addFilterBefore(new JWTAuthorizationFiler(), UsernamePasswordAuthenticationFilter.class);
        }
    }

我认为 JWTAuthorizationFilter.java 是这个问题的主要原因,非常感谢任何解决这个问题的方法。

【问题讨论】:

    标签: angular spring-boot spring-security cors jwt


    【解决方案1】:

    SecurityConfig 类的configure 方法中,您必须像这样启用 CORS 

    http.cors().and() ...//continue the rest of the configuration..

    通过定义http.cors(),它将默认使用名称为 bean

    corsConfigurationSource 在这种情况下,您还必须在 SecurityConfig 类中定义一个 bean,它将保存 CORS 配置。

        @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("https://localhost:4200"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    您可以使用 WebMvcConfigureAdapter 类来启用 CORS 还有

        @Configuration
    @EnableWebMvc
    public class WebConfig extends WebMvcConfigurerAdapter {

        @Override
        public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
        .allowedOrigins("your url or just add * ")
        .allowedMethods("PUT", "DELETE")
            .allowedHeaders("header1", "header2", "header3")
        .exposedHeaders("header1", "header2")
        .allowCredentials(false).maxAge(3600);
        }

    }

    可能不需要完整的配置,只需删除不必要的方法,如 allowedMethods、allowedHeaders 和暴露的Headers 。

    欲了解更多信息,请通过 https://spring.io/blog/2015/06/08/cors-support-in-spring-framework & https://docs.spring.io/spring-security/site/docs/current/reference/html/cors.html

    【讨论】:

      猜你喜欢
      • 2020-09-08
      • 2017-04-13
      • 2021-09-26
      • 2021-04-11
      • 2015-05-13
      • 1970-01-01
      • 2017-09-09
      • 2021-05-22
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode