【发布时间】:2017-06-21 07:17:54
【问题描述】:
Angular2 应用正在向 Spring Boot 发送带有 X-AUTH-TOKEN 标头值的 HTTP GET 请求。每次request.getHeader("X-AUTH-TOKEN") 返回null。
有趣的是,如果我从 ARC 客户端或任何其他 rest 客户端发送请求,它工作正常。
我还花费了大量时间确保 Angular HTTP GET 请求正在发送 JWT 令牌。
角度代码
getCandidatesByUserId(userId: number): Observable<Candidate[]> {
let headers = new Headers({ 'X-AUTH-TOKEN': 'let-jwt-test-token-in' });
console.log('Token is '+ headers.get('X-AUTH-TOKEN'));
return this.http.get(this.url+userId+'/candidates', {
headers: headers
})
.map((response: Response) => <Candidate[]> response.json())
.do(data => console.log('All: '+ JSON.stringify(data)))
.catch(this.handleError);
}
JWTFilter
@Override
public void doFilter(ServletRequest request, ServletResponse res, FilterChain filterChain)
throws IOException, ServletException {
try {
final HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "X-AUTH-TOKEN, Content-Type, Accept");
response.setHeader("Access-Control-Expose-Headers", "X-AUTH-TOKEN, Content-Type");
HttpServletRequest httpRequest = (HttpServletRequest) request;
Map<String, String> blackListedTokenMap =
(Map<String, String>) ((HttpServletRequest) request)
.getSession()
.getServletContext()
.getAttribute(WebAppListener.TOKEN_BLACK_LIST_MAP);
String authToken = authenticationService.getToken(httpRequest);
if (authToken != null && blackListedTokenMap.containsValue(authToken)) {
throw new RuntimeException("token invalidated");
}
UserAuthentication authentication = (UserAuthentication) authenticationService.getAuthentication(httpRequest);
SecurityContextHolder.getContext().setAuthentication(authentication);
filterChain.doFilter(request, response);
SecurityContextHolder.getContext().setAuthentication(null);
} catch (RuntimeException e) {
((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}
SpringSecurityConfig
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.csrfTokenRepository(new HttpSessionCsrfTokenRepository())
.requireCsrfProtectionMatcher(new AntPathRequestMatcher("*/*"));
http
.exceptionHandling()
.and()
.anonymous()
.and()
.servletApi()
.and()
.headers()
.cacheControl();
http
//.addFilterBefore(corsFilter, ChannelProcessingFilter.class)
.authorizeRequests()
.antMatchers("/resources/**").permitAll()// allow for static resources
.antMatchers("/signup").permitAll()
.antMatchers("/forgot").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/reset").permitAll()
.antMatchers("/health").permitAll()
.antMatchers("/hello").permitAll()
.antMatchers("/").permitAll()
.antMatchers("/reset_pw").permitAll()
.anyRequest().authenticated()
.and()
.addFilterAfter(new JJWTFilter(tokenAuthenticationService),
UsernamePasswordAuthenticationFilter.class);
}
【问题讨论】:
-
你用的是spring boot吗?我最近有一个类似的问题。一个应用程序在过滤器上使用 Authorization 标头而崩溃。它是空的。确定 @EnableWebMvc 注释搞砸了。
-
@LucasHolt 是的。我在后端使用
SpringBoot,但在任何地方都没有使用@EnableWebMvc。 -
嗨,有这方面的消息吗?我有同样的问题。我可以通过邮递员拨打电话,但不能通过我的 Angular 应用程序拨打电话。
标签: spring angular spring-boot spring-security