Fatal编程技术网
  • java/
  • Java 无效JWT令牌上的Spring安全访问控制允许源代码:*(CORS)问题

Java 无效JWT令牌上的Spring安全访问控制允许源代码:*(CORS)问题

java spring-boot spring-security jwt microservices

Java 无效JWT令牌上的Spring安全访问控制允许源代码:*(CORS)问题,java,spring-boot,spring-security,jwt,microservices,Java,Spring Boot,Spring Security,Jwt,Microservices,我在Spring Boot应用程序中配置了JWT安全性和Spring安全性。我对你有意见 Access-Control-Allow-Origin: * 标题,也称为CORS。我配置了应用程序,以便在每个服务器响应中都有标头,但一旦JWT令牌无效,服务器响应将显示403错误代码,但不允许访问控制源:*标头。这会导致浏览器将错误消息写入控制台: 加载失败http://... 未显示“访问控制允许来源”标题 在请求的资源上显示。起源'http://...因此, 不允许访问。响应的HTTP状态代码为4

我在Spring Boot应用程序中配置了JWT安全性和Spring安全性。我对你有意见

Access-Control-Allow-Origin: *
标题,也称为CORS。我配置了应用程序,以便在每个服务器响应中都有标头,但一旦JWT令牌无效,服务器响应将显示403错误代码,但不允许访问控制源:*标头。这会导致浏览器将错误消息写入控制台:

加载失败http://... 未显示“访问控制允许来源”标题 在请求的资源上显示。起源'http://...因此, 不允许访问。响应的HTTP状态代码为403

这似乎是错误的,我希望获得Access Control Allow Origin:*响应中的标头,即使JWT令牌无效,服务器响应中有403错误代码。

现在我尝试了什么和我的代码

依赖项:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
...

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
这里是JwtAuthenticationFilter类。请注意,为了验证令牌,它通过http调用其他微服务。此外,我的应用程序没有登录端点,因为登录是在其他microservice应用程序上实现的

public class JwtAuthenticationFilter extends BasicAuthenticationFilter {

    private String header;
    private String prefix;
    private String validateLink;

    public JwtAuthenticationFilter(String header, String prefix, String validateLink) {
        super(new AuthenticationManager() {
            public Authentication authenticate(Authentication authentication) throws AuthenticationException{
                return null;
            }
        });
        this.header = header;
        this.prefix = prefix;
        this.validateLink = validateLink;
    } 

    @Override
    protected void doFilterInternal(HttpServletRequest request, 
            HttpServletResponse response, 
            FilterChain chain)
            throws ServletException, IOException {

        // 1. get the authentication header. Tokens are supposed to be passed in the
        // authentication header
        String headerValue = request.getHeader(header);

        // 2. validate the header and check the prefix
        if (headerValue == null || !headerValue.startsWith(prefix)) {
            chain.doFilter(request, response); // If not valid, go to the next filter.
            return;
        }
        // 3. Get the token     
        String token = headerValue.replace(prefix, ""); 

        try {

            GatewayResponse gatewayResponse = validate(token);

            String userId = gatewayResponse.getUserId();

            /*
            Roles could come from gateway or loaded from current
            microservice database by user id. They are
            hardcoded here to illustrate how to populate
            SecurityContextHolder
            */
            List<String> authorities = new LinkedList<String>();
            authorities.add("USER");
            authorities.add("ADMIN");

            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userId, null,
                    authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
            SecurityContextHolder.getContext().setAuthentication(auth);
            addTokenToResponse(gatewayResponse.getAuthHeader(), response);
        } catch (Exception e) {
            // In case of failure. Make sure it's clear; so guarantee user won't be
            // authenticated
            SecurityContextHolder.clearContext();
        }

        // go to the next filter in the filter chain
        chain.doFilter(request, response);
    }

    private void addTokenToResponse(String authHeaderValue, HttpServletResponse response) {
        response.addHeader(header, prefix+authHeaderValue);
    }

    private GatewayResponse validate(String token) {
        /HTTP call here, returns null if invalid token
        ...
    }
}

公共类JwtAuthenticationFilter扩展了基本身份验证筛选器{
私有字符串头;
私有字符串前缀;
私有字符串验证;
公共JwtAuthenticationFilter(字符串头、字符串前缀、字符串validateLink){
超级(新身份验证管理器(){
公共身份验证(身份验证)引发AuthenticationException{
返回null;
}
});
this.header=头;
this.prefix=前缀;
this.validateLink=validateLink;
} 
@凌驾
受保护的无效doFilterInternal(HttpServletRequest请求,
HttpServletResponse,
过滤链(链条)
抛出ServletException、IOException{
//1.获取身份验证标头。令牌应该在
//认证头
字符串headerValue=request.getHeader(header);
//2.验证标头并检查前缀
if(headerValue==null | |!headerValue.startsWith(前缀)){
chain.doFilter(请求、响应);//如果无效,请转到下一个筛选器。
返回;
}
//3.拿到代币
字符串标记=headerValue.replace(前缀“”);
试一试{
网关响应网关响应=验证(令牌);
字符串userId=gatewaysresponse.getUserId();
/*
角色可以来自网关,也可以从当前服务器加载
按用户id列出的microservice数据库。它们是
此处硬编码以说明如何填充
SecurityContextHolder
*/
列表权限=新建LinkedList();
权限。添加(“用户”);
权限。添加(“管理”);
UsernamePasswordAuthenticationToken auth=新的UsernamePasswordAuthenticationToken(userId,null,
authorities.stream();
SecurityContextHolder.getContext().setAuthentication(auth);
addTokenToResponse(gatewayResponse.getAuthHeader(),response);
}捕获(例外e){
//万一出现故障,请确保它是清晰的,这样才能保证用户不会
//认证
SecurityContextHolder.clearContext();
}
//转到过滤器链中的下一个过滤器
链式过滤器(请求、响应);
}
私有void addTokenToResponse(字符串authHeaderValue,HttpServletResponse){
addHeader(头,前缀+authHeaderValue);
}
专用网关响应验证(字符串令牌){
/HTTP调用,如果令牌无效,则返回null
...
}
}
存在类似问题,无法使其与CorsConfiguration Source一起工作。只有基于过滤器的CORS支持有助于:

@Bean
public FilterRegistrationBean filterRegistrationBean() {
    final CorsConfiguration config = new CorsConfiguration();

    config.setAllowCredentials(true);
    config.addAllowedOrigin("http://localhost:4200");
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");

    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);

    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE);

    return bean;
}
尝试使用CrosFilter。找到下面的示例

@Bean
public CorsFilter corsFilter() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowCredentials(true);
    configuration.addAllowedOrigin("*");
    configuration.addAllowedHeader("*");
    configuration.addAllowedMethod("OPTIONS");
    configuration.addAllowedMethod("HEAD");
    configuration.addAllowedMethod("GET");
    configuration.addAllowedMethod("PUT");
    configuration.addAllowedMethod("POST");
    configuration.addAllowedMethod("DELETE");
    configuration.addAllowedMethod("PATCH");
    source.registerCorsConfiguration("/**", configuration);
    return new CorsFilter(source);
}
为过滤器链中的CorsFilter设置最高优先级有效。 
@Bean
public CorsFilter corsFilter() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowCredentials(true);
    configuration.addAllowedOrigin("*");
    configuration.addAllowedHeader("*");
    configuration.addAllowedMethod("OPTIONS");
    configuration.addAllowedMethod("HEAD");
    configuration.addAllowedMethod("GET");
    configuration.addAllowedMethod("PUT");
    configuration.addAllowedMethod("POST");
    configuration.addAllowedMethod("DELETE");
    configuration.addAllowedMethod("PATCH");
    source.registerCorsConfiguration("/**", configuration);
    return new CorsFilter(source);
}