Spring boot 如何使用spring security在spring boot中启用CORS
我已经实现了Spring boot 如何使用spring security在spring boot中启用CORS,spring-boot,spring-security,cors,Spring Boot,Spring Security,Cors,我已经实现了WebMVCConfigureAdapter,还添加了CorsFilter并配置了头文件 @EnableWebMvc @Configuration public class WebConfig extends WebMvcConfigurerAdapter { @Override public void addCorsMappings( CorsRegistry registry ) { registry.addMapping("/**").
WebMVCConfigureAdapter
,还添加了CorsFilter
并配置了头文件
@EnableWebMvc
@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {
@Override
public void addCorsMappings( CorsRegistry registry )
{
registry.addMapping("/**").allowedOrigins("http://localhost:3000").allowCredentials(false);
}
}
@Slf4j
public class CustomCorsFilter implements javax.servlet.Filter {
@Override
public void init( FilterConfig filterConfig ) throws ServletException
{
}
@Override
public void doFilter( ServletRequest req, ServletResponse res, FilterChain chain )
throws IOException, ServletException
{
if( req instanceof HttpServletRequest && res instanceof HttpServletResponse )
{
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// Access-Control-Allow-Origin
String origin = request.getHeader("Origin");
response.setHeader("Access-Control-Allow-Origin", "http://localhost:3000");
response.setHeader("Vary", "Origin");
// Access-Control-Max-Age
response.setHeader("Access-Control-Max-Age", "3600");
// Access-Control-Allow-Credentials
response.setHeader("Access-Control-Allow-Credentials", "false");
// Access-Control-Allow-Methods
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
// Access-Control-Allow-Headers
response.setHeader("Access-Control-Allow-Headers",
"Origin, X-Requested-With, Content-Type, Accept, " + "X-CSRF-TOKEN");
log.info("********************** Configured ****************************************");
}
chain.doFilter(req, res);
}
@Override
public void destroy()
{
}
}
我还有另外两个过滤器,它们执行身份验证
和授权
。但是,当本地系统中的前端应用程序尝试访问API时,我得到以下错误:
Access to XMLHttpRequest at 'http://3.12.228.75:8090/rest/noauth/otp/sandesha@test.com' from origin 'http://0.0.0.0:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
如何解决这个问题?我使用的是spring boot 1.5.10
我的WebSecurityConfig
类是
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Autowired
private CustomLogoutHandler logoutHandler;
@Autowired
private HttpLogoutSuccessHandler logoutSuccessHandler;
@Autowired
private UserModelRepository userModelRepository;
@Autowired
private RefreshTokenService refreshTokenService;
@Autowired
private AuthTokenModelRepository authTokenModelRepository;
@Autowired
private UserActivitiesRepository userActivitiesRepository;
@Autowired
private UserSubscriptionRepository userSubscriptionRepository;
@Autowired
private HandlerExceptionResolver handlerExceptionResolver;
@Autowired
private StringRedisTemplate redisTemplate;
@Autowired
private UserService userService;
@Override
protected void configure( HttpSecurity http ) throws Exception
{
http.csrf().disable()
.authorizeRequests()
.antMatchers("/rest/noauth/**").permitAll()
.antMatchers("/rest/login").permitAll()
.antMatchers("/rest/logout").permitAll()
.antMatchers("/static/**").permitAll()
.antMatchers("/ws/**").permitAll()
.antMatchers("/rest/razorpay/hook").permitAll()
.antMatchers("/rest/user/cc").permitAll()
.antMatchers("/v2/api-docs/**", "/configuration/ui/**", "/swagger-resources/**",
"/configuration/security/**", "/swagger-ui.html/**", "/webjars/**")
.permitAll()
.antMatchers("/rest/file/invoiceFileDownload", "/rest/file/fileDownload", "/rest/file/fileDownload/**")
.permitAll()
.anyRequest().authenticated()
.and()
.logout().addLogoutHandler(logoutHandler).logoutSuccessHandler(logoutSuccessHandler)
.logoutUrl("/rest/logout")
.and()
.addFilterBefore(
new JWTAuthenticationFilter("/rest/login", tokenService(), refreshTokenService,
authTokenModelRepository, userService, userActivitiesRepository,
handlerExceptionResolver, bCryptPasswordEncoder, redisTemplate),
UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new JWTAuthorizationFilter(authenticationManager(), authTokenModelRepository,
userSubscriptionRepository, handlerExceptionResolver, redisTemplate),
UsernamePasswordAuthenticationFilter.class);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure( AuthenticationManagerBuilder auth ) throws Exception
{
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
@Bean
public TokenService tokenService()
{
return new TokenService(userModelRepository);
}
}
您必须保持配置的值与实际请求的值相同。
这里您可以从
0.0.0.0:3000
请求,并将头设置为localhost:3000
。在org.springframework.web.cors.corscoconfiguration#checkOrigin
中会发生字符串比较,在您的情况下会失败 我也将其更改为0.0.0.0:3000
,但它失败了