Spring CorsWebFilter does not work for secured routes assigned hasAnyRole(...), but works for secured routes assigned permitAll()

Tags: spring, spring-boot, kotlin, spring-security, spring-webflux

However, when I use Postman, all routes work. But in my JavaScript application only the open routes (the ones using permitAll()) work; even when I pass a correct JWT token, the secured routes return the error below:

Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

Here is my Spring Security configuration:
// Imports added for completeness. AuthenticationManager and SecurityContextRepository are the
// application's own implementations of ReactiveAuthenticationManager and ServerSecurityContextRepository.
import org.springframework.context.annotation.Bean
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.reactive.CorsWebFilter
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class AppSecurity(val authManager: AuthenticationManager,
                  val securityContextRepository: SecurityContextRepository) {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        // No http.cors(...) here: the security filter chain itself does no CORS handling.
        return http.csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .authenticationManager(authManager)
            .securityContextRepository(securityContextRepository)
            .authorizeExchange()
            .pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .pathMatchers(HttpMethod.POST, "/apiv1/user", "/apiv1/user/login").permitAll()
            .pathMatchers(HttpMethod.GET, "/apiv1/user", "/apiv1/user/**").permitAll()
            // hasAnyRole() prepends "ROLE_" itself, so the bare role names are passed here.
            .pathMatchers(HttpMethod.POST, "/apiv1/shopping/**").hasAnyRole("CLIENT", "ADMIN")
            .pathMatchers(HttpMethod.GET, "/apiv1/shopping/**").hasAnyRole("CLIENT", "ADMIN")
            .anyExchange().authenticated()
            .and().build()
    }

    // Registered as a plain WebFilter bean without an order, this filter runs after Spring
    // Security's WebFilterChainProxy (order -100). Any 401/403 produced inside the security
    // chain is therefore sent without an Access-Control-Allow-Origin header, and the browser
    // reports that as a CORS failure rather than as an authentication failure.
    @Bean
    fun corsWebFilter(): CorsWebFilter {
        val corsConfig = CorsConfiguration()
        corsConfig.allowCredentials = true
        corsConfig.allowedOrigins = mutableListOf("*")
        corsConfig.allowedMethods = mutableListOf("*")
        corsConfig.allowedHeaders = mutableListOf("*")
        val source = UrlBasedCorsConfigurationSource()
        source.registerCorsConfiguration("/**", corsConfig)
        return CorsWebFilter(source)
    }
}
I managed to fix it by following the official documentation in the link below. The key point is that CORS must be processed before Spring Security. Here is my final code:
// Imports added for completeness. AuthenticationManager and SecurityContextRepository are the
// application's own implementations of ReactiveAuthenticationManager and ServerSecurityContextRepository.
import org.springframework.context.annotation.Bean
import org.springframework.http.HttpMethod
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.reactive.CorsConfigurationSource
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class AppSecurity(val authManager: AuthenticationManager,
                  val securityContextRepository: SecurityContextRepository) {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        // cors() makes Spring Security look up the CorsConfigurationSource bean below and insert
        // its own CorsWebFilter at SecurityWebFiltersOrder.CORS, ahead of authentication, so
        // preflights and 401/403 responses alike carry the CORS headers.
        return http.cors(Customizer.withDefaults()).csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .authenticationManager(authManager)
            .securityContextRepository(securityContextRepository)
            .authorizeExchange()
            .pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .pathMatchers(HttpMethod.POST, "/apiv1/user", "/apiv1/user/login").permitAll()
            .pathMatchers(HttpMethod.GET, "/apiv1/user", "/apiv1/user/**").permitAll()
            // hasAnyRole() prepends "ROLE_" itself, so the bare role names are passed here.
            .pathMatchers(HttpMethod.POST, "/apiv1/shopping/**").hasAnyRole("CLIENT", "ADMIN")
            .pathMatchers(HttpMethod.GET, "/apiv1/shopping/**").hasAnyRole("CLIENT", "ADMIN")
            .anyExchange().authenticated()
            .and().build()
    }

    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val configuration = CorsConfiguration()
        // Caveat: allowCredentials=true combined with the "*" origin is rejected by Spring 5.3+
        // and, where accepted, lets any site send credentialed requests to this API. Prefer an
        // explicit list of trusted origins, methods and headers.
        configuration.allowCredentials = true
        configuration.allowedOrigins = mutableListOf("*")
        configuration.allowedMethods = mutableListOf("*")
        configuration.allowedHeaders = mutableListOf("*")
        val source = UrlBasedCorsConfigurationSource()
        source.registerCorsConfiguration("/**", configuration)
        return source
    }
}
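Added example (not code from the question or the answer): a CorsConfigurationSource that replaces the answer's wildcard-plus-credentials bean with an explicit trusted origin, and a WebTestClient test showing that a secured route now answers the preflight and that a request without a token comes back as a real 401 that still carries CORS headers, instead of the browser-side CORS error described above. It assumes a Spring Boot test context containing the answer's AppSecurity, a SecurityContextRepository that yields an empty context when no token is present, and placeholder values for the origin and route.

```kotlin
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpHeaders
import org.springframework.test.web.reactive.server.WebTestClient
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.reactive.CorsConfigurationSource
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource

const val APP_ORIGIN = "https://app.example.com" // placeholder for the real front-end origin

@Configuration
class CorsConfig {
    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val config = CorsConfiguration()
        // Explicit origin, methods and headers instead of "*": a wildcard with credentials is rejected by Spring 5.3+.
        config.allowedOrigins = listOf(APP_ORIGIN)
        config.allowedMethods = listOf("GET", "POST", "OPTIONS")
        config.allowedHeaders = listOf(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE)
        config.allowCredentials = true
        val source = UrlBasedCorsConfigurationSource()
        source.registerCorsConfiguration("/apiv1/**", config)
        return source
    }
}

@SpringBootTest
@AutoConfigureWebTestClient
class CorsOnSecuredRoutesTest(@Autowired val client: WebTestClient) {
    @Test
    fun `preflight to a secured route is answered before authentication runs`() {
        client.options().uri("/apiv1/shopping/cart")
            .header(HttpHeaders.ORIGIN, APP_ORIGIN)
            .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET").exchange()
            .expectStatus().isOk()
            .expectHeader().valueEquals(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, APP_ORIGIN)
    }
    @Test
    fun `a missing token gives a 401 that still carries CORS headers`() {
        client.get().uri("/apiv1/shopping/cart")
            .header(HttpHeaders.ORIGIN, APP_ORIGIN).exchange()
            .expectStatus().isUnauthorized()
            .expectHeader().valueEquals(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, APP_ORIGIN)
    }
}
```

Drop the answer's own corsConfigurationSource bean when adding this one, otherwise the two bean definitions clash.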