[英]Spring CorsFilter does not seem to work still receiving a 401 on preflight requests
Hi I'm new to spring security and trying to figure out how to configure auth server to issue tokens. 嗨,我是Spring Security的新手,正在尝试弄清楚如何配置身份验证服务器以颁发令牌。 the problem i have right now is that I'm receiving 401 or 403 on the Cors preflight requests and not sure how to resolve below is a barebone implementation of it based on few tutorials
我现在遇到的问题是,我在Cors预检请求中收到401或403,不确定下面如何解决是基于一些教程的准系统实现
https://spring.io/blog/2015/06/08/cors-support-in-spring-framework http://www.baeldung.com/spring-security-oauth-jwt https://spring.io/blog/2015/06/08/cors-support-in-spring-framework http://www.baeldung.com/spring-security-oauth-jwt
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity
@PropertySource(value = "classpath:oauth.properties")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserRepository userRepository;
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(authenticationProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
super.configure(web);
}
@Autowired
ObjectMapper mapper;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS,"/oauth/token").permitAll()
.anyRequest().authenticated();
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception{
auth.inMemoryAuthentication().
withUser("john").password("123").roles("USER").
and().
withUser("tom").password("111").roles("ADMIN");
}
@Bean
public FilterRegistrationBean corsFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2());
bean.setOrder(0);
return bean;
}
}
@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter{
@Autowired
private Environment env;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer){
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception{
clients.inMemory().withClient("acme").secret("acmesecret").authorizedGrantTypes("authorization_code", "refresh_token",
"password").scopes("openId");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints){
final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(),accessTokenConverter()));
endpoints.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.authenticationManager(authenticationManager);
}
@Bean
public JwtAccessTokenConverter accessTokenConverter(){
final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
return converter;
}
@Bean
public TokenStore tokenStore(){
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public FilterRegistrationBean corsFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter2());
bean.setOrder(0);
return bean;
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
}
the CorsFilter2 is spring cors filter that was introduced in spring 4.2 I was i'm using it to insert the proper response headers to send back to the client. CorsFilter2是在春季4.2中引入的spring cors过滤器,当时我正在使用它来插入适当的响应头以发送回客户端。
So I figured out what my problem I had to configure my websecurity to ignore CoresRequest request as well so inside the configure block for the websecurity i had to set this 因此,我想出了我必须配置Web安全性以忽略CoresRequest请求的问题,因此必须在WebSecurity的configure块中设置此设置
web.ignoring().requestMatchers(CorsUtils::isPreFlightRequest);
and it started to work. 它开始起作用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.