[英]Spring Boot Data Rest + CORS not being enabled properly for OPTIONS/DELETE
I've got an extremely simple example that I can't get to work.我有一个非常简单的例子,我无法开始工作。
I have my domain that models my database, and my Repository.我有我的域来模拟我的数据库和我的存储库。
public interface MyTestRepository extends CrudRepository<MyTest, Integer> {
}
I used http://resttesttest.com/ to test it.我使用http://resttesttest.com/来测试它。 For GET Method's it returns me the JSON REST information without any issue.
对于 GET 方法,它会毫无问题地返回 JSON REST 信息。
I can query the endpoint http://localhost:8080/mytest/1 and I get back the information for id=1 from the database.我可以查询端点http://localhost:8080/mytest/1并从数据库中获取 id=1 的信息。
However, the problem comes in when I try to use the DELETE option.但是,当我尝试使用 DELETE 选项时,问题就出现了。 If I run a DELETE on http://localhost:8080/mytest/1 I get
如果我在http://localhost:8080/mytest/1上运行 DELETE 我得到
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
对预检请求的响应未通过访问控制检查:请求的资源上不存在“Access-Control-Allow-Origin”标头。 Origin ' http://resttesttest.com ' is therefore not allowed access.
因此,不允许访问 Origin ' http://resttesttest.com '。 The response had HTTP status code 403.
响应具有 HTTP 状态代码 403。
I initially tried the following, but found out that I can't use it because I'm using Spring-data-Rest.我最初尝试了以下方法,但发现我无法使用它,因为我使用的是 Spring-data-Rest。 https://jira.spring.io/browse/DATAREST-573
https://jira.spring.io/browse/DATAREST-573
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("*")
.allowedHeaders("*")
.allowCredentials(true).maxAge(3600);
}
I googled around and found this.我用谷歌搜索并找到了这个。
How to configure CORS in a Spring Boot + Spring Security application? 如何在 Spring Boot + Spring Security 应用程序中配置 CORS?
So I added所以我加了
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
I also found this thread.我也找到了这个线程。
Spring Data Rest and Cors Spring Data Rest 和 Cors
and tried the following code as well, but no luck.并尝试了以下代码,但没有运气。
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("OPTIONS");
config.addAllowedMethod("HEAD");
config.addAllowedMethod("GET");
config.addAllowedMethod("PUT");
config.addAllowedMethod("POST");
config.addAllowedMethod("DELETE");
config.addAllowedMethod("PATCH");
source.registerCorsConfiguration("/**", config);
// return new CorsFilter(source);
final FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
I added a catch all to test which should allow everything CORS wise to pass, however I still keep getting the No 'Access-Control-Allow-Origin' even though I have "*".我添加了一个 catch all 来测试,它应该允许所有 CORS 明智地通过,但是即使我有“*”,我仍然不断得到 No 'Access-Control-Allow-Origin'。
At this point I have no idea what I am missing on why the preflight request doesn't pass access control check.在这一点上,我不知道为什么预检请求没有通过访问控制检查。
curl has no problem issuing the delete. curl 发出删除没有问题。
Edit:编辑:
Ended up finding the exact solution.最终找到了确切的解决方案。 I'm not sure of the differences between what I have and this method, but this seems to work.
我不确定我所拥有的和这种方法之间的区别,但这似乎有效。
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* Note this is a very simple CORS filter that is wide open.
* This would need to be locked down.
* Source: https://stackoverflow.com/questions/39565438/no-access-control-allow-origin-error-with-spring-restful-hosted-in-pivotal-web
*/
@Component
public class CORSFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
chain.doFilter(req, res);
}
public void init(FilterConfig filterConfig) {}
public void destroy() {}
}
The following configuration works for me in a Spring Data Rest based application.以下配置适用于基于 Spring Data Rest 的应用程序。 The important point to note is that the filter is registered to execute before the Security Filter chain kicks in.
需要注意的重要一点是,过滤器已注册为在安全过滤器链启动之前执行。
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
@Override
public void configure(HttpSecurity http) throws Exception
{
http.addFilterBefore(corsFilter(), ChannelProcessingFilter.class);
}
@Bean
protected Filter corsFilter()
{
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("OPTIONS");
config.addAllowedMethod("HEAD");
config.addAllowedMethod("GET");
config.addAllowedMethod("PUT");
config.addAllowedMethod("POST");
config.addAllowedMethod("DELETE");
config.addAllowedMethod("PATCH");
config.addExposedHeader("Location");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
}
This is what I use as a permit all CORS servlet filter:这是我用作允许所有 CORS servlet 过滤器的内容:
public class PermissiveCORSFilter implements Filter {
private static final Logger LOGGER = LoggerFactory.getLogger(PermissiveCORSFilter.class);
private static final Pattern PATTERN = Pattern.compile("^[a-zA-Z0-9 ,-_]*$");
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
String origin;
String credentialFlag;
if (request.getHeader("Origin") == null) {
origin = "*";
credentialFlag = "false";
} else {
origin = request.getHeader("Origin");
credentialFlag = "true";
}
// need to do origin.toString() to avoid findbugs error about response splitting
response.addHeader("Access-Control-Allow-Origin", origin.toString());
response.setHeader("Access-Control-Allow-Credentials", credentialFlag);
if ("OPTIONS".equals(request.getMethod())) {
LOGGER.info("Received OPTIONS request from origin:" + request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Methods", "GET,POST,HEAD,OPTIONS,PUT,DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
String headers = StringUtils.trimToEmpty(request.getHeader("Access-Control-Request-Headers"));
if (!PATTERN.matcher(headers).matches()) {
throw new ServletException("Invalid value provided for 'Access-Control-Request-Headers' header");
}
response.setHeader("Access-Control-Allow-Headers", headers); // allow any headers
}
chain.doFilter(req, res);
}
@Override
public void init(FilterConfig filterConfig) {
// Do nothing
}
@Override
public void destroy() {
// Do nothing
}
Using Spring Boot 2.2.6使用 Spring Boot 2.2.6
I had to add a filter to allow OPTIONS to work.我不得不添加一个过滤器以允许 OPTIONS 工作。 Without it, I got a 403 Forbidden.
没有它,我得到了一个 403 Forbidden。 The "Origin" request header is what triggered the 403 - I tested in Postman and without sending that header OPTIONS worked without a filter.
“Origin”请求标头是触发 403 的原因 - 我在 Postman 中进行了测试,并且没有发送该标头 OPTIONS 在没有过滤器的情况下工作。
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
@Component
public class CORSFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "OPTIONS"); // "POST, GET, PUT, OPTIONS, DELETE"
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
chain.doFilter(req, res);
}
public void init(FilterConfig filterConfig) {}
public void destroy() {}
}
Along with随着
@Configuration
public class ConfigCORS implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*") allowedOrigins("http://localhost:3000")
.allowedMethods("POST", "PUT", "GET", "DELETE", "OPTIONS")
.allowedHeaders("Content-Type", "Origin")
.exposedHeaders("X-Total-Count", "Location", "Access-Control-Allow-Origin")
.allowCredentials(false)
.maxAge(6000);
}
}
I seem to have the same issue.我似乎有同样的问题。 CrossOrigin config works fine with GET/PUT/POST, but when I request OPTIONS for my Spring PostMapping method the response omits the Access-Control-Allow-Methods header:
CrossOrigin 配置适用于 GET/PUT/POST,但是当我为 Spring PostMapping 方法请求 OPTIONS 时,响应会忽略 Access-Control-Allow-Methods 标头:
@CrossOrigin
public class ArticleController {
@DeleteMapping("/{uuid}")
public void delete(@PathVariable String uuid) throws ArticleNotFoundException {
articleService.delete(uuid);
}
If I curl for DELETE, I get a HTTP 200 including Access-Control-Allow-Methods:如果我为 DELETE 卷曲,我会得到一个 HTTP 200,包括 Access-Control-Allow-Methods:
$ curl -v -H "Access-Control-Request-Method: DELETE" -H "Origin: http://localhost:4200" -X OPTIONS http://localhost:8080/article/someuuid
< HTTP/1.1 200
< Access-Control-Allow-Origin: http://localhost:4200
< Access-Control-Allow-Methods: PUT,POST,GET,DELETE,OPTIONS
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
If I curl for OPTIONS, I get a 403:如果我为 OPTIONS 卷曲,我会得到 403:
$ curl -v -H "Access-Control-Request-Method: OPTIONS" -H "Origin: http://localhost:4200" -X OPTIONS http://localhost:8080/article/someuuid
< HTTP/1.1 403
Am I missing something here?我在这里错过了什么吗?
EDIT 1:编辑 1:
If I add this mapping to the controller (based on Enable CORS for OPTIONS request using Spring Framework ):如果我将此映射添加到控制器(基于Enable CORS for OPTIONS request using Spring Framework ):
@RequestMapping(
value = "/**",
method = RequestMethod.OPTIONS
)
public ResponseEntity handle() {
return new ResponseEntity(HttpStatus.OK);
}
This results in:这导致:
$ curl -v -H "Access-Control-Request-Method: OPTIONS" -H "Origin: http://localhost:4200" -X OPTIONS http://localhost:8080/article/someuuid
< HTTP/1.1 200
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: OPTIONS
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
But it doesn't solve the issue for Angular which still gives a 403但它并没有解决 Angular 的问题,它仍然给出 403
EDIT 2: I've been able to fix this with the following Controller-code:编辑 2:我已经能够使用以下控制器代码解决这个问题:
@RequestMapping("/article")
@CrossOrigin(origins="http://localhost:4200",
methods = {RequestMethod.PUT, RequestMethod.POST, RequestMethod.GET, RequestMethod.DELETE, RequestMethod.OPTIONS}
)
public class ArticleController {
@RequestMapping(
value = "/{uuid}",
method = { RequestMethod.DELETE })
public void delete(@PathVariable String uuid) throws ArticleNotFoundException {
articleService.delete(uuid);
}
@RequestMapping(method = { RequestMethod.OPTIONS})
public ResponseEntity handle() {
return new ResponseEntity(HttpStatus.OK);
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.