
Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response

Spring Boot Keycloak auth Swagger is blocked by the browser with the message,

Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response

Access to fetch at 'http://localhost:8080/auth/realms/test/protocol/openid-connect/token' from origin 'http://localhost:8081' has been blocked by CORS policy: Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response.

These CORS configs were added to the Spring Boot app,
      cors: true
      cors-allowed-methods: GET,POST,HEAD,PUT,DELETE,OPTIONS
      cors-allowed-headers: x-xsrf-token

As well, the client URL http://localhost:8081 was added to Web Origins in Keycloak. Not sure what is still missing to get it to work.

Did you try using @CrossOrigin(origins="http://localhost:8081") on your controller class and repository class?

Also in conjunction with it: try to add a WebMvcConfigurer bean in your main Spring Boot application class and annotate that too with @CrossOrigin(origins="http://localhost:8081")

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                System.out.println("here");
                // Apply the CORS rules to every path, for the one allowed origin.
                registry.addMapping("/**")
                        .allowedOrigins("http://localhost:8081")
                        .allowedMethods("PUT", "DELETE")
                        // Placeholder names: list the request headers the client actually sends.
                        .allowedHeaders("header1", "header2", "header3")
                        .exposedHeaders("header1", "header2")
                        .allowCredentials(false)
                        .maxAge(3600);
            }
        };
    }

Please visit this link too for enabling CORS in your application server side.

You may use CorsConfiguration to set the allowed headers.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    import java.util.Collections;
    import java.util.List;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Let Spring Security answer preflight requests from this CORS configuration.
            http.cors().configurationSource(corsConfigurationSource());
        }

        CorsConfigurationSource corsConfigurationSource() {
            CorsConfiguration configuration = new CorsConfiguration();
            // A "*" origin cannot be combined with allowCredentials(true): browsers reject it and
            // Spring 5.3+ throws IllegalArgumentException, so the client origin is named explicitly.
            List<String> allowOrigins = Collections.singletonList("http://localhost:8081");
            configuration.setAllowedOrigins(allowOrigins);
            configuration.setAllowedMethods(Collections.singletonList("*"));
            // "*" here makes Spring echo back whatever Access-Control-Request-Headers asks for.
            configuration.setAllowedHeaders(Collections.singletonList("*"));
            configuration.setAllowCredentials(true);
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", configuration);
            return source;
        }
    }
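
The check the browser applies to a preflight response, as an added example (not part of the original question or answers): a simplified JavaScript model of the Fetch standard's rules, run on constructed response headers for the token request in the question. The function names and all sample header values are assumptions; method and header names are compared case-insensitively for brevity.

```javascript
// Added example: simplified model of the browser's CORS preflight check.
// `request.headers` lists only the non-safelisted header names the page wants to send.
function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function checkPreflight(request, response) {
  const h = {};
  for (const [k, v] of Object.entries(response)) h[k.toLowerCase()] = v;
  const withCreds = request.credentials === "include";

  // Origin must match exactly; "*" is only accepted for requests without credentials.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== request.origin && !(allowOrigin === "*" && !withCreds)) {
    return { allowed: false, reason: "origin not allowed" };
  }
  if (withCreds && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials not allowed" };
  }

  // GET, HEAD and POST are safelisted methods and need no explicit listing.
  const methods = parseList(h["access-control-allow-methods"]);
  const method = request.method.toLowerCase();
  const safelisted = ["get", "head", "post"].includes(method);
  if (!safelisted && !methods.includes(method) && !(methods.includes("*") && !withCreds)) {
    return { allowed: false, reason: `method ${request.method} not allowed` };
  }

  // Every requested header must be listed; "*" works only without credentials.
  const allowedHeaders = parseList(h["access-control-allow-headers"]);
  const wildcard = allowedHeaders.includes("*") && !withCreds;
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    // "*" never covers Authorization; it must be listed by name.
    const ok = allowedHeaders.includes(name) || (wildcard && name !== "authorization");
    if (!ok) return { allowed: false, reason: `header ${name} not allowed` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample: the token request from the question and possible preflight responses.
const tokenRequest = { origin: "http://localhost:8081", method: "POST", headers: ["X-XSRF-TOKEN"], credentials: "omit" };
const missingHeader = { "Access-Control-Allow-Origin": "http://localhost:8081", "Access-Control-Allow-Methods": "POST, OPTIONS", "Access-Control-Allow-Headers": "authorization, content-type" };
const listedHeader = { ...missingHeader, "Access-Control-Allow-Headers": "authorization, content-type, x-xsrf-token" };
const wildcards = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*" };

console.log(checkPreflight(tokenRequest, missingHeader)); // blocked: header missing
console.log(checkPreflight(tokenRequest, listedHeader)); // allowed
console.log(checkPreflight({ ...tokenRequest, credentials: "include" }, wildcards)); // blocked
```

The headers that matter are the ones returned by the server that receives the request, which in the error message above is the endpoint at http://localhost:8080/auth/realms/test/protocol/openid-connect/token.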
