[英]Spring Security OAuth2 CORS issue for Authorization header
我使用<spring.version>4.2.0.RELEASE</spring.version>
、 <spring.security.version>4.0.2.RELEASE</spring.security.version>
和<spring.security.oauth2.version>2.0.9.RELEASE</spring.security.oauth2.version>
。
我使用@CrossOrigin
来处理 CORS。 现在,我想允许所有标题和所有方法。 我可以使用除 Authorization 之外的任何其他标头而没有任何 CORS 问题。 但是使用授权(发送承载令牌的标头),我遇到了 CORS 问题。 我在 Class 级别使用@CrossOrigin
annotatiion 并允许所有标题如下 -
@CrossOrigin(allowedHeaders = {"*"})
请求的资源上不存在“Access-Control-Allow-Origin”标头
如何允许 Authorization 标头以及我所做的所有其他标头并避免 CORS 问题?
您可以将以下内容添加到任何配置文件中:
@Bean
public CorsFilter corsFilter() {
final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
final CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.setAllowCredentials(true);
corsConfiguration.addAllowedOrigin("*");
corsConfiguration.addAllowedHeader("*");
corsConfiguration.addAllowedMethod("*");
urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
return new CorsFilter(urlBasedCorsConfigurationSource);
}
编辑对于 XML 配置,您可以创建自定义过滤器并将其添加到您的过滤器链:
public class CorsFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "*");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "*");
chain.doFilter(req, res);
}
public void init(FilterConfig filterConfig) {}
public void destroy() {}
}
XML 配置
<security:filter-chain-map>
<sec:filter-chain pattern="/**"
filters="
ConcurrentSessionFilterAdmin,
securityContextPersistenceFilter,
logoutFilterAdmin,
usernamePasswordAuthenticationFilterAdmin,
basicAuthenticationFilterAdmin,
requestCacheAwareFilter,
securityContextHolderAwareRequestFilter,
anonymousAuthenticationFilter,
sessionManagementFilterAdmin,
exceptionTranslationFilter,
filterSecurityInterceptorAdmin,
CorsFilter"/>
</security:filter-chain-map>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.