[英]angular 2 with spring-boot security rest api
我正在开发一个Web应用程序,该应用程序具有用Angular2(打字稿)编写的前端,该前端是从angular cli和Spring Boot 1.5.2 RELEASE生成的。 因为我想分离工作,所以我将REST部署在Tomcat(localhost:8084,带有contextpath app-api
)上,并将前端部署在angular cli(localhost:4200)上。
登录并调用其他api时出现我的问题,但结果是401。登录成功后,JSessionId不保留并发送第二个请求的标头。
这是我的bean配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<global-method-security />
<beans:bean id="failureHandler" class="my.app.auth.RESTAuthenticationFailureHandler"></beans:bean>
<beans:bean id="successHandler" class="my.app.auth.RESTAuthenticationSuccessHandler"></beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint" class="my.app.auth.RESTAuthenticationEntryPoint"></beans:bean>
<beans:bean id="loginPathRequestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<beans:constructor-arg type="java.lang.String" value="/login" />
</beans:bean>
<beans:bean id="customUsernamePasswordAuthenticationFilter"
class="my.app.auth.AuthenticationFilter">
<beans:constructor-arg ref="loginPathRequestMatcher"/>
<beans:constructor-arg ref="environment"/>
<beans:constructor-arg ref="httpClient"/>
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="sessionAuthenticationStrategy" ref="session-management" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
</beans:bean>
<http auto-config="false" use-expressions="true"
disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<csrf disabled="true" />
<custom-filter position="FORM_LOGIN_FILTER"
ref="customUsernamePasswordAuthenticationFilter" />
<custom-filter after="FORM_LOGIN_FILTER" ref="concurrencyFilter" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER')" />
<logout logout-success-url="/login" />
<headers>
<frame-options policy="SAMEORIGIN" />
<hsts include-subdomains="true" disabled="false" />
<header name="Access-Control-Allow-Origin" value="*"/>
<header name="Access-Control-Allow-Methods" value="POST, GET, OPTIONS, DELETE"/>
<header name="Access-Control-Max-Age" value="3600"/>
<header name="Access-Control-Allow-Headers" value="x-requested-with, authorization, Content-Type, *"/>
</headers>
<session-management
session-authentication-strategy-ref="session-management" />
</http>
<beans:bean id="concurrencyFilter"
class="my.app.auth.ConcurrentSessionFilter">
<beans:constructor-arg ref="sessionRegistry" />
<beans:constructor-arg name="expiredUrl" value="/" />
</beans:bean>
<beans:bean id="sessionRegistry" class="my.app.auth.SessionRegistry" />
<beans:bean id="session-management"
class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry" />
</beans:bean>
<beans:bean
class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
<beans:bean
class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry" />
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
<beans:bean id="customAuthenticationProvider" class="my.app.auth.UserAuthProvider" />
<beans:bean id="authenticationService" class="my.app.auth.AuthenticationService" />
</beans:beans>
我引用了angular2-spring-boot-security主题,但是我无法解决我的问题,或者也许我尚未理解此解决方案。
对我的问题有什么建议吗? 或与我讨论? 谢谢。
谢谢大家 我通过完全声明Access-Control-Allow-Origin
解决了我的问题。 并在配置弹簧中使用withCredentials
,在角度2中使用http
:
<header name="Access-Control-Allow-Origin" value="http://localhost:4200"/>
<header name="withCredentials" value="true"/>
<header name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, PATCH, DELETE"/>
<header name="Access-Control-Max-Age" value="3600"/>
<header name="Access-Control-Allow-Headers" value="*"/>
<header name="Access-Control-Allow-Credentials" value="true"/>
并在组件的构造函数中添加http config:
constructor(private http: Http) {
let _build = (<any>http)._backend._browserXHR.build;
(<any>http)._backend._browserXHR.build = () => {
let _xhr = _build();
_xhr.withCredentials = true;
return _xhr;
};
}
使用Get方法请求可以正常工作。 但是现在我对Post方法请求有很大的疑问。 当我将Content-Type添加到标头中时,请求不从cookie导入JSESSIONID,但是如果我不添加Content-Type,我将收到有关服务器错误媒体类型的错误代码415。
我尝试了角度2的Http
和XMLHttpRequest
。 怎么了
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.