[英]Spring Boot JWT CORS with Angular 6
我在 Spring Boot 应用程序中使用 JWT。 当我尝试从 Angular 6 客户端登录时,出现 CORS 错误
Access to XMLHttpRequest at 'http://localhost:8082/login' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
我尝试为"Access-Control-Allow-Origin
添加标头,我什至尝试使用一些 chrome 扩展,但仍然无法绕过 CORS。我可以使用 Postman 访问登录 API 并获取令牌。
Spring Boot 类
WebSecurityConfig.java
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
public WebSecurityConfig(@Qualifier("customUserDetailsService") UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()));
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
WebConfig.java
@Configuration
public class WebConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry corsRegistry) {
corsRegistry.addMapping( "/**" )
.allowedOrigins( "http://localhost:4200" )
.allowedMethods( "GET", "POST", "DELETE" )
.allowedHeaders( "*" )
.allowCredentials( true )
.exposedHeaders( "Authorization" )
.maxAge( 3600 );
}
}
JWTAuthorization.java
授予用户访问权限的类
@Order(Ordered.HIGHEST_PRECEDENCE)
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
String header = request.getHeader(HEADER_STRING);
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Headers", "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization");
if (header == null || !header.startsWith(TOKEN_PREFIX)) {
chain.doFilter(request, response);
return;
}
UsernamePasswordAuthenticationToken authenticationToken = getAuthenticationToken(request);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request, response);
}
private UsernamePasswordAuthenticationToken getAuthenticationToken(HttpServletRequest request){
String token = request.getHeader(HEADER_STRING);
if (token != null) {
// parse the token.
String user = Jwts.parser()
.setSigningKey(SECRET)
.parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
.getBody()
.getSubject();
System.out.println(user);
if (user != null) {
return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
}
return null;
}
return null;
}
}
JWTAuthenticationFilter.java
处理登录请求并返回令牌的类
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authenticationManager;
public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
try {
User user = new ObjectMapper().readValue(request.getInputStream(),User.class);
return authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
user.getUsername(),
user.getPassword())
);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
String username = ((org.springframework.security.core.userdetails.User) authResult.getPrincipal()).getUsername();
String token = Jwts
.builder()
.setSubject(username)
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(SignatureAlgorithm.HS512, SECRET)
.compact();
System.out.println("TOKEN: " + token);
String bearerToken = TOKEN_PREFIX + token;
response.getWriter().write(bearerToken);
response.addHeader(HEADER_STRING, bearerToken);
}
}
有效的邮递员示例
这是我如何发出登录请求,这给了我错误
@Injectable({
providedIn: 'root'
})
export class AuthenticationService {
public apiURL:string="http://localhost:8082";
constructor(private httpClient:HttpClient) { }
validateUser(user:User){
let userData = "username=love"+ "&password=12345" + "&grant_type=password";
let reqHeader = new HttpHeaders({ 'Content-Type': 'application/json' });
const data = new FormData();
data.append("username", user.username);
data.append("password", user.password);
console.log(data);
return this.httpClient.post<User>(this.apiURL + '/login',data,{headers:reqHeader});
}
storeToken(token: string) {
localStorage.setItem("token", token);
}
getToken() {
return localStorage.getItem("token");
}
removeToken() {
return localStorage.removeItem("token");
}
}
还有 Angular 的User
界面
export interface User {
username:string;
password:string;
}
由于消息是关于您的预检请求,即OPTIONS
请求,
我想,您需要在服务器端/ Spring Boot 代码上做两件事,
attemptAuthentication
身份验证方法中添加下面作为第一次检查,即不要对预检请求进行真正的身份验证, if (CorsUtils.isPreFlightRequest(httpServletRequest)) { httpServletResponse.setStatus(HttpServletResponse.SC_OK); return new Authentication() ; //whatever your token implementation class is - return an instance of it
}
CorsUtils 是 - org.springframework.web.cors.CorsUtils
.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
您也可以允许未经授权的 OPTIONS 请求,但我想这不是一个好主意。 此外,如果可能,尝试将“/**”缩小到特定的 URL。
我有同样的问题,最后我只添加了httpRequest.cors();
在 WebSecurityConfig 类中的 configure 方法结束时,它运行良好,原因的解释是:
明确地,预检请求不会从 Spring Security 配置中的授权中排除。 请记住,默认情况下 Spring Security 会保护所有端点。
因此,API 也需要 OPTIONS 请求中的授权令牌。
Spring 提供了一个开箱即用的解决方案来从授权检查中排除 OPTIONS 请求:
cors()
方法会将 Spring 提供的 CorsFilter 添加到应用程序上下文中,从而绕过对 OPTIONS 请求的授权检查。
有关所有详细信息https://www.baeldung.com/spring-security-cors-preflight
1)创建一个bean返回CorsFilter
我在扩展WebSecurityConfigurerAdapter
SecurityConfig
类中WebSecurityConfigurerAdapter
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final JwtTokenProvider jwtTokenProvider;
@Autowired
public SecurityConfig(JwtTokenProvider jwtTokenProvider) {
this.jwtTokenProvider = jwtTokenProvider;
}
@Override
public void configure(HttpSecurity http) throws Exception {
//....
http.cors();
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("OPTIONS");
config.addAllowedMethod("GET");
config.addAllowedMethod("POST");
config.addAllowedMethod("PUT");
config.addAllowedMethod("DELETE");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
}
2) 将此CorsFilter
提供给扩展SecurityConfigurerAdapter
的类
public class JwtConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
private final JwtTokenProvider jwtTokenProvider;
public JwtConfigurer(JwtTokenProvider jwtTokenProvider) {
this.jwtTokenProvider = jwtTokenProvider;
}
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
JwtTokenFilter jwtTokenFilter = new JwtTokenFilter(jwtTokenProvider);
httpSecurity.addFilterBefore(
new SecurityConfig(jwtTokenProvider).corsFilter(),
UsernamePasswordAuthenticationFilter.class);
httpSecurity.addFilterBefore(
jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
}
3) 添加方法configure(HttpSecurity http) { /* ... */ http.cors(); }
configure(HttpSecurity http) { /* ... */ http.cors(); }
在SecurityConfig
类
显示在上面的第一个代码片段中。
我有一个类似的错误,问题是包的名称......尝试在这个模型中重命名你的包:groupId.artifactId.security.jwt
我也遇到了同样的问题。当我从邮递员那里尝试时,它工作正常,但从 React 应用程序发出的相同呼叫我遇到了问题。
通常我们在使用 spring 安全性时在配置中禁用 cors。 但在这里你应该允许它。 检查下面的代码片段。
刚刚添加了http.cors(); 在下面的代码中
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtFilter jwtFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(getPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().antMatchers("/secure/authenticate")
.permitAll().anyRequest().authenticated()
.and().exceptionHandling().and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);;
http.cors();
}
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder getPasswordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.