[英]CORS error in Spring Oauth2
我正在使用Spring安全性和Oauth2。 但是我是Spring Oauth2的新手,前端參與訪問資源時出現CORS錯誤。
我正在使用以下過濾器,以允許其他域訪問資源:
@Component
@Order(Integer.MAX_VALUE)
public class SimpleCORSFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Credentials", "True");
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
chain.doFilter(req, res);
}
public void init(FilterConfig filterConfig) {}
public void destroy() {}
}
我編寫了以下代碼,以允許在SecurityConfiguration.java中使用公共資源。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers("/social/facebook/**","/register/**","/public/**").permitAll().and()
.authorizeRequests().antMatchers("/user/**").hasRole("USER").and()
.exceptionHandling()
.accessDeniedPage("/login.jsp?authorization_error=true")
.and()
.csrf()
.requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable();
}
對於Oauth2,以下代碼用於保護我的OAuth2ServerConfig.java中的用戶資源。
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers().antMatchers("/user/**")
.and()
.authorizeRequests()
.antMatchers("/user/**").access("#oauth2.hasScope('read')")
.regexMatchers(HttpMethod.DELETE, "/oauth/users/([^/].*?)/tokens/.*")
.access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('write')")
.regexMatchers(HttpMethod.GET, "/oauth/clients/([^/].*?)/users/.*")
.access("#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')")
.regexMatchers(HttpMethod.GET, "/oauth/clients/.*")
.access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')");
}
當我在瀏覽器中打開index.html文件時,如下所示:(很抱歉,我沒有至少10個聲譽來發布圖像,因此我在此處粘貼了鏈接)
http://i.stack.imgur.com/yQKJM.png
它成功獲取了公共數據,這意味着允許其他域訪問“ / public / **”數據。
但是它無法獲取“ / user / **”數據(受Oauth2保護)。 它給我下面的錯誤說:“跨源請求被阻止”。
http://i.stack.imgur.com/XIVx1.png
當我將前端文件移動到Spring服務器的相同域時。 可以同時獲取“公開”和“用戶”數據,如下所示:
http://i.stack.imgur.com/Q2n7F.png
前端和后端應分開。 但是CORS被阻止訪問投影數據。 誰能給我一些建議? 非常感謝。 我猜想過濾器在Oauth2上不起作用? 仍然花費大量時間尋找解決方案。
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCORSFilter implements Filter {
@Override
public void init(FilterConfig fc) throws ServletException {
}
@Override
public void doFilter(ServletRequest req, ServletResponse resp,
FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) resp;
HttpServletRequest request = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "PATCH,POST,GET,OPTIONS,DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, Content-Type, Authorization, credential, X-XSRF-TOKEN");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, resp);
}
}
@Override
public void destroy() {
}
}
我將標頭添加到端點
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints.addInterceptor(new HandlerInterceptorAdapter() {
@Override
public boolean preHandle(HttpServletRequest hsr, HttpServletResponse rs, Object o) throws Exception {
rs.setHeader("Access-Control-Allow-Origin", "*");
rs.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
rs.setHeader("Access-Control-Max-Age", "3600");
rs.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
return true;
}
});
}
首先調用OAuth過濾器,並引發Exception(已阻止該異常運行您的CORS過濾器)。
您必須添加此注釋
@Order(Ordered.HIGHEST_PRECEDENCE)
到您的CORS過濾器。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.