
Spring Security Logout doesn't work with Spring 4 CORS

I recently tried the new built-in CORS support in Spring 4. This feature is great and I wanted to implement it in a Spring Boot / AngularJS application.

All requests work fine, but I cannot log out my user, because the OPTIONS request to /logout is handled by Spring Security.

Is it possible to handle the OPTIONS request before Spring Security, or should I attach the CORS headers in a LogoutSuccessHandler?

When using Spring Security, it is recommended to use a CorsFilter. You need to make sure the CorsFilter is ordered before Spring Security's FilterChainProxy.

For details on using the CorsFilter, see Spring Data Rest and Cors. For this question you may want to register only the logout URL. For example:

import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Bean
public CorsFilter corsFilter() {

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true); // you USUALLY want this
    // likely you should limit this to specific origins
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.addAllowedMethod("GET");
    config.addAllowedMethod("POST");
    config.addAllowedMethod("PUT");
    // only the logout URL gets this CORS configuration
    source.registerCorsConfiguration("/logout", config);
    // this filter must run before Spring Security's FilterChainProxy
    return new CorsFilter(source);
}

I know this is a bit late. I ran into the same problem: my Angular2 browser app rejected /logout because the CORS header Access-Control-Allow-Origin was not returned in the /logout response. /logout seems to be processed before it reaches the CORS filter, so it does not get the header. I tried the solution above, but it did not work for me. So I tried the following solution, which worked well:

  • Create a class implementing LogoutHandler and implement logout()
  • Create a class implementing LogoutSuccessHandler and implement onLogoutSuccess()
  • Wire these two classes into the Spring Security configuration

It turned out I did not need the LogoutSuccessHandler class, only the LogoutHandler. The LogoutSuccessHandler (not shown) is just an empty implementation containing logging statements. The LogoutHandler is below. This is a snippet from a Spring Boot REST application coded in Groovy (very similar to Java).

import groovy.util.logging.Slf4j

import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

import org.springframework.security.core.Authentication
import org.springframework.security.web.authentication.logout.LogoutHandler

@Slf4j
class TodosLogoutHandler implements LogoutHandler {

  /**
   * For some reason the spring-session logout gets processed before the request
   * reaches the CORS filter so the response doesn't get the allow-origin header
   * which then causes the browser to reject the logout response. I tried a bunch
   * of other methods of trying to include /logout to the CORS filter but they
   * didn't work so figured a logout handler would be a place I could manually
   * set the header to persuade the browser to accept the response - it worked!!
   * @param request
   * @param response
   * @param authentication
   */
  @Override
  void logout(
        HttpServletRequest request,
        HttpServletResponse response,
        Authentication authentication) {

    // manually add the CORS header the browser expects on the /logout response
    response.setHeader("Access-Control-Allow-Origin", "*")

    log.info("TodosLogoutHandler logging you out of the back-end app.")
  }
}

Then wire it together in the security configuration class, which extends WebSecurityConfigurerAdapter, as shown below. The last part, showing the logout section, is the relevant part of the standard configure() method.

  @Override
  public void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()                 // Allow any CORS OPTIONS calls
            .antMatchers(HttpMethod.GET, "/priority", "/status").permitAll()    // Allow all ref data
            .anyRequest().authenticated()
            .and()
                .csrf().disable()
                .httpBasic().realmName("Spring REST Todos")
            .and()
                // Custom logout handler only exists to handle a CORS problem with /logout
                // where spring-session processes the logout request/response before it gets
                // to the CORS filter so it doesn't get the allow-origin header which then
                // causes the browser to reject the /logout response. Manually set the
                // allow-origin header in the logout handler and Bob's your uncle.
                .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(new TodosLogoutSuccessHandler())
                .addLogoutHandler(new TodosLogoutHandler())
                .invalidateHttpSession(true);
  }
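As an added example (not code from either answer), the following Spring Boot configuration registers the CorsFilter from the first answer explicitly ahead of Spring Security's filter chain, which is the ordering requirement that answer states and the point at which the second answer's setup likely fell through to a manual header. It assumes Spring Boot (for FilterRegistrationBean and SecurityProperties.DEFAULT_FILTER_ORDER) and uses http://localhost:4200 as a constructed placeholder origin; with credentials allowed, the origin must be explicit rather than "*".

```java
import java.util.List;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class LogoutCorsConfig {

    // Constructed placeholder: replace with the real front-end origin(s).
    private static final List<String> ALLOWED_ORIGINS = List.of("http://localhost:4200");

    @Bean
    public FilterRegistrationBean<CorsFilter> logoutCorsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Logout needs the session cookie (or basic-auth header) to be sent,
        // so credentials are allowed and the origin list is explicit, not "*".
        config.setAllowCredentials(true);
        config.setAllowedOrigins(ALLOWED_ORIGINS);
        config.setAllowedMethods(List.of("POST", "OPTIONS"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-Requested-With"));
        config.setMaxAge(3600L); // let the browser cache the preflight for an hour

        // Apply this configuration to the logout URL only.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/logout", config);

        FilterRegistrationBean<CorsFilter> registration =
                new FilterRegistrationBean<>(new CorsFilter(source));
        registration.addUrlPatterns("/logout");
        // Run before springSecurityFilterChain (Boot registers it at
        // DEFAULT_FILTER_ORDER), so the OPTIONS preflight is answered and the
        // POST response carries Access-Control-Allow-Origin before LogoutFilter
        // ever sees the request.
        registration.setOrder(SecurityProperties.DEFAULT_FILTER_ORDER - 1);
        return registration;
    }
}
```

With the filter in front of the chain, the Access-Control-Allow-Origin header on the /logout response comes from the CorsFilter, so the manual setHeader in a LogoutHandler is no longer needed; a quick check is a preflight with curl (`-X OPTIONS -H "Origin: http://localhost:4200" -H "Access-Control-Request-Method: POST"`) against /logout, which should return the CORS headers and no authentication challenge.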
