在OAuth2的Spring 4.3上，CORS不起作用

Question

這是我使用Angular 1.5應用發出請求時在Chrome控制台中獲得的信息：

XMLHttpRequest無法加載http：// localhost：8080 / api / oauth / token 。 對預檢請求的響應未通過訪問控制檢查：請求的資源上不存在“ Access-Control-Allow-Origin”標頭。 因此，不允許訪問源' http：// localhost：8000 '。 響應的HTTP狀態碼為401。

當我刪除OAuth2配置時，錯誤消失了。

這是我的CORS配置：

class AppWebSpringConfig extends WebMvcConfigurerAdapter implements ServletContextAware {

...

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins("*")
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedHeaders("X-Requested-With", "X-Auth-Token", "Origin", "Content-Type", "Accept")
                .allowCredentials(false)
                .maxAge(3600);
    }

...
}

和我的OAuth2配置類：

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }

}

@Configuration
class OAuth2ServerConfiguration {

    private static final int ONE_HOUR = 3600;
    private static final int THIRTY_DAYS = 2592000;

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                    .authorizeRequests()
                    .anyRequest().authenticated();
            // @formatter:on
        }

    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Autowired
        private UserSecurityService userSecurityService;

        @Autowired
        private DataSource dataSource;

        @Autowired
        private Environment env;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            // @formatter:off
            endpoints
                    .tokenStore(tokenStore())
                    .authenticationManager(authenticationManager)
                    .userDetailsService(userSecurityService);
            // @formatter:on
        }

        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients
                    .jdbc(dataSource)
                    .withClient(env.getProperty(CLIENT_ID_WEB))
                    .secret(env.getProperty(CLIENT_SECRET_WEB))
                    .authorizedGrantTypes("password", "refresh_token")
                    .scopes("read", "write")
                    .accessTokenValiditySeconds(ONE_HOUR)
                    .refreshTokenValiditySeconds(THIRTY_DAYS);
            // @formatter:on
        }

        @Bean
        @Primary
        public DefaultTokenServices tokenServices() {
            final DefaultTokenServices tokenServices = new DefaultTokenServices();
            tokenServices.setSupportRefreshToken(true);
            tokenServices.setTokenStore(tokenStore());
            return tokenServices;
        }

    }

}

編輯：我還嘗試了以下過濾器的實現，但不起作用。 我在doFilter（）方法中放置了一個斷點，但是執行並沒有就此停止，就像我的過濾器未注冊一樣。 但是，當我向過濾器添加默認構造函數並在其中放置一個斷點時，它就停止了，這意味着過濾器已注冊。

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {

    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

我也嘗試過這種方法，但是再也沒有運氣了： 允許將OPTIONS HTTP方法用於oauth / token請求

我認為OAuth2配置不允許甚至請求通過已配置的CORS過濾器。 有人知道解決這個問題的方法嗎？

EDIT2：因此，結果發現有一類：

public class AppSecurityInitializer extends AbstractSecurityWebApplicationInitializer {

    // nothing here, using defaults

}

一旦我發表評論，CORS配置就開始起作用（可能是由於過濾器通過），但是現在我的OAuth2配置根本不起作用！ 每個URL都是公開的，沒有安全性。 有什么想法嗎？

Answer 1

Hiii我在Spring 4.3中遇到了同樣的問題，但是在這里解決了：-

您需要在AuthorizationServerConfiguration類中重寫AuthorizationServerConfigurerAdapter的以下方法，並使用AuthorizationServerSecurityConfigurer的addTokenEndpointAuthenticationFilter方法在其中添加CORS過濾器，如下所示：

 @Override
 public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
       security.addTokenEndpointAuthenticationFilter(new CORSFilter());
 }

您的AuthorizationServerConfiguration類將是：

 @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Autowired
        private UserSecurityService userSecurityService;

        @Autowired
        private DataSource dataSource;

        @Autowired
        private Environment env;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            // @formatter:off
            endpoints
                    .tokenStore(tokenStore())
                    .authenticationManager(authenticationManager)
                    .userDetailsService(userSecurityService);
            // @formatter:on
        }

        @Bean
        public TokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients
                    .jdbc(dataSource)
                    .withClient(env.getProperty(CLIENT_ID_WEB))
                    .secret(env.getProperty(CLIENT_SECRET_WEB))
                    .authorizedGrantTypes("password", "refresh_token")
                    .scopes("read", "write")
                    .accessTokenValiditySeconds(ONE_HOUR)
                    .refreshTokenValiditySeconds(THIRTY_DAYS);
            // @formatter:on
        }

        @Bean
        @Primary
        public DefaultTokenServices tokenServices() {
            final DefaultTokenServices tokenServices = new DefaultTokenServices();
            tokenServices.setSupportRefreshToken(true);
            tokenServices.setTokenStore(tokenStore());
            return tokenServices;
        }

        // ***** Here I added CORS filter *****
        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
              security.addTokenEndpointAuthenticationFilter(new CORSFilter());
        }  
}