[英]CORS doesn't work on Spring 4.3 with OAuth2
這是我使用Angular 1.5應用發出請求時在Chrome控制台中獲得的信息:
XMLHttpRequest無法加載http:// localhost:8080 / api / oauth / token 。 對預檢請求的響應未通過訪問控制檢查:請求的資源上不存在“ Access-Control-Allow-Origin”標頭。 因此,不允許訪問源' http:// localhost:8000 '。 響應的HTTP狀態碼為401。
當我刪除OAuth2配置時,錯誤消失了。
這是我的CORS配置:
class AppWebSpringConfig extends WebMvcConfigurerAdapter implements ServletContextAware {
...
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "POST", "PUT", "DELETE")
.allowedHeaders("X-Requested-With", "X-Auth-Token", "Origin", "Content-Type", "Accept")
.allowCredentials(false)
.maxAge(3600);
}
...
}
和我的OAuth2配置類:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
@Configuration
class OAuth2ServerConfiguration {
private static final int ONE_HOUR = 3600;
private static final int THIRTY_DAYS = 2592000;
@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.anyRequest().authenticated();
// @formatter:on
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
private UserSecurityService userSecurityService;
@Autowired
private DataSource dataSource;
@Autowired
private Environment env;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// @formatter:off
endpoints
.tokenStore(tokenStore())
.authenticationManager(authenticationManager)
.userDetailsService(userSecurityService);
// @formatter:on
}
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients
.jdbc(dataSource)
.withClient(env.getProperty(CLIENT_ID_WEB))
.secret(env.getProperty(CLIENT_SECRET_WEB))
.authorizedGrantTypes("password", "refresh_token")
.scopes("read", "write")
.accessTokenValiditySeconds(ONE_HOUR)
.refreshTokenValiditySeconds(THIRTY_DAYS);
// @formatter:on
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
final DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(tokenStore());
return tokenServices;
}
}
}
編輯:我還嘗試了以下過濾器的實現,但不起作用。 我在doFilter()方法中放置了一個斷點,但是執行並沒有就此停止,就像我的過濾器未注冊一樣。 但是,當我向過濾器添加默認構造函數並在其中放置一個斷點時,它就停止了,這意味着過濾器已注冊。
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
public SimpleCorsFilter() {
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}
我也嘗試過這種方法,但是再也沒有運氣了: 允許將OPTIONS HTTP方法用於oauth / token請求
我認為OAuth2配置不允許甚至請求通過已配置的CORS過濾器。 有人知道解決這個問題的方法嗎?
EDIT2:因此,結果發現有一類:
public class AppSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
// nothing here, using defaults
}
一旦我發表評論,CORS配置就開始起作用(可能是由於過濾器通過),但是現在我的OAuth2配置根本不起作用! 每個URL都是公開的,沒有安全性。 有什么想法嗎?
Hiii我在Spring 4.3中遇到了同樣的問題,但是在這里解決了:-
您需要在AuthorizationServerConfiguration類中重寫AuthorizationServerConfigurerAdapter的以下方法,並使用AuthorizationServerSecurityConfigurer的addTokenEndpointAuthenticationFilter方法在其中添加CORS過濾器,如下所示:
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.addTokenEndpointAuthenticationFilter(new CORSFilter());
}
您的AuthorizationServerConfiguration類將是:
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Autowired
private UserSecurityService userSecurityService;
@Autowired
private DataSource dataSource;
@Autowired
private Environment env;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// @formatter:off
endpoints
.tokenStore(tokenStore())
.authenticationManager(authenticationManager)
.userDetailsService(userSecurityService);
// @formatter:on
}
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// @formatter:off
clients
.jdbc(dataSource)
.withClient(env.getProperty(CLIENT_ID_WEB))
.secret(env.getProperty(CLIENT_SECRET_WEB))
.authorizedGrantTypes("password", "refresh_token")
.scopes("read", "write")
.accessTokenValiditySeconds(ONE_HOUR)
.refreshTokenValiditySeconds(THIRTY_DAYS);
// @formatter:on
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
final DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(tokenStore());
return tokenServices;
}
// ***** Here I added CORS filter *****
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.addTokenEndpointAuthenticationFilter(new CORSFilter());
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.