[英]AngularJS SpringSecurity CORS issue
我正在設置一個Angular + Spring Security模塊來登錄和注冊用戶。 當我注冊用戶時,一切正常。 注冊后的最后一步是自動登錄,但出現此錯誤:
XMLHttpRequest無法加載http // localhost:8080 / com-tesis / login。 所請求的資源上沒有“ Access-Control-Allow-Origin”標頭。 因此,不允許訪問源“ http // localhost:9000”。 響應的HTTP狀態碼為401。
angularJs輔助服務:
.factory("sessionAccountService", function($http){
var session = {};
session.login = function(data){
return $http.post("http://localhost:8080/com-tesis/login",
"username="+data.name+"&password="+data.password,
{headers: {"Access-Control-Allow-Headers":"Content-Type"}}
).then(function(data){
alert("loggin correcto");
localStorage.setItem("session",{});
}, function(data){
alert("error login in");
});
};
session.logout = function(){
localStorage.removeItem("session");
};
session.isLoggedIn = function(){
return localStorage.getItem("session") !== null;
}
return session;
})
.factory("accountService", function($resource){
var service = {};
service.register = function(account, success, failure){
var Account = $resource("http://localhost:8080/com-tesis/rest/accounts");
Account.save({},account,success,failure);
};
service.userExists = function(account, success, failure){
var Account = $resource("http://localhost:8080/com-tesis/rest/accounts");
var data = Account.get({name:account.name}, function(){
var accounts = data.accounts;
if (accounts.length !== 0){
success(accounts[0]);
} else {
failure();
}
},
failure);
}
return service;
});
這是在后端實現的CORS過濾器:
package tesis.core.security;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
@Component
public class SimpleCORSFilter implements Filter {
private final Logger log = LoggerFactory.getLogger(SimpleCORSFilter.class);
public SimpleCORSFilter() {
log.info("SimpleCORSFilter init");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, HEAD");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
if (request.getMethod().equals("OPTIONS")) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}
這是對web.xml的過濾
<filter>
<filter-name>simpleCORSFilter</filter-name>
<filter-class>
tesis.core.security.SimpleCORSFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>simpleCORSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我很困惑,這是Chrome廣告聯盟的要求: req / res
我不知道我在做什么錯。 謝謝!
編輯:當我從相同的URL http // localhost:8080 /發送請求時,效果很好。 從http // localhost:9000春季總是返回SC_UNAUTHORIZED
這是SecurityConfig
package tesis.core.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private AuthFailure authFailure;
@Autowired
private AuthSuccess authSuccess;
@Autowired
private EntryPointUnauthorizedHandler unauthorizedHandler;
@Autowired
private UserDetailServiceImpl userDetailService;
@Autowired
public void configAuthBuilder(AuthenticationManagerBuilder builder) throws Exception{
builder.userDetailsService(userDetailService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.formLogin()
.successHandler(authSuccess)
.failureHandler(authFailure)
.and()
.authorizeRequests()
.antMatchers("/**")
.permitAll();
}
}
AuthSuccess和AuthFailure類
package tesis.core.security;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
@Component
public class AuthSuccess extends SimpleUrlAuthenticationSuccessHandler{
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_OK);
}
}
package tesis.core.security;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;
@Component
public class AuthFailure extends SimpleUrlAuthenticationFailureHandler{
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
}
終於我找到了解決方案。 首先,為解決401錯誤,我將請求重寫為: 401解決方案
之后,出現一個新錯誤:
在請求的資源上不存在“ Access-Control-Allow-Origin”標頭,因此不允許原點訪問。
然后,在閱讀Spring doc時,我意識到我必須專門說出要使用哪個標題。 這里的線索: Spring Doc:header-static
因此,這是已修復的SecurityConfig文件:
package tesis.core.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private AuthFailure authFailure;
@Autowired
private AuthSuccess authSuccess;
@Autowired
private EntryPointUnauthorizedHandler unauthorizedHandler;
@Autowired
private UserDetailServiceImpl userDetailService;
@Autowired
public void configAuthBuilder(AuthenticationManagerBuilder builder) throws Exception{
builder.userDetailsService(userDetailService);
}
@Bean
public AuthenticationFailureHandler authenticationFailureHandler() {
return new SimpleUrlAuthenticationFailureHandler();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.headers().addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Origin","*"))
.and()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.formLogin()
.successHandler(authSuccess)
.failureHandler(authFailure)
.and()
.authorizeRequests()
.antMatchers("/**")
.permitAll();
}
}
謝謝大家。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.