
Angular login request to Spring rest with security

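I am new to Spring Security. I am confused about Spring REST security and could not find any complete solution. I have the following scenario:

1) I created an AngularJS service that makes an $http call to Spring REST.

2) I want Spring Security to intercept this URL (/login) and respond to me accordingly.

What I tried: if I access the URL http://localhost:8123/SpringMVC/login directly, it works fine; it asks for a username and password, and after entering the correct username and password I get the result. But when I do the same from AngularJS, it gives me the following error: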

angular.js:10514 OPTIONS http://localhost:8123/SpringMVC/rest/login/ (anonymous function) @ angular.js:10514sendReq @ angular.js:10333serverRequest @ angular.js:10045processQueue @ angular.js:14567(anonymous function) @ angular.js:14583$eval @ angular.js:15846$digest @ angular.js:15657$apply @ angular.js:15951bootstrapApply @ angular.js:1633invoke @ angular.js:4450doBootstrap @ angular.js:1631bootstrap @ angular.js:1651angularInit @ angular.js:1545(anonymous function) @ angular.js:28359trigger @ angular.js:2996eventHandler @ angular.js:3271
localhost/:1 XMLHttpRequest cannot load http://localhost:8111/SpringMVC/rest/categories/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8234' is therefore not allowed access. The response had HTTP status code 401.

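Please suggest how to configure the headers properly on the frontend as well as the backend; the Angular and REST applications both run on different servers.

This is in SecurityConfiguration.java: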

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
          .and()
            .authorizeRequests()
              .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll()
              .anyRequest().authenticated();
    }

This is what I do in the entry point:

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        // prevent default behaviour
        if (request.getMethod().equals("OPTIONS")) {
            response.addHeader("Access-Control-Allow-Origin", "*");
            response.addHeader("Access-Control-Allow-Methods", "POST,PUT, GET, OPTIONS, DELETE");
            response.addHeader("Access-Control-Max-Age", "3600");
            response.addHeader("Access-Control-Allow-Headers",
                    " Origin, X-Requested-With, Content-Type, Accept,AUTH-TOKEN");
        } else {
            System.out.println("hello from server");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
        }
    }

Try adding -

    response.setHeader("Access-Control-Request-Headers", "X-Requested-With, Content-Type, Accept");

Also update

    response.addHeader("Access-Control-Allow-Headers",
            " Origin, X-Requested-With, Content-Type, Accept,AUTH-TOKEN");

to

    response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept,AUTH-TOKEN, Authorization");
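
Added example, not part of the original question or answer: the 401 on the preflight in the error above arises because the browser sends OPTIONS without the Authorization header, so the request is rejected before any CORS headers are written. The sketch below assumes Spring Security 4.2 or later (where `cors()` is available), uses a hypothetical class name, and takes the Angular origin `http://localhost:8234` from the error message.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example; the class name is hypothetical and Spring Security 4.2+ is assumed.
@Configuration
@EnableWebSecurity
public class CorsAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Registers the CORS filter ahead of the authentication filters, so a
            // preflight OPTIONS request is answered with CORS headers, not a 401.
            .cors()
          .and()
            .httpBasic()
          .and()
            .authorizeRequests()
              .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll()
              .anyRequest().authenticated();
    }

    // http.cors() looks up a bean with exactly this name.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // One explicit origin instead of "*": only the Angular app may read responses.
        config.setAllowedOrigins(Arrays.asList("http://localhost:8234"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Authorization must be listed, otherwise the preflight for a request
        // carrying HTTP Basic credentials is refused by the browser.
        config.setAllowedHeaders(Arrays.asList("Origin", "X-Requested-With",
                "Content-Type", "Accept", "AUTH-TOKEN", "Authorization"));
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

With this in place the CORS headers no longer need to be written by hand in the authentication entry point, which only runs after authentication has already failed.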
