[英]angular 2 with spring-boot security rest api
我正在開發一個Web應用程序,該應用程序具有用Angular2(打字稿)編寫的前端,該前端是從angular cli和Spring Boot 1.5.2 RELEASE生成的。 因為我想分離工作,所以我將REST部署在Tomcat(localhost:8084,帶有contextpath app-api
)上,並將前端部署在angular cli(localhost:4200)上。
登錄並調用其他api時出現我的問題,但結果是401。登錄成功后,JSessionId不保留並發送第二個請求的標頭。
這是我的bean配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<global-method-security />
<beans:bean id="failureHandler" class="my.app.auth.RESTAuthenticationFailureHandler"></beans:bean>
<beans:bean id="successHandler" class="my.app.auth.RESTAuthenticationSuccessHandler"></beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint" class="my.app.auth.RESTAuthenticationEntryPoint"></beans:bean>
<beans:bean id="loginPathRequestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<beans:constructor-arg type="java.lang.String" value="/login" />
</beans:bean>
<beans:bean id="customUsernamePasswordAuthenticationFilter"
class="my.app.auth.AuthenticationFilter">
<beans:constructor-arg ref="loginPathRequestMatcher"/>
<beans:constructor-arg ref="environment"/>
<beans:constructor-arg ref="httpClient"/>
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="sessionAuthenticationStrategy" ref="session-management" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
</beans:bean>
<http auto-config="false" use-expressions="true"
disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<csrf disabled="true" />
<custom-filter position="FORM_LOGIN_FILTER"
ref="customUsernamePasswordAuthenticationFilter" />
<custom-filter after="FORM_LOGIN_FILTER" ref="concurrencyFilter" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER')" />
<logout logout-success-url="/login" />
<headers>
<frame-options policy="SAMEORIGIN" />
<hsts include-subdomains="true" disabled="false" />
<header name="Access-Control-Allow-Origin" value="*"/>
<header name="Access-Control-Allow-Methods" value="POST, GET, OPTIONS, DELETE"/>
<header name="Access-Control-Max-Age" value="3600"/>
<header name="Access-Control-Allow-Headers" value="x-requested-with, authorization, Content-Type, *"/>
</headers>
<session-management
session-authentication-strategy-ref="session-management" />
</http>
<beans:bean id="concurrencyFilter"
class="my.app.auth.ConcurrentSessionFilter">
<beans:constructor-arg ref="sessionRegistry" />
<beans:constructor-arg name="expiredUrl" value="/" />
</beans:bean>
<beans:bean id="sessionRegistry" class="my.app.auth.SessionRegistry" />
<beans:bean id="session-management"
class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry" />
</beans:bean>
<beans:bean
class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
<beans:bean
class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry" />
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
<beans:bean id="customAuthenticationProvider" class="my.app.auth.UserAuthProvider" />
<beans:bean id="authenticationService" class="my.app.auth.AuthenticationService" />
</beans:beans>
我引用了angular2-spring-boot-security主題,但是我無法解決我的問題,或者也許我尚未理解此解決方案。
對我的問題有什么建議嗎? 或與我討論? 謝謝。
謝謝大家 我通過完全聲明Access-Control-Allow-Origin
解決了我的問題。 並在配置彈簧中使用withCredentials
,在角度2中使用http
:
<header name="Access-Control-Allow-Origin" value="http://localhost:4200"/>
<header name="withCredentials" value="true"/>
<header name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, PATCH, DELETE"/>
<header name="Access-Control-Max-Age" value="3600"/>
<header name="Access-Control-Allow-Headers" value="*"/>
<header name="Access-Control-Allow-Credentials" value="true"/>
並在組件的構造函數中添加http config:
constructor(private http: Http) {
let _build = (<any>http)._backend._browserXHR.build;
(<any>http)._backend._browserXHR.build = () => {
let _xhr = _build();
_xhr.withCredentials = true;
return _xhr;
};
}
使用Get方法請求可以正常工作。 但是現在我對Post方法請求有很大的疑問。 當我將Content-Type添加到標頭中時,請求不從cookie導入JSESSIONID,但是如果我不添加Content-Type,我將收到有關服務器錯誤媒體類型的錯誤代碼415。
我嘗試了角度2的Http
和XMLHttpRequest
。 怎么了
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.