使用 Stormpath 的 CorsFilter
CorsFilter with Stormpath
我正在尝试使用 Stormpath 和 Spring Boot 构建我的第一个应用程序。我找不到如何将 CORS 过滤器添加到 Stormpath servlet。结果,我的前端应用程序无法获取身份验证令牌,因为缺少 Access-Control-Allow-Origin header。
通过日志,我确信我的 CORS 过滤器是在我控制的方法上调用的,而不是在请求上调用的 /oauth/token。
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
private final Logger log = LoggerFactory.getLogger(SimpleCorsFilter.class);
public SimpleCorsFilter() {
log.info("SimpleCORSFilter init");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
log.debug("*********Enter Cors Filter***********");
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");
chain.doFilter(req, res);
log.debug("******* Exit Cors Filter ****");
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}
我也尝试了此博客 https://shuaib.me/stormpath-java-backend/ 中的方法,并在 application.properties 中添加了以下几行。
stormpath.web.accessToken.origin.authorizer.originUris = http://localhost:3002
stormpath.web.filters.cors = something.SimpleCorsFilter
stormpath.web.uris./logout = cors
stormpath.web.uris./register = cors
stormpath.web.uris./oauth/token = cors
我还尝试添加一个 FilterRegistrationBean
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
所有这些尝试都有相同的结果,它们适用于我的控制器中的方法,但不适用于 /oauth/token 请求。
最后,这是我的 pom
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>stormpath-basic</groupId>
<artifactId>stormpath-basic</artifactId>
<version>0.0.1-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.4.1.RELEASE</version>
<relativePath />
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.8</java.version>
<stormpath.version>1.1.1</stormpath.version>
</properties>
<dependencies>
<dependency>
<groupId>com.stormpath.spring</groupId>
<artifactId>stormpath-default-spring-boot-starter</artifactId>
<version>${stormpath.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
<version>1.4.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.16.10</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
</dependency>
<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
我是不是漏掉了什么?
Spring 引导支持 Cross-Origin Resource Sharing (CORS), but it only works for Spring MVC, not Spring Security. Spring Framework provides a CorsFilter you can use for filter-based frameworks。看起来您已经在 FilterRegistrationBean 上这样做了。
我上周 writing a blog post about it 遇到了同样的问题。调试后,我发现这是因为 main StormpathFilter 出现在 CorsFilter.
之前
要解决此问题,请将以下内容添加到 application.properties。
stormpath.web.stormpathFilter.order=1
从版本 1.2.0 开始,Stormpath Java SDK 将提供开箱即用的 CORS 过滤器。默认情况下将使用以下选项启用它:
stormpath.web.cors.enabled = true
#Comma separated list of allowed origins
stormpath.web.cors.allowed.originUris =
stormpath.web.cors.allowed.headers = Content-Type,Accept,X-Requested-With,remember-me
stormpath.web.cors.allowed.methods = POST,GET,OPTIONS,DELETE
可以通过您的 application.properties 文件自定义这些属性。
我正在尝试使用 Stormpath 和 Spring Boot 构建我的第一个应用程序。我找不到如何将 CORS 过滤器添加到 Stormpath servlet。结果,我的前端应用程序无法获取身份验证令牌,因为缺少 Access-Control-Allow-Origin header。
通过日志,我确信我的 CORS 过滤器是在我控制的方法上调用的,而不是在请求上调用的 /oauth/token。
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
private final Logger log = LoggerFactory.getLogger(SimpleCorsFilter.class);
public SimpleCorsFilter() {
log.info("SimpleCORSFilter init");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
log.debug("*********Enter Cors Filter***********");
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");
chain.doFilter(req, res);
log.debug("******* Exit Cors Filter ****");
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}
我也尝试了此博客 https://shuaib.me/stormpath-java-backend/ 中的方法,并在 application.properties 中添加了以下几行。
stormpath.web.accessToken.origin.authorizer.originUris = http://localhost:3002
stormpath.web.filters.cors = something.SimpleCorsFilter
stormpath.web.uris./logout = cors
stormpath.web.uris./register = cors
stormpath.web.uris./oauth/token = cors
我还尝试添加一个 FilterRegistrationBean
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
所有这些尝试都有相同的结果,它们适用于我的控制器中的方法,但不适用于 /oauth/token 请求。
最后,这是我的 pom
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>stormpath-basic</groupId>
<artifactId>stormpath-basic</artifactId>
<version>0.0.1-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.4.1.RELEASE</version>
<relativePath />
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.8</java.version>
<stormpath.version>1.1.1</stormpath.version>
</properties>
<dependencies>
<dependency>
<groupId>com.stormpath.spring</groupId>
<artifactId>stormpath-default-spring-boot-starter</artifactId>
<version>${stormpath.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
<version>1.4.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.16.10</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
</dependency>
<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
我是不是漏掉了什么?
Spring 引导支持 Cross-Origin Resource Sharing (CORS), but it only works for Spring MVC, not Spring Security. Spring Framework provides a CorsFilter you can use for filter-based frameworks。看起来您已经在 FilterRegistrationBean 上这样做了。
我上周 writing a blog post about it 遇到了同样的问题。调试后,我发现这是因为 main StormpathFilter 出现在 CorsFilter.
要解决此问题,请将以下内容添加到 application.properties。
stormpath.web.stormpathFilter.order=1
从版本 1.2.0 开始,Stormpath Java SDK 将提供开箱即用的 CORS 过滤器。默认情况下将使用以下选项启用它:
stormpath.web.cors.enabled = true
#Comma separated list of allowed origins
stormpath.web.cors.allowed.originUris =
stormpath.web.cors.allowed.headers = Content-Type,Accept,X-Requested-With,remember-me
stormpath.web.cors.allowed.methods = POST,GET,OPTIONS,DELETE
可以通过您的 application.properties 文件自定义这些属性。