Spring - CORS 不适用于安全配置
Spring - CORS not working with Security Config
我开发了一个带有 spring webflux 后端的 angular 应用程序。到目前为止,CorsFilter 工作正常并允许来自前端的请求。
然后我添加了一个SecurityConfig。从那时起,CorsFilter 停止工作,我在 angular 应用程序中遇到异常:
Access to XMLHttpRequest at 'http://localhost:8080/users/999/folders/%2F/media/' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource
这个过滤器工作正常:
@Configuration
public class CorsFilter {
private static final String FRONTEND_LOCALHOST = "http://localhost:4200";
private static final String FRONTEND_STAGING = "https://somehost.github.io";
@Bean
CorsWebFilter corsWebFilter() {
CorsConfiguration corsConfig = new CorsConfiguration();
corsConfig.applyPermitDefaultValues();
corsConfig.addAllowedMethod(HttpMethod.PUT);
corsConfig.addAllowedMethod(HttpMethod.DELETE);
corsConfig.setAllowedOrigins(Arrays.asList(FRONTEND_LOCALHOST, FRONTEND_STAGING));
UrlBasedCorsConfigurationSource source =
new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfig);
return new CorsWebFilter(source);
}
}
然后我使用以下 SecurityConfig 添加了授权(不记名令牌):
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfiguration {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http.cors().and().csrf()
.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.and()
.authorizeExchange()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
安全配置似乎不再考虑我的 CorsFilter。我指出需要在配置中明确添加 corsfilter,但我发现的示例没有用。我希望有人能提供帮助并知道为什么。
编辑:为了解决重复问题:我已经尝试将 cors() 和 cors().configurationSource(corsConfig()) 添加到我的安全配置中,但也没有帮助。
尝试添加此配置
corsConfig.setAllowCredentials(true);
我通过实施自定义 corsfilter 在 中找到了一种工作方式。
但是我仍然对这个解决方案不满意,因为它看起来很像一个解决方法。
终于找到罪魁祸首了...一个很尴尬。我发布的 SecurityConfig 在错误的包中(它不小心在默认包中)因此配置没有被拾取。
当我将代码粘贴到安全配置时,问题中的 cors 过滤器也开始工作。
所以我最终的 SecurityConfig 看起来像这样:
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfiguration {
private static final String FRONTEND_LOCALHOST = "http://localhost:4200";
private static final String FRONTEND_STAGING = "https://somehost.github.io";
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.csrf()
.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.and()
.authorizeExchange()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
@Bean
CorsConfigurationSource corsConfiguration() {
CorsConfiguration corsConfig = new CorsConfiguration();
corsConfig.applyPermitDefaultValues();
corsConfig.addAllowedMethod(HttpMethod.PUT);
corsConfig.addAllowedMethod(HttpMethod.DELETE);
corsConfig.setAllowedOrigins(Arrays.asList(FRONTEND_LOCALHOST, FRONTEND_STAGING));
UrlBasedCorsConfigurationSource source =
new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfig);
return source;
}
}
我开发了一个带有 spring webflux 后端的 angular 应用程序。到目前为止,CorsFilter 工作正常并允许来自前端的请求。
然后我添加了一个SecurityConfig。从那时起,CorsFilter 停止工作,我在 angular 应用程序中遇到异常:
Access to XMLHttpRequest at 'http://localhost:8080/users/999/folders/%2F/media/' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource
这个过滤器工作正常:
@Configuration
public class CorsFilter {
private static final String FRONTEND_LOCALHOST = "http://localhost:4200";
private static final String FRONTEND_STAGING = "https://somehost.github.io";
@Bean
CorsWebFilter corsWebFilter() {
CorsConfiguration corsConfig = new CorsConfiguration();
corsConfig.applyPermitDefaultValues();
corsConfig.addAllowedMethod(HttpMethod.PUT);
corsConfig.addAllowedMethod(HttpMethod.DELETE);
corsConfig.setAllowedOrigins(Arrays.asList(FRONTEND_LOCALHOST, FRONTEND_STAGING));
UrlBasedCorsConfigurationSource source =
new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfig);
return new CorsWebFilter(source);
}
}
然后我使用以下 SecurityConfig 添加了授权(不记名令牌):
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfiguration {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http.cors().and().csrf()
.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.and()
.authorizeExchange()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
安全配置似乎不再考虑我的 CorsFilter。我指出需要在配置中明确添加 corsfilter,但我发现的示例没有用。我希望有人能提供帮助并知道为什么。
编辑:为了解决重复问题:我已经尝试将 cors() 和 cors().configurationSource(corsConfig()) 添加到我的安全配置中,但也没有帮助。
尝试添加此配置
corsConfig.setAllowCredentials(true);
我通过实施自定义 corsfilter 在
但是我仍然对这个解决方案不满意,因为它看起来很像一个解决方法。
终于找到罪魁祸首了...一个很尴尬。我发布的 SecurityConfig 在错误的包中(它不小心在默认包中)因此配置没有被拾取。
当我将代码粘贴到安全配置时,问题中的 cors 过滤器也开始工作。
所以我最终的 SecurityConfig 看起来像这样:
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfiguration {
private static final String FRONTEND_LOCALHOST = "http://localhost:4200";
private static final String FRONTEND_STAGING = "https://somehost.github.io";
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.csrf()
.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.and()
.authorizeExchange()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
@Bean
CorsConfigurationSource corsConfiguration() {
CorsConfiguration corsConfig = new CorsConfiguration();
corsConfig.applyPermitDefaultValues();
corsConfig.addAllowedMethod(HttpMethod.PUT);
corsConfig.addAllowedMethod(HttpMethod.DELETE);
corsConfig.setAllowedOrigins(Arrays.asList(FRONTEND_LOCALHOST, FRONTEND_STAGING));
UrlBasedCorsConfigurationSource source =
new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfig);
return source;
}
}