Spring security + session : 接收 "Set-Cookie" header 但未在浏览器中设置
Spring security + session : Receive "Set-Cookie" header but not set in browser
我正在尝试 Spring 安全和 Session 的 Angular 前端。
我在尝试使用该响应 header 登录时收到 200 代码:
Set-Cookie: SESSION=NGJlYTkzODQtNTQzMy00NGIxLWEzOWYtYTc2MGNlZWY1OTJm; Path=/; HttpOnly; SameSite=Lax
但是在我对服务器的下一次请求中,请求中没有自动设置cookie。顺便说一句,我在开发人员工具中看不到 cookie,所以我认为它没有保存。
我在本地从事前端和后端工作。
以下是有关后端的一些信息:
使用 Spring MongoDb Session
@Configuration
@EnableMongoHttpSession
public class SessionConfig {
}
- 经典Spring安全配置
`
@EnableWebSecurity
public class SecurityConfig 扩展 WebSecurityConfigurerAdapter {
private final CustomAuthenticationProvider authProvider;
public SecurityConfig(CustomAuthenticationProvider authProvider) {
this.authProvider = authProvider;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic(); //todo csrf
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Collections.singletonList("http://localhost:4200")); // todo properties by environment
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
`
session在mongodb中保存的很好,只是id没有保存在浏览器中。
有什么想法吗?
编辑
当在 httpClient 参数中设置 observer: "response" 时,我看不到 Set-Cookie header :
"cache-control: no-cache, no-store, max-age=0, must-revalidate,content-type: application/json,expires: 0,pragma: no-cache"
但是在开发者工具中我有:
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: SESSION=YTEwOTNkNjAtZjI4MS00ZmM2LWExYmEtYzA5NzJhMjAyNTJh; Path=/; HttpOnly; SameSite=Lax
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 01 Jul 2019 11:25:08 GMT
问题在 angular 方面!
我添加了一个添加了 withCredentials 参数的拦截器,它起作用了。
@Injectable()
export class XhrInterceptor implements HttpInterceptor {
intercept(req: HttpRequest<any>, next: HttpHandler) {
const xhr = req.clone({
withCredentials: true
});
return next.handle(xhr);
}
}
在后端创建一个 CORS 过滤器添加这个
response.setHeader("Access-Control-Allow-Headers",
"Date, Content-Type, Accept, X-Requested-With, Authorization, From, X-Auth-Token, Request-Id");
response.setHeader("Access-Control-Expose-Headers", "Set-Cookie");
response.setHeader("Access-Control-Allow-Credentials", "true");
我正在尝试 Spring 安全和 Session 的 Angular 前端。 我在尝试使用该响应 header 登录时收到 200 代码:
Set-Cookie: SESSION=NGJlYTkzODQtNTQzMy00NGIxLWEzOWYtYTc2MGNlZWY1OTJm; Path=/; HttpOnly; SameSite=Lax
但是在我对服务器的下一次请求中,请求中没有自动设置cookie。顺便说一句,我在开发人员工具中看不到 cookie,所以我认为它没有保存。
我在本地从事前端和后端工作。
以下是有关后端的一些信息:
使用 Spring MongoDb Session
@Configuration @EnableMongoHttpSession public class SessionConfig { }- 经典Spring安全配置
` @EnableWebSecurity public class SecurityConfig 扩展 WebSecurityConfigurerAdapter { private final CustomAuthenticationProvider authProvider;
public SecurityConfig(CustomAuthenticationProvider authProvider) {
this.authProvider = authProvider;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic(); //todo csrf
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Collections.singletonList("http://localhost:4200")); // todo properties by environment
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
} `
session在mongodb中保存的很好,只是id没有保存在浏览器中。 有什么想法吗?
编辑
当在 httpClient 参数中设置 observer: "response" 时,我看不到 Set-Cookie header :
"cache-control: no-cache, no-store, max-age=0, must-revalidate,content-type: application/json,expires: 0,pragma: no-cache"
但是在开发者工具中我有:
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: SESSION=YTEwOTNkNjAtZjI4MS00ZmM2LWExYmEtYzA5NzJhMjAyNTJh; Path=/; HttpOnly; SameSite=Lax
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 01 Jul 2019 11:25:08 GMT
问题在 angular 方面! 我添加了一个添加了 withCredentials 参数的拦截器,它起作用了。
@Injectable()
export class XhrInterceptor implements HttpInterceptor {
intercept(req: HttpRequest<any>, next: HttpHandler) {
const xhr = req.clone({
withCredentials: true
});
return next.handle(xhr);
}
}
在后端创建一个 CORS 过滤器添加这个
response.setHeader("Access-Control-Allow-Headers",
"Date, Content-Type, Accept, X-Requested-With, Authorization, From, X-Auth-Token, Request-Id");
response.setHeader("Access-Control-Expose-Headers", "Set-Cookie");
response.setHeader("Access-Control-Allow-Credentials", "true");