情况
这是我的Spring安全配置,当我从localhost创建请求并且应用程序也在localhost上运行时,它就可以工作了。
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/client/**")
.hasRole(HttpClientType.CLIENT.name())
.antMatchers("/**")
.hasRole(HttpClientType.USER.name())
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint)
.accessDeniedHandler(restAuthorizationEntryPoint)
.and()
.addFilterBefore(jwtTokenFilter, BasicAuthenticationFilter.class)
.csrf().disable().cors().disable();
}
问题
当我将应用程序部署到生产服务器,并从远程主机创建请求时,每次我得到HTTP 403。
p。S.我以为问题会出现在CORS和CSRF中,但即使我禁用了它,它也不起作用。
cors().disable()根本不禁用cors安全过滤器,而是只应用默认的cors配置。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
...
.cors().configurationSource(corsConfigurationSource())
...
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(List.of(CorsConfiguration.ALL));
configuration.setAllowedMethods(List.of(CorsConfiguration.ALL));
configuration.setAllowedHeaders(List.of(CorsConfiguration.ALL));
configuration.setAllowCredentials(true);
// ideally CorsConfiguration.ALL should not be used in production
configuration.addExposedHeader(HttpHeaders.AUTHORIZATION); // The headers you expose in response
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
您是否在类中使用@EnableWebSecurity来启用mvc安全设置?。使用.sessionRegistry(sessionRegistry(((进行测试
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}