小贝子编程

使用弹簧安全性在后端启用CORS的正确方法是什么.还在REST框架项目中使用Apachecxf



我有以下代码片段(以及一些其他配置)。还应该做些什么?chrome的错误为:"对飞行前请求的响应未通过访问控制检查:请求的资源上不存在‘访问控制允许来源’标头。">

SC:rxjs(使用angular)调用页面的ResponseHeaders屏幕截图

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
protected  class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS,"/oauth/token").permitAll();
}
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
protected CorsConfigurationSource corsConfigurationSource()
{
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowCredentials(true);
configuration.setMaxAge((long) 3600);
configuration.addAllowedOrigin("*");
//configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("*"));
//configuration.setAllowedMethods(Arrays.asList("GET","POST","OPTIONS", "DELETE"));
configuration.setAllowedHeaders(Arrays.asList("*"));
//configuration.setAllowedHeaders(Arrays.asList( "x-requested-with","X-requested-with", "authorization", "cache-control", "Content-Type,adminUserId"));
configuration.setExposedHeaders(Arrays.asList("Access-Control-Allow-Origin","Access-Control-Allow-Credentials"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
@Configuration
@EnableResourceServer
protected class ResourceServer extends ResourceServerConfigurerAdapter {
@Autowired
@Qualifier("dataSource")
DataSource dataSource;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Override
public void configure(HttpSecurity http) throws Exception {         
http
.anonymous().disable()
.requestMatchers().antMatchers("/rest/services/messagePosting/**")
.and().authorizeRequests()
.antMatchers("/rest/services/messagePosting/**")
.authenticated()
.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());     
}
@Override
public void configure(ResourceServerSecurityConfigurer resources)
throws Exception {
resources.resourceId("my-rest-services");
}
}

更新:此解决方案仅适用于Spring引导
记不起确切的场景,但我想是在OAuth2配置中,当我在扩展WebSecurityConfigurerAdapter的配置类中配置CORS时,遇到了类似的问题,但这并没有帮助
我找到的解决方案是在一个单独的java类中配置CORS,并将该类导入到您的spring安全配置类中。如下所示:

@Configuration
public class CorsConfig {   
@Bean
public FilterRegistrationBean<Filter> customCorsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean<Filter> bean = new FilterRegistrationBean<Filter>(new CorsFilter(source));
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
}
}

您的安全配置类(注意导入注释):

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
@Import({CorsConfig.class})
protected  class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS,"/oauth/token").permitAll();
}

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium