How to alter allowed headers in Spring Boot

Question

I'm currently using Auth0 (and an Angular 2 GUI), which sends a header of the type "x-xsrf-token" in the request to a Spring Boot API.

I get the error:

"XMLHttpRequest cannot load http://localhost:3001/ping. Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response."

This is fair enough as the list of Access-Control-Response-Headers in Response Headers does not include x-xsrf-token (when debugging the request in the network tab in Chrome).

I have tried a number of solutions, the closest I think I have come is to override the configure method in AppConfig, and add in my own CorsFilter, like below:

(Imports removed for brevity)

@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class AppConfig extends Auth0SecurityConfig {

    @Bean
    public Auth0Client auth0Client() {
        return new Auth0Client(clientId, issuer);
    }

    @Bean
    public Filter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("Content-Type");
        config.addAllowedHeader("x-xsrf-token");
        config.addAllowedHeader("Authorization");
        config.addAllowedHeader("Access-Control-Allow-Headers");
        config.addAllowedHeader("Origin");
        config.addAllowedHeader("Accept");
        config.addAllowedHeader("X-Requested-With");
        config.addAllowedHeader("Access-Control-Request-Method");
        config.addAllowedHeader("Access-Control-Request-Headers");
        config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("DELETE");
        source.registerCorsConfiguration("/**", config);

        return new CorsFilter(source);
    }

    @Override
    protected void authorizeRequests(final HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/ping").permitAll().antMatchers("/").permitAll().anyRequest()
            .authenticated();
    }

    String getAuthorityStrategy() {
        return super.authorityStrategy;
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.addFilterAfter(auth0AuthenticationFilter(auth0AuthenticationEntryPoint()),
            SecurityContextPersistenceFilter.class)
            .addFilterBefore(simpleCORSFilter(), Auth0AuthenticationFilter.class);
        authorizeRequests(http);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.cors();
    }
}

Unfortunately I have had no success with this, and still see the x-xsrf-token missing in the response header of my get request.

My base project is this: https://github.com/auth0-samples/auth0-spring-security-api-sample/tree/master/01-Authentication/src/main

Any ideas would be welcome.

Recommended answer

Ultimately I solved this myself. I removed this dependency here in the pom.xml file:

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>auth0-spring-security-api</artifactId>
    <version>0.3.1</version>
</dependency>

because it is an open source project on GitHub (https://github.com/auth0/auth0-spring-security-api). I added the source code to my project in its own package, and added its dependencies to my pom.xml file. Then I changed the doFilter method in the Auth0CORSFilter to include my x-xsrf-token:

@Override
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
    final HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "Authorization, x-xsrf-token, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, " +
            "Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
    chain.doFilter(req, res);
}

Unfortunately, I now won't be able to switch versions as easily if I need to, and I also have a slightly more cluttered codebase; however, as I am new to Spring, this was far easier than spending hours trying to override the Auth0CORSFilter bean, if that was ever possible.
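The Spring-native route the question was reaching for, as an added example that is not the asker's code, the answer's fork, or anything from the auth0-spring-security-api project: a single CorsConfigurationSource bean wired through http.cors(), so exactly one component writes the CORS headers. Assumptions, not taken from the page: the class name CorsSecurityConfig, a plain WebSecurityConfigurerAdapter in place of Auth0SecurityConfig, an Angular dev-server origin of http://localhost:4200, and that the library's own Auth0CORSFilter is not also registered in the chain. Two points are worth checking against the configurations on this page. Both of them answer with Access-Control-Allow-Origin: *, and the question's also sets allowCredentials(true); a browser refuses a wildcard origin on a credentialed request, Spring releases before 5.3 respond to that combination by reflecting whatever Origin the request carried (so any site can make credentialed calls), and 5.3 and later reject it with an IllegalArgumentException. Second, the answer's Auth0CORSFilter writes Access-Control-Allow-Headers with setHeader on every response, so when two CORS filters sit in one chain the one that writes last wins, which is why a second CorsFilter next to the library's is fragile.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example (not from the page or the auth0 project): one CorsConfigurationSource,
// registered through http.cors(), is the only thing that writes CORS headers.
@Configuration
@EnableWebSecurity
public class CorsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed front-end origin (Angular CLI dev server); read it from configuration in practice.
    private static final String ANGULAR_ORIGIN = "http://localhost:4200";

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();

        // An explicit origin list rather than "*": the browser refuses a wildcard on credentialed
        // requests, and Spring 5.3+ throws on allowCredentials(true) combined with "*".
        config.setAllowedOrigins(Arrays.asList(ANGULAR_ORIGIN));
        config.setAllowCredentials(true);

        // Exactly the request headers the client sends. Angular's XSRF interceptor uses
        // X-XSRF-TOKEN; the match is case-insensitive, so the lower-case spelling is covered too.
        config.setAllowedHeaders(Arrays.asList(
                HttpHeaders.AUTHORIZATION,
                HttpHeaders.CONTENT_TYPE,
                "X-XSRF-TOKEN"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));

        // Let the browser cache the preflight result for an hour.
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Spring Security places its CorsFilter ahead of authentication, so the preflight
            // OPTIONS request (sent without an Authorization header) is answered before any
            // token check runs and needs no permitAll rule of its own.
            .cors().configurationSource(corsConfigurationSource())
            .and()
            // Bearer-token API with no session, so Spring's cookie-based CSRF protection is not
            // in play; the XSRF header only has to pass the CORS check, it is not validated here.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/ping").permitAll()
                .anyRequest().authenticated();
        // The Auth0 authentication filter from the question would be added here with
        // addFilterAfter(...); it is left out because it is the library's code, not this example's.
    }
}
```

To verify the result, send the same preflight the browser sends and read the response headers: curl -i -X OPTIONS http://localhost:3001/ping -H "Origin: http://localhost:4200" -H "Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: x-xsrf-token". The reply should carry Access-Control-Allow-Origin echoing that exact origin (never *), Access-Control-Allow-Credentials: true, and x-xsrf-token in Access-Control-Allow-Headers; repeating the request with an Origin that is not in the list should get no Access-Control-Allow-Origin at all.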
