具有安全性约束的jBoss CORS支持 [英] jBoss CORS support with security constraints

问题描述

我正在使用网络常见的安全性约束向我的API添加身份验证，但是它似乎破坏了我的CORS过滤器.以前，我只使用过滤器就可以使用它，而没有应用程序服务器级别的身份验证.

I'm adding authentication to my API using the web-common security constraints, but it seems to have broken my CORS filter. I've previously had it working with just the filter and no app server level authentication.

基本思想是要求所有请求都需要在/rest/account端点下进行身份验证，因为这些请求是用于处理初始登录的，因此需要公开访问.

The basic idea is to require authentication on all requests expect those under the /rest/account endpoint, as these are the ones that handle the initial login and so need to be publicly accessible.

在尝试登录时，如果将OPTIONS调用作为POST请求的一部分进行，则在Chrome和Postman中进行的测试都会返回405方法不允许响应.

Testing in both Chrome and Postman returns a 405 Method not allowed response when the OPTIONS call is made as part of the POST request when trying to login.

希望我在下面提供了所有相关的信息，但如果需要其他任何信息，请告诉我.预先感谢！

Hopefully I've provided everything relevant below but let me know if anything else is needed. Thanks in advance!

我的CORS过滤器

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowSubdomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我的安全限制

<security-constraint>
    <display-name>WebsiteUsers</display-name>
    <web-resource-collection>
        <web-resource-name>WebsiteAPI</web-resource-name>
        <description/>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Standard User authentication</description>
        <role-name>Users</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches a few special endpoints</description>
        <url-pattern>/rest/account/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means everybody has access! -->
</security-constraint>

推荐答案

尝试将<http-method-omission>OPTIONS</http-method-omission>添加到受保护的<web-resource-collection>中. 这应该允许OPTIONS请求通过您的CORS过滤器(然后将其发送回正确的Access-Control-Allow-Methods响应标头).

Try adding <http-method-omission>OPTIONS</http-method-omission> to the protected <web-resource-collection>. This should allow OPTIONS request through to your CORS filter (which would then send back proper Access-Control-Allow-Methods response header).

请参见 https://docs.oracle.com /cd/E19798-01/821-1841/bncbk/index.html

或者(如果您需要支持servlet spec< 3.0)，则可以定义所有需要身份验证的方法(GET，POST，DELETE，PUT等-除OPTIONS )-使用<http-method>

Alternatively (if you need to support servlet spec < 3.0) you could define all the methods that need authentication instead (GET, POST, DELETE, PUT, etc. - except OPTIONS) - using <http-method>

这篇关于具有安全性约束的jBoss CORS支持的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！