使用Spring Security启用CORS支持所需的FilterRegistrationBean? [英] FilterRegistrationBean necessary to enable CORS support with Spring Security?
问题描述
我的资源服务器受OAuth2保护,并使用以下CORS配置:
My resource server is secured by OAuth2 and uses this CORS configuration:
@Bean
CorsConfigurationSource corsConfigurationSource()
{
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowCredentials(true);
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("*"));
configuration.setAllowedHeaders(Arrays.asList("*"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Bean
FilterRegistrationBean<CorsFilter> corsFilter(CorsConfigurationSource corsConfigurationSource)
{
CorsFilter corsFilter = new CorsFilter(corsConfigurationSource);
FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>();
bean.setFilter(corsFilter);
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
}
该配置可按预期处理预检请求,但是我想知道为什么有必要创建一个自定义FilterRegistrationBean并设置其顺序,而不是使用此处:
The configuration handles preflight requests as expected, but i'm wondering why it is necessary to create a custom FilterRegistrationBean and set its order, instead of using the official CORS support of HttpSecurity.cors() documented here:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.cors();
}
@Bean
CorsConfigurationSource corsConfigurationSource()
{
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowCredentials(true);
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("*"));
configuration.setAllowedHeaders(Arrays.asList("*"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
上面的配置不能正确处理印前检查请求,我想CORS过滤器的优先级要比spring安全过滤器低.
The above configuration doesn't handle preflight requests properly, i guess the CORS filter has lower precendece than the spring security filter.
使用第一个FilterRegistrationBean版本是否有不利之处,或者为什么官方的cors配置不能正常工作?我在配置常规方式时是否犯了错误?
Is there a downside of using the first FilterRegistrationBean version or why does the official cors configuration not work properly? Did i make a mistake in configuring the offical way?
我将Spring Boot 2与spring-security-oauth2-autoconfigure一起使用,但是在Spring Boot 1.5.x中得到了相同的行为.
I am using Spring Boot 2 with spring-security-oauth2-autoconfigure, but got the same behaviour in Spring Boot 1.5.x.
推荐答案
您的WebSecurityConfig类从不用于任何请求,因为默认顺序为100,请参见
Your WebSecurityConfig class is never used for any request, because the default order is 100, see WebSecurityConfigurerAdapter:
@Order(value=100)
public abstract class WebSecurityConfigurerAdapter
extends java.lang.Object
implements WebSecurityConfigurer<WebSecurity>
and the default order of the resource server configuration is 3, see EnableResourceServer:
注释使用硬编码的
Order(共3个)创建了一个WebSecurityConfigurerAdapter.
The annotation creates a
WebSecurityConfigurerAdapterwith a hard-codedOrder(of 3).
如果要使用WebSecurityConfig类,则必须将顺序更改为小于3的值.但是要小心,因为您可能会隐藏资源服务器配置.
If you want to use your WebSecurityConfig class you have to change the order to a value lesser than 3. But be careful, because you could hide your resource server configuration.
如果您的应用程序也是授权服务器,则也必须小心.您的授权服务器配置带有 EnableAuthorizationServer 不能使用.授权服务器的安全性配置的默认顺序为0,请参阅
If your application is also an authorization server, you have to be careful, too. Your authorization server configuration annotated with EnableAuthorizationServer could be not used. The default order of authorization server's security configuration is 0, see AuthorizationServerSecurityConfiguration.
If you only want to add CORS support to your resource server configuration, it is easier to override ResourceServerConfigurerAdapter#configure(HttpSecurity http).
这篇关于使用Spring Security启用CORS支持所需的FilterRegistrationBean?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
