Spring Security CORS过滤器不起作用 [英] Spring Security CORS filter not working

问题描述

我正在将Spring Security与OAuth2(版本:4.0.4.RELEASE)和spring(版本:4.3.1.RELEASE)一起使用.

I'm using spring security with OAuth2 (version: 4.0.4.RELEASE) and spring (verison: 4.3.1.RELEASE).

我正在Angular中开发前端，并且正在使用grunt connect:dev( http://127.0.0.1:9000 ).当我尝试通过本地主机地址登录时，一切正常，但是从其他服务器上我却收到错误消息:

I'm developing frontend in Angular and I'm using grunt connect:dev (http://127.0.0.1:9000). When I trying to login by localhost address everything working fine but from other I'm getting error:

"XMLHttpRequest无法加载 http://localhost:8084/oauth/token?client_id = MY_CLIENT_ID .对预检请求的响应未通过访问控制检查:所请求的资源上没有'Access-Control-Allow-Origin'标头原始' http://127.0.0.1:9000 '.响应的HTTP状态码为401."

"XMLHttpRequest cannot load http://localhost:8084/oauth/token?client_id=MY_CLIENT_ID. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:9000' is therefore not allowed access. The response had HTTP status code 401."

我已经在WebMvcConfigurerAdapter中配置了映射(重写的公共无效addCorsMappings(CorsRegistry注册表))(如下所示)，但它仍不适用于 http://127.0.0.1:9000 .

I have configured mapping (Overrided public void addCorsMappings(CorsRegistry registry)) in WebMvcConfigurerAdapter (like below) but it still not working for http://127.0.0.1:9000.

    registry.addMapping("/**")
            .allowedOrigins("http://127.0.0.1:9000")
            .allowedMethods("POST", "OPTIONS", "GET", "DELETE", "PUT")
            .allowedHeaders("X-Requested-With,Origin,Content-Type,Accept,Authorization")
            .allowCredentials(true).maxAge(3600);

基于以下配置: https://spring.io/guides/gs/rest -service-cors/

请为我指出正确的指导，以解决此问题.

Please, point me the right directon to resolve this issue.

推荐答案

希望您早就找到了答案，但如果没有找到答案(并且如果有人发现这个问题，就像我一样在搜索):

Hopefully, you found an answer long ago, but if not (and if anyone else finds this question searching as I was):

问题在于，Spring Security使用过滤器进行操作，这些过滤器通常优先于用户定义的过滤器，@CrossOrigin和类似的注释等.

The issue is that Spring Security operates using filters and those filters generally have precedence over user defined filters, @CrossOrigin and similar annotations, etc.

对我有用的是，如此处所示，将CORS过滤器定义为优先级最高的bean. >

What worked for me was to define the CORS filter as a bean with highest precedence, as suggested here.

@Configuration
public class MyConfiguration {

    @Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("http://127.0.0.1:9000");
        config.setAllowedMethods(Arrays.asList("POST", "OPTIONS", "GET", "DELETE", "PUT"));
        config.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }
}

这篇关于Spring Security CORS过滤器不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！