如何在Spring Boot中配置CORS和基本授权? [英] How to configure CORS and Basic Authorization in Spring Boot?

问题描述

我正在尝试在已经设置了基本身份验证的Spring Boot应用程序中配置CORS.

I'm trying to configure CORS in a Spring boot application that already has Basic auth set up.

我在很多地方搜索过，包括此答案，它指向

I've searched in many places, including this answer, that points to Filter based CORS support in the official docs.

到目前为止没有运气.

我的AJAX请求是通过这种方式完成的.如果它是从同一来源完成的，则它可以正常工作 http://localhost:8080 .

My AJAX request is done this way. It works if done from same origin http://localhost:8080.

fetch('http://localhost:8080/api/lists', {
  headers: {
    'Authorization': 'Basic dXNlckB0ZXN0LmNvbToxMjM0NQ=='
  }
}

AJAX请求是从React应用程序通过 http://localhost:3000 完成的，所以我尝试了以下操作春季启动CORS配置:

The AJAX request is done from a React app at http://localhost:3000, so I tried the following Spring boot CORS config:

@Configuration
class MyConfiguration {

    @Bean
    public FilterRegistrationBean corsFilter()
    {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
        // Maybe I can just say "*" for methods and headers
        // I just copied these lists from another Dropwizard project
        config.setAllowedMethods(Arrays.asList("GET", "PUT", "POST", "DELETE", "OPTIONS", "HEAD"));
        config.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept",
            "Authorization", "Access-Control-Allow-Credentials", "Access-Control-Allow-Headers", "Access-Control-Allow-Methods",
            "Access-Control-Allow-Origin", "Access-Control-Expose-Headers", "Access-Control-Max-Age",
            "Access-Control-Request-Headers", "Access-Control-Request-Method", "Age", "Allow", "Alternates",
            "Content-Range", "Content-Disposition", "Content-Description"));
        config.setAllowCredentials(true);

        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(0);
        return bean;
    }
}

我的WebSecurityConfig:

My WebSecurityConfig:

@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.httpBasic().and()
            .authorizeRequests()
            .antMatchers("/", "/index.html").permitAll()
            .anyRequest().fullyAuthenticated();
    }
}

来自 http://localhost:3000 的fetch调用在控制台中显示此401错误:

The fetch call from http://localhost:3000 displays this 401 error in the console:

Fetch API无法加载 http://localhost:8080/api/lists .回应 preflight的HTTP状态代码无效401.

Fetch API cannot load http://localhost:8080/api/lists. Response for preflight has invalid HTTP status code 401.

在chrome开发工具的网络标签中，我看到了这个OPTIONS请求:

An in the network tab of chrome dev tools I see this OPTIONS request:

推荐答案

我认为您需要允许OPTION请求进入您的网络安全配置.像这样:

I think you need to allow OPTION requests into your web security config. Something like:

.antMatchers(HttpMethod.OPTIONS, "/your-url").permitAll()

这篇关于如何在Spring Boot中配置CORS和基本授权?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！