Spring 4.2的本机Global CORS支持不适用于CAS filterProcessesUrl [英] Spring 4.2's native Global CORS support won't work with CAS filterProcessesUrl

问题描述

在升级到spring-boot 1.3之后，我试图切换到spring 4.2的本机Global CORS支持，但是似乎无法与CAS过滤器进程url（/ login / cas）一起使用。

i am trying to switch to spring 4.2's native Global CORS support after i upgrade to spring-boot 1.3, but it seemed won't work with CAS filter process url(/login/cas).

最初，我使用的是带有弹簧4.2和spring-security 4.0.2的spring-boot 1.2.7，并使用了基于过滤器的自制cors支持。我自己的休息服务或CAS ST验证URL都可以正常工作。在我升级到spring-boot 1.3以及spring和spring-security版本之后。它停止工作了。
经过一些挖掘，通过 AddFilterBefore 。因此，基于过滤的CORS似乎在spring-boot 1.3.0 + spring-security-cas上也能很好地工作。

Originally, i was using spring-boot 1.2.7 with spring 4.2 and spring-security 4.0.2, and using self made filtered based cors support. And either my own rest service or CAS ST validation URL worked well. After i upgraded to spring-boot 1.3 with coming in spring and spring-security version. It stopped working. After some digging, fixed this by AddFilterBefore. So filtered based CORS seemed work well too with spring-boot 1.3.0 + spring-security-cas.

但是，我想使用本地的Global CORS，但似乎

However, i want to use native Global CORS, but it seemed the CAS ST validation URL(/login/cas) can't be recognized, though other rest endpoints are OK.

请帮助。

设置非常简单。

@Configuration
public class CorsConfiguration {
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {

                registry.addMapping("/**");
            }
        };
    }
}   

以下是一些流量：

    Request URL:http://localhost:9000/login/cas?ticket=ST-1357-15aQrv93jGEUsQpQRF1P-cas01.example.org
    Request Method:GET
    Status Code:302 Found

    Cache-Control:no-cache, no-store, max-age=0, must-revalidate
    Content-Length:0
    Date:Thu, 19 Nov 2015 09:19:31 GMT
    Expires:0
    Location:http://localhost:9000/
    Pragma:no-cache
    Server:Apache-Coyote/1.1
    X-Content-Type-Options:nosniff
    X-Frame-Options:DENY
    X-XSS-Protection:1; mode=block

，以下是控制台错误：

XMLHttpRequest cannot load http://localhost:9000/login/cas?ticket=ST-1357-15aQrv93jGEUsQpQRF1P-cas01.example.org. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.

推荐答案

Spring MVC默认情况下会完成对CORS本机的支持 HandlerMapping 级别，因此预计您的CAS过滤器将不会启用CORS，因为它可以更早地处理请求。

CORS native support is done by default at Spring MVC HandlerMapping level, so it is expected that your CAS filter will not be CORS enabled, since it handles request earlier.

要考虑的一种选择是使用 org.springframework.web.filter.CorsFilter 我们还为Spring Framework 4.2提供了 AddFilterBefore 方法。

One option to consider is using the org.springframework.web.filter.CorsFilter we also provide with Spring Framework 4.2 with the AddFilterBefore approach.

请注意， CorsConfiguration 的默认配置与 @CrossOrigin 或 CorsRegistry ，因此您需要自己定义大多数属性，例如：

Be aware that CorsConfiguration has not the same default configuration than @CrossOrigin or CorsRegistry, so you need to define most of the properties yourself, for example:

UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true); // you USUALLY want this
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.addAllowedMethod("GET");
    config.addAllowedMethod("PUT");
    source.registerCorsConfiguration("/**", config);
    CorsFilter filter = new CorsFilter(source);
    // ...

这篇关于Spring 4.2的本机Global CORS支持不适用于CAS filterProcessesUrl的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！