在 CORS spring security + webFlux 中启用通配符 [英] Enable wildcard in CORS spring security + webFlux
问题描述
我在使用 spring webFlux 制作的项目中启用了 spring security + CORS.我的问题是我们接受例如来自:http://localhost:4200 的请求.我如何让 CORS 接受来自 http://*.localhost:4200 的请求,例如 http://a.localhost:4200, http://b.localhost:4200 ?
I have spring security + CORS enable into a project that is made with spring webFlux. My problem here is that we accept for example requests from: http://localhost:4200. How I can make that CORS will accept reqs from http://*.localhost:4200 like http://a.localhost:4200, http://b.localhost:4200 ?
我的 CORS 配置如下:
My CORS config looks like:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.setAllowedOrigins(corsConfigData.getAllowedOrigins());
config.setAllowedHeaders(corsConfigData.getAllowedHeaders());
config.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", config);
return new CorsWebFilter(source);
}
你有什么想法吗???
推荐答案
我想我找到了一个有效的解决方案.这只是意味着创建一个自定义 CorsConfiguration,覆盖 checkOrigin 方法并创建一个自定义匹配器来正确解释 http://*.localhost:4200.代码如下所示:
I think I found a solution that works. That simply means creating a custom CorsConfiguration, overriding the checkOrigin method and create a custom matcher that will interpret http://*.localhost:4200 correctly. The code looks like this:
public class RegexCorsConfiguration extends CorsConfiguration {
private List<String> allowedOriginsRegexes = new ArrayList<>();
/**
* Check the origin of the request against the configured allowed origins.
* @param requestOrigin the origin to check
* @return the origin to use for the response, possibly {@code null} which
* means the request origin is not allowed
*/
public String checkOrigin(String requestOrigin) {
if (!StringUtils.hasText(requestOrigin)) {
return null;
}
if (this.allowedOriginsRegexes.isEmpty()) {
return null;
}
if (this.allowedOriginsRegexes.contains(ALL)) {
if (getAllowCredentials() != Boolean.TRUE) {
return ALL;
} else {
return requestOrigin;
}
}
for (String allowedOriginRegex : this.allowedOriginsRegexes) {
if (createMatcher(requestOrigin, allowedOriginRegex).matches()) {
return requestOrigin;
}
}
return null;
}
public void setAllowedOriginRegex(List<String> allowedOriginsRegexes) {
this.allowedOriginsRegexes = allowedOriginsRegexes;
}
private Matcher createMatcher(String origin, String allowedOrigin) {
String regex = this.parseAllowedWildcardOriginToRegex(allowedOrigin);
Pattern pattern = Pattern.compile(regex);
return pattern.matcher(origin);
}
private String parseAllowedWildcardOriginToRegex(String allowedOrigin) {
String regex = allowedOrigin.replace(".", "\\.");
return regex.replace("*", ".*");
}}
当然,从这样的配置类中注入 corsConfig:
and of course, inject corsConfig from configuration classes like this:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
RegexCorsConfiguration regexCorsConfiguration = new RegexCorsConfiguration();
regexCorsConfiguration.setAllowCredentials(true);
regexCorsConfiguration.setAllowedOriginRegex(corsConfigData.getAllowedOrigins());
regexCorsConfiguration.setAllowedHeaders(corsConfigData.getAllowedHeaders());
regexCorsConfiguration.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", regexCorsConfiguration);
return new CorsWebFilter(source);
}
这篇关于在 CORS spring security + webFlux 中启用通配符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!