如何在 Spring 5.3 及更高版本中使用 Stomp 和 SockJS 处理 CORS 起源? [英] How to handle CORS origins with Stomp and SockJS in Spring 5.3 and newer?

问题描述

我正在开发一个同时使用 REST 端点和 SockJS websocket 的服务器应用程序.这曾经在 Spring 5.2 及更低版本下运行良好.

I'm working on a server application which uses both REST endpoints and a SockJS websocket. This used to work fine under Spring 5.2 and below.

但是，自 5.3 发布以来，org.springframework.web.cors.CorsConfiguration 中存在以下方法:

However, since the 5.3 release, the following method exists within org.springframework.web.cors.CorsConfiguration:

    public void validateAllowCredentials() {
        if (this.allowCredentials == Boolean.TRUE &&
                this.allowedOrigins != null && this.allowedOrigins.contains(ALL)) {

            throw new IllegalArgumentException(
                    "When allowCredentials is true, allowedOrigins cannot contain the special value \"*\"" +
                            "since that cannot be set on the \"Access-Control-Allow-Origin\" response header. " +
                            "To allow credentials to a set of origins, list them explicitly " +
                            "or consider using \"allowedOriginPatterns\" instead.");
        }
    }

到目前为止，我的套接字配置如下:

So far, my socket was configured like this:

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfiguration implements WebSocketMessageBrokerConfigurer {

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // prefix for the client to send messages to the server
        config.setApplicationDestinationPrefixes("/app");
        // prefix for the client to receive broadcasted messages from the server
        config.enableSimpleBroker("/topic");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // defines the url of the socket so the client can connect to it
        registry.addEndpoint("/socketendpoint").setAllowedOrigins("*").withSockJS();
    }
} 

现在我面临一个真正的问题:

Now I'm facing a real issue:

• 如果我将 setAllowedOrigins("*") 保留在 WebSocketConfiguration 中，那么我将面临 validateAllowCredentials 中抛出的错误.
• 如果我删除 setAllowedOrigins("*")，那么 SockJS 客户端将收到 WebSocket 握手期间的错误:意外响应代码:403.立>

• If I keep the setAllowedOrigins("*") in the WebSocketConfiguration, then I will face the error thrown in validateAllowCredentials.
• If I remove the setAllowedOrigins("*"), then the SockJS clients will recieve an Error during WebSocket handshake: Unexpected response code: 403.

我在编译时不知道原始域.

I don't know the origin domain at compile time.

我已经尝试过使用典型的将您在请求中找到的 origin 标头作为 allow-origin"返回的 Cors 过滤器和 Cors 配置；通常用于规避 allow-origin: "*" 的模式，但某些 SockJS 请求没有分配 origin 标头...

I already tried a Cors Filter and a Cors Configuration that use the typical "return the origin header you find in the request as allow-origin" pattern that is usually used to circumvent the allow-origin: "*", but some SockJS requests don't have an origin header assigned...

我该如何解决这个问题?

How do I fix this?

推荐答案

为了将来参考，随着最新的 spring 更新，现在有一个方法 setAllowedOriginPatterns 可以解决这个问题:

For future reference, with the latest spring updates, there's now a method setAllowedOriginPatterns that solves this:

 registry.addEndpoint("/socketendpoint").setAllowedOriginPatterns("*").withSockJS();

这篇关于如何在 Spring 5.3 及更高版本中使用 Stomp 和 SockJS 处理 CORS 起源?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！