如何在 Spring Boot 中更改允许的标头 [英] How to alter allowed headers in Spring Boot

问题描述

我目前正在使用 Auth0(和 Angular 2 GUI)，它将请求中 "x-xsrf-token" 类型的标头发送到 Spring Boot API.

I'm currently using Auth0 (and an Angular 2 GUI), which sends a header of the type "x-xsrf-token" in the request to a Spring Boot API.

我收到错误:

"XMLHttpRequest 无法加载 http://localhost:3001/ping.请求标头Access-Control-Allow-Headers 中不允许字段 x-xsrf-token飞行前响应."

"XMLHttpRequest cannot load http://localhost:3001/ping. Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response."

这很公平，因为响应头中的访问控制响应头列表不包括 x-xsrf-token(在 Chrome 的网络选项卡中调试请求时).

This is fair enough as the list of Access-Control-Response-Headers in Response Headers does not include x-xsrf-token (when debugging the request in the network tab in Chrome).

我尝试了多种解决方案，我认为最接近的是覆盖AppConfig中的configure方法，并添加我自己的CorsFilter，如下所示:

I have tried a number of solutions, the closest I think I have come is to override the configure method in AppConfig, and add in my own CorsFilter, like below:

(Imports removed for brevity)

@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class AppConfig extends Auth0SecurityConfig {

    @Bean
    public Auth0Client auth0Client() {
        return new Auth0Client(clientId, issuer);
    }

    @Bean
    public Filter corsFilter() {
        UrlBasedCorsConfigurationSource source = new     UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("Content-Type");
        config.addAllowedHeader("x-xsrf-token");
        config.addAllowedHeader("Authorization");
        config.addAllowedHeader("Access-Control-Allow-Headers");
        config.addAllowedHeader("Origin");
        config.addAllowedHeader("Accept");
        config.addAllowedHeader("X-Requested-With");
        config.addAllowedHeader("Access-Control-Request-Method");
        config.addAllowedHeader("Access-Control-Request-Headers");
        config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("DELETE");
        source.registerCorsConfiguration("/**", config);

        return new CorsFilter(source);
    }

    @Override
    protected void authorizeRequests(final HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/ping").permitAll().antMatchers("/").permitAll().anyRequest()
            .authenticated();
    }

    String getAuthorityStrategy() {
        return super.authorityStrategy;
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.addFilterAfter(auth0AuthenticationFilter(auth0AuthenticationEntryPoint()),
            SecurityContextPersistenceFilter.class)
            .addFilterBefore(simpleCORSFilter(), Auth0AuthenticationFilter.class);
        authorizeRequests(http);http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.cors();
        }
    }

不幸的是，我没有成功，并且仍然看到我的 get 请求的响应标头中缺少 x-xsrf-token.

Unfortunately I have had no success with this, and still see the x-xsrf-token missing in the response header of my get request.

我的基础项目是这样的:https://github.com/auth0-samples/auth0-spring-security-api-sample/tree/master/01-Authentication/src/main

My base project is this: https://github.com/auth0-samples/auth0-spring-security-api-sample/tree/master/01-Authentication/src/main

欢迎提出任何想法.

推荐答案

最终我自己解决了这个问题.我在 pom.xml 文件中删除了这个依赖项:

Ultimately I solved this myself. I removed this dependency here in the pom.xml file:

<dependency>
            <groupId>com.auth0</groupId>
            <artifactId>auth0-spring-security-api</artifactId>
            <version>0.3.1</version>
</dependency> 

因为是github上的开源项目，这里https://github.com/auth0/auth0-spring-security-api.我将源代码添加到我自己的项目包中，并将其依赖项添加到我的 pom.xml 文件中.然后我更改了 Auth0CORSFilter 中的 doFilter 方法以包含我的 x-xsrf-token:

because it is an open source project on github, here https://github.com/auth0/auth0-spring-security-api. I added the source code to my project in its own package, and added its dependencies to my pom.xml file. Then I changed the doFilter method in the Auth0CORSFilter to include my x-xsrf-token:

@Override
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
    final HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "Authorization, x-xsrf-token, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, " +
            "Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
    chain.doFilter(req, res);
}

不幸的是，如果需要，我现在无法轻松切换版本，我的代码库也稍微有些混乱，但是由于我是 Spring 的新手，这比花费数小时尝试覆盖 Auth0CORSFilter 要容易得多比恩，如果有可能的话.

Unfortunately, I now won't be able to switch versions as easily if I need to, I also have a slightly more cluttered codebase, however as I am new to Spring this was far easier than spending hours trying to override the Auth0CORSFilter Bean, if that was ever possible.

这篇关于如何在 Spring Boot 中更改允许的标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！