Disable Spring Security for OPTIONS Http Method


Question

Is it possible to disable Spring Security for a type of HTTP Method?

We have a Spring REST application with services that require Authorization token to be attached in the header of http request. I am writing a JS client for it and using JQuery to send the GET/POST requests. The application is CORS enabled with this filter code.

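public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {

  HttpServletResponse httpResp = (HttpServletResponse) response;
  // CORS response headers, set on every response
  httpResp.setHeader("Access-Control-Allow-Origin", "*");
  httpResp.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
  httpResp.setHeader("Access-Control-Max-Age", "3600");
  // Echo back the headers the preflight request asked permission for
  Enumeration<String> headersEnum = ((HttpServletRequest) request).getHeaders("Access-Control-Request-Headers");
  StringBuilder headers = new StringBuilder();
  String delim = "";
  while (headersEnum.hasMoreElements()) {
    headers.append(delim).append(headersEnum.nextElement());
    delim = ", ";
  }
  httpResp.setHeader("Access-Control-Allow-Headers", headers.toString());
  // Pass the request on to the rest of the filter chain
  chain.doFilter(request, response);
}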

But when JQuery sends in the OPTIONS request for CORS, the server responds with Authorization Failed token. Clearly the OPTIONS request, lacks Authorization token. So is it possible to let the OPTIONS escape the Security Layer from the Spring Security Configuration?

Recommended answer

Have you tried this?

You can use multiple <intercept-url> elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method attribute to limit the match to a particular HTTP method (GET, POST, PUT etc.).



<http auto-config="true">
    <intercept-url pattern="/client/edit" access="isAuthenticated()" method="GET" />
    <intercept-url pattern="/client/edit" access="hasRole('EDITOR')" method="POST" />
</http>

The above means you need to select the URL pattern to intercept and which methods you want.
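
Applying the answer's method attribute to the preflight case from the question, as an added example that is not part of the original answer. It assumes the token requirement is enforced through <intercept-url> access rules and that expression-based access is in use; the /** patterns are illustrative.

```xml
<!-- Added example. use-expressions is set explicitly because older
     Spring Security versions default it to false (assumption about version). -->
<http auto-config="true" use-expressions="true">
    <!-- Most specific rule first: a CORS preflight carries no Authorization
         header, so only the OPTIONS method is allowed through unauthenticated. -->
    <intercept-url pattern="/**" method="OPTIONS" access="permitAll" />
    <!-- Every other HTTP method on every URL still requires authentication. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
```

Because the first matching rule wins, the OPTIONS rule has to stay above the catch-all; GET, POST and DELETE fall through to the second rule and are still rejected without a valid token.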
