Spring Security Logout doesn't work with Spring 4 CORS


Problem description

Recently I tried the new built-in CORS-Support in Spring 4. This feature is great and I want to implement this in my Spring Boot / AngularJS application.

All requests work fine but I can't log out my user because the OPTIONS request to /logout is handled by Spring Security.

Is it possible to handle the OPTIONS-Request before Spring Security or should I attach CORS-Headers in LogoutSuccessHandler?

Recommended answer

When working with Spring Security, it is recommended to use CorsFilter. You will want to ensure that you order the CorsFilter before Spring Security's FilterChainProxy.

You can refer to Spring Data Rest and Cors for details on using CorsFilter. For this issue, the difference is likely that you want to register only for the logout URL. For example:

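import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Place this method in a @Configuration class.
@Bean
public CorsFilter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true); // you USUALLY want this
    // likely you should limit this to specific origins
    // (Spring Framework 5.3 and later reject "*" when allowCredentials is true)
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.addAllowedMethod("GET");
    config.addAllowedMethod("POST");
    config.addAllowedMethod("PUT");
    // Apply this CORS policy to the logout URL only
    source.registerCorsConfiguration("/logout", config);
    return new CorsFilter(source);
}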
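
The answer's two recommendations (order the CorsFilter ahead of Spring Security's FilterChainProxy, and limit the allowed origins) can be combined in one registration. The following is an added example, not part of the original answer; it assumes Spring Boot 1.4 or later (for the FilterRegistrationBean package), a placeholder front-end origin, a POST logout, and AngularJS's default X-XSRF-TOKEN header.

```java
import java.util.Arrays;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Hypothetical configuration class; the name and the origin below are illustrative.
@Configuration
public class LogoutCorsConfig {

    // Assumption: the AngularJS front end is served from this origin (placeholder value).
    private static final String FRONTEND_ORIGIN = "https://app.example.com";

    @Bean
    public FilterRegistrationBean logoutCorsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Cookies (the session) are sent cross-origin, so name the origin explicitly
        // instead of "*": only this origin may read responses to credentialed requests.
        config.setAllowCredentials(true);
        config.addAllowedOrigin(FRONTEND_ORIGIN);
        // Assumption: logout is a POST, as Spring Security requires when CSRF protection is on.
        config.setAllowedMethods(Arrays.asList("POST"));
        // Assumption: the client sends AngularJS's default CSRF header.
        config.setAllowedHeaders(Arrays.asList("Content-Type", "X-XSRF-TOKEN"));
        // Let the browser cache the preflight result for 30 minutes.
        config.setMaxAge(1800L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/logout", config);

        // Wrap the filter so its servlet-container order can be set explicitly.
        // HIGHEST_PRECEDENCE runs it before Spring Security's filter chain, so the
        // preflight OPTIONS request is answered by CorsFilter and never reaches
        // the logout handling.
        FilterRegistrationBean registration = new FilterRegistrationBean(new CorsFilter(source));
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

Use this in place of the plain CorsFilter bean rather than alongside it, otherwise two CORS filters are registered for /logout.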
