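My server works on localhost and on my VPN address (26.185.15.150). When I make a request to http://localhost:3500/login/auth, I get the correct response and the cookie. When I make a request to http://26.185.15.150:3500/login/auth, I do not receive the cookie, but I do get "set-cookies" in the headers. How do I need to solve this problem?

Security configuration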
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(authorizeRequests ->
                authorizeRequests
                    .requestMatchers("/login/**", "/v3/**", "/swagger-resources/**", "/swagger-ui.html", "/webjars/**", "/swagger-ui/**").permitAll()
                    .requestMatchers("/image/**").permitAll()
                    .requestMatchers("/api/unsecured").permitAll()
                    .requestMatchers("/api/secured").hasAnyRole("2001", "5320")
                    .requestMatchers("/api/admin").hasRole("5320")
                    .requestMatchers("/api/info").authenticated()
            )
            .sessionManagement(c -> c.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(c -> c.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("http://localhost:5173");
        // Note: Spring rejects "*" in allowedOrigins while allowCredentials is true
        // (IllegalArgumentException when a CORS request is checked); list explicit origins instead.
        config.addAllowedOrigin("*");
        config.addAllowedHeader("Content-Type");
        config.addAllowedHeader("Authorization");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("DELETE");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }

My cookie settings

    public void setTokenCookies(HttpServletResponse response, JwtResponse jwtResponse) {
        Cookie refreshTokenCookie = new Cookie("jwt", jwtResponse.getJwtRefreshToken());
        // Keep the token out of reach of page JavaScript
        refreshTokenCookie.setHttpOnly(true);
        // setMaxAge expects seconds, not hours
        refreshTokenCookie.setMaxAge((int) jwtRefreshTokenLifetime.toSeconds());
        // Secure: the browser only keeps and sends this cookie on a secure origin
        refreshTokenCookie.setSecure(true);
        refreshTokenCookie.setPath("/");
        response.addCookie(refreshTokenCookie);
    }

I expect my HTTP requests to work correctly with the IP address, just as they do with localhost.

Because the IP address is not a secure port; the cookie works on a secure port or on localhost.
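
The rule from the answer above, as an added example that is not part of the original posts: a simplified JavaScript model of how a browser decides whether to keep a cookie marked `Secure`. It assumes Chrome/Firefox-style treatment of loopback hosts as trustworthy; the function names and the sample `Set-Cookie` header are constructed for illustration.

```javascript
// Simplified model (assumption), not real browser code: a Secure cookie is
// kept only when the response came from HTTPS or from a loopback host.
function isTrustworthyOrigin(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') return true;
  const host = u.hostname;
  // Loopback names and addresses count as secure even over plain HTTP.
  return host === 'localhost' || host.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(host) || host === '[::1]';
}

// Extract the cookie name and the flag attributes from a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, pair.indexOf('=')),
    secure: flags.has('secure'),
    httpOnly: flags.has('httponly'),
  };
}

// Decide whether the cookie from this response would be stored.
function willStoreCookie(responseUrl, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  if (cookie.secure && !isTrustworthyOrigin(responseUrl)) {
    return { stored: false, reason: 'Secure cookie from a non-HTTPS, non-loopback origin' };
  }
  return { stored: true, reason: 'ok' };
}

// Constructed header, shaped like the one setTokenCookies() would produce.
const sampleHeader = 'jwt=PLACEHOLDER_TOKEN; Max-Age=604800; Path=/; Secure; HttpOnly';

for (const url of [
  'http://localhost:3500/login/auth',      // loopback over HTTP: kept
  'http://26.185.15.150:3500/login/auth',  // VPN address over HTTP: dropped
  'https://26.185.15.150:3500/login/auth', // same address over HTTPS: kept
]) {
  console.log(url, willStoreCookie(url, sampleHeader));
}
```

The header still appears in the response in all three cases, which matches the symptom in the question: the server sends `Set-Cookie`, and the browser discards the cookie afterwards. Serving the VPN address over HTTPS keeps the `Secure` flag in place and lets the cookie be stored.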