我已经按照以下步骤设置了Cros,用于具有弹簧安全性的Spring Boot应用程序。具有Spring安全性和jwt令牌的Spring-boot应用程序。
我正在使用其他域的api,所以我在所有控制器上使用交叉源。
所有不需要auth令牌(JWT)的api调用在以下配置下都可以正常工作。但是所需的jwt令牌所用的api调用失败,并出现以下错误。
我正在尝试添加过滤器,但无法正常工作。有人可以帮我吗
谢谢。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Import(SecurityProblemSupport.class)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final AuthenticationManagerBuilder authenticationManagerBuilder;
private final DomainUserDetailsService userDetailsService;
private final TokenProvider tokenProvider;
// private final CorsFilter corsFilter;
private final SecurityProblemSupport problemSupport;
@Autowired
public SecurityConfig(AuthenticationManagerBuilder authenticationManagerBuilder, DomainUserDetailsService userDetailsService, TokenProvider tokenProvider, SecurityProblemSupport problemSupport) {
this.authenticationManagerBuilder = authenticationManagerBuilder;
this.userDetailsService = userDetailsService;
this.tokenProvider = tokenProvider;
// this.corsFilter = corsFilter;
this.problemSupport = problemSupport;
}
@PostConstruct
public void init() {
try {
authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
} catch (Exception e) {
throw new BeanInitializationException("Security configuration failed", e);
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().disable().csrf().ignoringAntMatchers("/api/**", "/reports/**", "/utils/**").and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()
.antMatchers("/", "/*.html", "/**/*.js", "/**/*.png", "/**/*.css", "/**/*.woff2", "/**/*.woff",
"/**/*.ico", "/**/*.ttf", "/**/*.jpg")
.permitAll().antMatchers("/api/auth/**", "/api/util/**", "/api/feed/getJobs", // feed can be seen
// without auth
"/api/user/user-details/**", // user details can be seen without auth
"/v2/api-docs/**", "/actuators/**", "/api-docs/**", "/utils/**")
.permitAll().anyRequest().authenticated().and().apply(securityConfigurerAdapter()).and()
// handle an authorized attempts
.exceptionHandling()
.authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED));
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("OPTIONS");
config.addAllowedMethod("GET");
config.addAllowedMethod("POST");
config.addAllowedMethod("PUT");
config.addAllowedMethod("DELETE");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
private JWTConfigurer securityConfigurerAdapter() {
return new JWTConfigurer(tokenProvider, userDetailsService);
}
没有jwt的GET,POST,PUT,DELETE api调用正在工作。
使用JWT的API调用无法正常工作,出现以下错误
Access to XMLHttpRequest at 'http://localhost:8082/api/feed/posted-by-me' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
有人可以告诉我我在做什么错吗?
我在前端使用Angular 9来调用API。
问题是我在上述类上使用的过滤器无法正常工作。因此我创建了如下所示的新过滤器类,然后它按预期方式开始工作。
package com.happyconnects.web.api.config;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CORSFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, Authorization, Cache-control, remember-me");
chain.doFilter(req, res);
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}