我正在将旧项目升级到 Spring 6 和 Tomcat 10。在这种情况下,正常请求可以顺利通过。但这样的要求:
http://localhost:9090/proactive-api/rest/order/fetchOrderLists/gokul//orderListing/////////All/50/0/true
抛出cors错误400错误请求。正常请求是这样的:
http://localhost:9090/proactive-api/rest/ObpartnerInfo/gokul/gokul1
这些请求之间的唯一区别是多个连续的斜杠。
这些请求在 Tomcat 8 和 Spring 5 上运行良好。
这是我在 Spring 6 中的安全配置。
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfiguration {
@Bean
public static SecurityConfig securityConfig() {
return new SecurityConfig();
}
private static final Logger LOG = LogManager.getLogger(SecurityConfig.class.getName());
@Bean
public SecurityFilterChain apiFilterChain(HttpSecurity http,
AuthenticationTokenProcessingFilter authenticationTokenProcessingFilter,
OBOpenIdConnectFilter oBOpenIdConnectFilter, UnauthorizedEntryPoint unauthorizedEntryPoint)
throws Exception {
http.authorizeHttpRequests(authorize -> {
try {
authorize.requestMatchers("/openid-login").permitAll().requestMatchers("/rest/**").permitAll()
.anyRequest().authenticated();
} catch (Exception e) {
LOG.error(e);
e.printStackTrace();
}
}).cors(cors -> cors.configurationSource(this::apiConfigurationSource)).csrf(csrf -> csrf.disable())
.addFilterBefore(authenticationTokenProcessingFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(oBOpenIdConnectFilter, UsernamePasswordAuthenticationFilter.class)
.exceptionHandling(
exceptionHandling -> exceptionHandling.authenticationEntryPoint(unauthorizedEntryPoint));
return http.build();
}
@Bean
public AuthenticationManager authenticationManager(UserDetailsService mongoDBConnection,
PasswordEncoder passwordEncoder) {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(mongoDBConnection);
authenticationProvider.setPasswordEncoder(passwordEncoder);
return new ProviderManager(authenticationProvider);
}
CorsConfiguration apiConfigurationSource(HttpServletRequest request) {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList(request.getHeader("origin")));
configuration.setExposedHeaders(Arrays.asList("sdpauth, sdprefreshtoken"));
configuration.setAllowedHeaders(Arrays.asList("*", "Content-Type", "Pragma", "Origin", "Authorization", "party",
"X-XSRF-TOKEN", "X-Requested-With", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers",
"Accept", "Access-Control-Allow-Credentials", "X-Auth-Token", "version", "cache"));
configuration.setAllowCredentials(true);
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"));
return configuration;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationTokenProcessingFilter authenticationTokenProcessingFilter(UserDetailsService userService) {
return new AuthenticationTokenProcessingFilter(userService);
}
}
我不知道我到底需要做什么改变。在 CORS 配置中,其他正常请求工作正常。
我知道您可能也在研究这个问题,但我想强调的是,理想的做法是更正 URL,使其中不包含双斜杠。
但是,您可以同时配置
HttpFirewall
以允许该模式,如下所示:
@Bean
HttpFirewall httpFirewall() {
StrictHttpFirewall firewall = new StrictHttpFirewall();
firewall.getDecodedUrlBlocklist().remove("//");
return firewall;
}