我正在尝试使用cors配置来设置我的服务器应用程序。这里的配置,但login
上的任何cors请求将有一个403响应代码:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
public WebSecurityConfig(JwtAuthenticationEntryPoint unauthorizedHandler) {
this.unauthorizedHandler = unauthorizedHandler;
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Collections.singletonList("*"));
configuration.setAllowedMethods(Collections.singletonList("*"));
configuration.setAllowedHeaders(Collections.singletonList("*"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(new JwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class)
.cors().and()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.csrf().disable()
.antMatcher("/api/**").authorizeRequests()
.antMatchers("/login/**").permitAll()
.anyRequest().authenticated();
}
}
编辑我已经解决了添加另一个配置类并从web安全性中删除bean的问题。
请理解,必须在Spring Boot上配置cors配置,而不是在Spring Security上配置。
我要添加的课程是:
@Configuration
public class CorsConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD")
.allowedHeaders("*")
.allowCredentials(true);
}
}
WebSecurityConfig已成为:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
public WebSecurityConfig(JwtAuthenticationEntryPoint unauthorizedHandler) {
this.unauthorizedHandler = unauthorizedHandler;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(new JwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class)
.cors().and()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.csrf().disable()
.antMatcher("/api/**").authorizeRequests()
.antMatchers("/login/**").permitAll()
.anyRequest().authenticated();
}
}
现在所有工作都按预期工作,在所有端点上正确管理cors
试试这个:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(new JwtAuthenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class)
.cors().and()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.csrf().disable()
.antMatcher("/api/**").authorizeRequests()
.antMatchers(HttpMethod.OPTIONS,"/login/**").permitAll() // this
.anyRequest().authenticated();
试试这个吧
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**") //or the URLs you would like to add
.allowedMethods("GET", "POST");
}