如何更改 Spring Boot 中允许的标头

Question

我目前正在使用 Auth0（和 Angular 2 GUI），它将"x-xsrf-token"请求中类型的标头发送到 Spring Boot API。

我收到错误：

“XMLHttpRequest 无法加载http://localhost:3001/ping。预检响应中的 Access-Control-Allow-Headers 不允许请求标头字段 x-xsrf-token。”

这很公平，因为响应标头中的访问控制响应标头列表不包括x-xsrf-token（在 Chrome 的网络选项卡中调试请求时）。

我尝试了多种解决方案，我认为最接近的解决方案是覆盖 中的配置方法AppConfig，并添加我自己的方法CorsFilter，如下所示：

(Imports removed for brevity)

@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class AppConfig extends Auth0SecurityConfig {

    @Bean
    public Auth0Client auth0Client() {
        return new Auth0Client(clientId, issuer);
    }

    @Bean
    public Filter corsFilter() {
        UrlBasedCorsConfigurationSource source = new     UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("Content-Type");
        config.addAllowedHeader("x-xsrf-token");
        config.addAllowedHeader("Authorization");
        config.addAllowedHeader("Access-Control-Allow-Headers");
        config.addAllowedHeader("Origin");
        config.addAllowedHeader("Accept");
        config.addAllowedHeader("X-Requested-With");
        config.addAllowedHeader("Access-Control-Request-Method");
        config.addAllowedHeader("Access-Control-Request-Headers");
        config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("DELETE");
        source.registerCorsConfiguration("/**", config);

        return new CorsFilter(source);
    }

    @Override
    protected void authorizeRequests(final HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/ping").permitAll().antMatchers("/").permitAll().anyRequest()
            .authenticated();
    }

    String getAuthorityStrategy() {
        return super.authorityStrategy;
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.addFilterAfter(auth0AuthenticationFilter(auth0AuthenticationEntryPoint()),
            SecurityContextPersistenceFilter.class)
            .addFilterBefore(simpleCORSFilter(), Auth0AuthenticationFilter.class);
        authorizeRequests(http);http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.cors();
        }
    }

不幸的是，我没有成功，并且仍然x-xsrf-token在我的获取请求的响应标头中看到缺失的内容。

我的基本项目是这样的： https://github.com/auth0-samples/auth0-spring-security-api-sample/tree/master/01-Authentication/src/main

任何想法都会受到欢迎。

Answer 1

尝试，

@Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new     UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");

        config.addAllowedHeader("*");       
        config.addAllowedMethod("*");        
        source.registerCorsConfiguration("/**", config);



        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(0);
        return bean;


    }

https://spring.io/blog/2015/06/08/cors-support-in-spring-framework