那些遇到过的问题

Spring Security身份验证跨域使用Cookie与Authorization标头

Sam*_*Sam 10 cookies spring-security spring-boot vuejs2

我使用Spring Security来验证我的REST API.身份验证工作正常,Spring Security返回一个令牌Set-Cookie.该rememberMe功能已打开,并在cookie中返回相同的内容.

当我发出后续请求时,除非我在Authorization标题中发送用户名/密码,否则身份验证将失败,而当我在邮递员中测试时,它会起作用.我看到它JSESSIONID在请求中添加了cookie.

由于cookie是Http-Onlycookie,我不认为我可以在我的JavaScript函数中读取它们.

那么我该如何验证用户?我假设如果服务器返回一个cookie set-cookie,浏览器应该自动为每个请求附加它.

登录客户端请求:

context.$http.get(url, {
    headers:
    {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': 'GET,PUT,POST,DELETE',
      'Authorization': auth
    }
  }
Run Code Online (Sandbox Code Playgroud)

请求标头:

Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-GB,en;q=0.8,fr;q=0.6,en-US;q=0.4
Access-Control-Request-Headers:access-control-allow-methods,access-control-allow-origin,authorization
Access-Control-Request-Method:GET
Connection:keep-alive
DNT:1
Host:localhost:9000
Origin:http://localhost:8080
Referer:http://localhost:8080/login?redirect=%2F
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Run Code Online (Sandbox Code Playgroud)

响应标头:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:8080
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:13
Content-Type:application/json;charset=UTF-8
Date:Fri, 18 Aug 2017 05:40:55 GMT
Expires:0
Pragma:no-cache
Set-Cookie:remember-me=dTVTMi94dnVkQzJtYXRFYmJkR1VKZz09OjA1T1F4RXVOV0RiTEx4VFdUSVByeGc9PQ; Max-Age=86400; Expires=Sat, 19-Aug-2017 05:40:55 GMT; Path=/; Secure; HttpOnly
Set-Cookie:JSESSIONID=4A856E0216191E8601100B600E4A227B; Path=/; HttpOnly
Vary:Origin
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Run Code Online (Sandbox Code Playgroud)

后续获取数据的请求:

this.$http.get(url).then(function (res) {
          this.items = res.data
        })
Run Code Online (Sandbox Code Playgroud)

客户要求:

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-GB,en;q=0.8,fr;q=0.6,en-US;q=0.4
Connection:keep-alive
DNT:1
Host:localhost:9000
Origin:http://localhost:8080
Referer:http://localhost:8080/Languages
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Run Code Online (Sandbox Code Playgroud)

服务器响应:

HTTP/1.1 401
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Access-Control-Allow-Origin: http://localhost:8080
Vary: Origin
Access-Control-Allow-Credentials: true
WWW-Authenticate: Basic realm="Realm"
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 18 Aug 2017 05:43:26 GMT

{timestamp: 1503038407254, status: 401, error: "Unauthorized",…}
error :
"Unauthorized"
message:"Full authentication is required to access this resource"
path:"/languages"
status:401
timestamp:1503038407254
Run Code Online (Sandbox Code Playgroud)

添加withCredentials : true:

GET /languages HTTP/1.1
Host: 192.168.16.142:12345
Connection: keep-alive
Access-Control-Allow-Origin: *
Accept: application/json, text/plain, */*
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
DNT: 1
Referer: http://localhost:8080/languages
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.8,fr;q=0.6,en-US;q=0.4
Run Code Online (Sandbox Code Playgroud)

响应:

Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Type:application/json;charset=UTF-8
Date:Mon, 21 Aug 2017 06:26:24 GMT
Expires:0
Pragma:no-cache
Transfer-Encoding:chunked
Vary:Origin
WWW-Authenticate:Basic realm="Realm"
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Run Code Online (Sandbox Code Playgroud)

仅供参考:我在前端使用vuejs.

New*_*bie 7

仔细查看您的响应/请求流后,您将发出从端口8080到端口9000的请求,这些请求会触发同源策略(CORS)规则.默认情况下,CORS请求不会发送凭据/ cookie,如下面的链接所示.要启用凭据/ cookie传播,您需要在AJAX调用中设置"withCredentials"标志.

而且,看起来你正在使用vuejs.要启用withcredentials,您需要使用以下设置.

Vue.http.options.credentials = true;
Run Code Online (Sandbox Code Playgroud)

MDN - 凭证申请

归档时间:

查看次数:

3246 次

最近记录:

8 年,6 月 前
相关归档
spring security自定义注销处理程序 21
负载均衡器没有可用于客户端的服务器 18
Spring Api-网关:(M1)java.lang.UnsatisfiedLinkError:无 netty_resolver_dns_native_macos_aarch_64 18
在移动会话中模拟会话cookie? 16
H2数据库控制台spring boot X-Frame-Options拒绝加载 15
由于缺少ReactiveWebServerFactory bean,无法启动ReactiveWebApplicationContext 13
如何在加载 Spring 测试上下文之前*在 Junit 5 中获取回调? 8
Spring引导REST令牌授权和身份验证最佳实践 6
vue-chartjs 中的水平滚动 6
Spring嵌入式LDAP与LdapTemplate 3
难疑归档
URI,URL和URN有什么区别? 4217
关闭/隐藏Android软键盘 3641
如何将某些内容附加到数组中? 2895
"git add -A"和"git add"之间的区别. 2788
如何禁用textarea的resizable属性? 2541
何时在CSS中使用margin和padding 2277
深度克隆对象 2135
按值复制数组 1638
迭代集合,在循环中删除对象时避免使用ConcurrentModificationException 1158
按列名从pandas DataFrame中删除列 1136