tzo*_*zik 2 spring spring-security cors vue.js angular
我检查了很多资源,试图找到适合我的问题的解决方案。从我的角度来看,我认为我已经具备了所需的一切,但我无法弄清楚问题出在哪里。
我正在将spring 5与具有功能端点的WebFlux结合使用
当我从 vuejs 前端发送 GET 请求时,我得到以下信息:
Failed to load http://localhost:8080/test: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8081' is therefore not allowed access. The response had HTTP status code 401.
这是请求:
OPTIONS /test HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
Origin: http://localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Access-Control-Request-Headers: authorization
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ro;q=0.8
我的 Spring 安全配置
@Bean
public SecurityWebFilterChain securityWebFilterChain(
ServerHttpSecurity http) {
return http
.authorizeExchange()
.pathMatchers("/users/authenticate").permitAll()
.anyExchange()
.authenticated()
.and()
.httpBasic()
.and()
.build();
}
我尝试了几种不同的方法,这是最后两种:
1.
private static final List<String> ALLOWED_HEADERS = Arrays.asList(
"x-requested-with",
"authorization",
"Content-Type",
"Authorization",
"credential",
"X-XSRF-TOKEN",
"Access-Control-Allow-Origin",
"Access-Control-Allow-Methods",
"Access-Control-Allow-Headers",
"Access-Control-Max-Age",
"Access-Control-Request-Headers",
"Access-Control-Request-Method");
private static final List<String> ALLOWED_METHODS = Arrays.asList("GET", "PUT", "POST", "DELETE", "OPTIONS");
private static final String ALLOWED_ORIGIN = "*";
private static final String MAX_AGE = "3600";
@Bean
CorsWebFilter corsWebFilter() {
CorsConfiguration corsConfig = new CorsConfiguration();
corsConfig.setAllowedOrigins(Collections.singletonList(ALLOWED_ORIGIN));
corsConfig.setMaxAge(Long.valueOf(MAX_AGE));
corsConfig.setAllowedMethods(ALLOWED_METHODS);
corsConfig.setAllowedHeaders(ALLOWED_HEADERS);
UrlBasedCorsConfigurationSource source =
new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfig);
return new CorsWebFilter(source);
}
2.
@Configuration
public class WebFluxSecurity implements WebFluxConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("*")
.allowedHeaders("*")
.exposedHeaders("Access-Control-Allow-Origin",
"Access-Control-Allow-Methods",
"Access-Control-Allow-Headers",
"Access-Control-Max-Age",
"Access-Control-Request-Headers",
"Access-Control-Request-Method")
.maxAge(3600);
// Add more mappings...
}
}
为什么这不起作用?
看来问题实际上并不是cors配置的问题。
与此同时,我采取了一些不同的做法。
@Bean
public SecurityWebFilterChain securityWebFilterChain(
ServerHttpSecurity http) {
return http
.authorizeExchange()
.pathMatchers(HttpMethod.OPTIONS).permitAll()
.anyExchange()
.authenticated()
.and()
.httpBasic()
.and()
.build();
}
问题出在 spring security 配置上。我只允许所有请求,/users/authenticate 而不是允许所有OPTIONS方法。
我当前的cors配置是:
@Bean
CorsWebFilter corsFilter() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
return new CorsWebFilter(source);
}
| 归档时间: |
|
| 查看次数: |
770 次 |
| 最近记录: |