我正在尝试设置一个与本地spring boot REST应用程序对话的angular 6应用程序.几天后,我终于能够登录,并使用GET请求,这些请求似乎使用了正确的cookie.有2个cookie,一个JSESSION cookie和一个XSRF cookie.问题是我从任何POST请求得到403响应.我非常有信心,我的Spring设置更是一个问题.
以下是相关的Spring Security配置:
@Configuration
public class CORSConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("http://localhost:4200")
.allowCredentials(true)
.allowedHeaders("*")
.allowedMethods("GET", "POST", "*")
.exposedHeaders("Set-Cookie","Authorization");
}
和
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/", "/main", "/user", "/runtime.js","/polyfills.js",
"/main.js", "/styles.js", "/vendor.js").permitAll()
.anyRequest().authenticated()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and().sessionManagement().maximumSessions(1).and()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
请注意,除了"/ user"之外的antMatchers实际上并未在此设置中使用.这些文件使用ng服务在本地提供.
这是我的角度设置:
@Injectable()
export class AuthenticationInterceptor implements HttpInterceptor{
intercept(req: HttpRequest<any>, next: HttpHandler):
Observable<HttpEvent<any>>
{
const xhr = req.clone({
headers: req.headers.set('X-Requested-With', …