我已经从 Spring Boot 2.5 升级到 3.1,它附带了 Spring Security 6.1.1。对登录身份验证 REST 服务的调用工作正常,但对需要身份验证令牌的其他 REST 控制器的所有请求都被 CORS 策略阻止。
我已按照 Springs 文档中的说明禁用 CORS,但它不起作用。 https://docs.spring.io/spring-security/reference/reactive/integrations/cors.html#page-title
这是我当前的配置:
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.addAllowedOriginPattern("*");
configuration.setAllowedMethods(Arrays.asList("GET","POST","PUT","PATCH","DELETE","OPTIONS"));
configuration.setAllowCredentials(false);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
//.cors(cors -> cors.disable()) <<--- does not work as documented
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(request -> request
.requestMatchers("/api/auth/**").permitAll()
.requestMatchers(SYS_ADMIN_PATTERNS).hasAuthority("SYSTEM_ADMIN")
.requestMatchers("/api/v1/**").authenticated()
)
.sessionManagement(manager -> manager.sessionCreationPolicy(STATELESS))
.authenticationProvider(authenticationProvider())
.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
return http.build(); …