How to … in Spring Boot

Time: 2016-10-23 12:28:49

Tags: java spring auth0

I'm currently using Auth0 (with an Angular 2 GUI), which sends a header of type "x-xsrf-token" in its requests to a Spring Boot API.

I get the error:

"XMLHttpRequest cannot load http://localhost:3001/ping. Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response."

Which is fair enough, because the list of access-control headers in the response does not include x-xsrf-token (when debugging the request in the Network tab in Chrome).

I have tried many solutions, and I think the closest I've got is overriding the configure method in AppConfig and adding my own CorsFilter, like this:

(Imports removed for brevity)

@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class AppConfig extends Auth0SecurityConfig {

    @Bean
    public Auth0Client auth0Client() {
        return new Auth0Client(clientId, issuer);
    }

    @Bean
    public Filter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("Content-Type");
        config.addAllowedHeader("x-xsrf-token");
        config.addAllowedHeader("Authorization");
        config.addAllowedHeader("Access-Control-Allow-Headers");
        config.addAllowedHeader("Origin");
        config.addAllowedHeader("Accept");
        config.addAllowedHeader("X-Requested-With");
        config.addAllowedHeader("Access-Control-Request-Method");
        config.addAllowedHeader("Access-Control-Request-Headers");
        config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("DELETE");
        source.registerCorsConfiguration("/**", config);

        return new CorsFilter(source);
    }

    @Override
    protected void authorizeRequests(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/ping").permitAll()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated();
    }

    String getAuthorityStrategy() {
        return super.authorityStrategy;
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.addFilterAfter(auth0AuthenticationFilter(auth0AuthenticationEntryPoint()),
                SecurityContextPersistenceFilter.class)
            .addFilterBefore(simpleCORSFilter(), Auth0AuthenticationFilter.class);
        authorizeRequests(http);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.cors();
    }
}

Unfortunately I had no success, and I still see x-xsrf-token missing from the response headers of my GET request.

My base project is this one: https://github.com/auth0-samples/auth0-spring-security-api-sample/tree/master/01-Authentication/src/main

Any ideas are welcome.

3 answers:

Answer 0 (score: 1)

Believe this was already discussed on the issue you posted here, but thought it worth replying on SOF too since you also asked the question here.

What you can do is modify AppConfig to override the CORS filter setting of the default library config and use your own updated CORS Filter implementation.

I think in your case this may just be a matter of appending x-xsrf-token to this line:

response.setHeader("Access-Control-Allow-Headers", "Authorization, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, " +
                "Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");

However, as I said on the github issue (linked above), if you send me your HAR file I can verify that this is definitely the case and give you a working solution.

Answer 1 (score: 0)

Try:

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Enclosing class and imports added; the answer gave only the bean method.
@Configuration
public class CorsConfig {

    @Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);

        // Register the CorsFilter with the servlet container at order 0
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(0);
        return bean;
    }
}

https://spring.io/blog/2015/06/08/cors-support-in-spring-framework
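As an added example (not code from the question, the answers or the Auth0 sample), here is the same CorsConfiguration approach as answer 1 with an explicit allow-list instead of "*": one named origin, the x-xsrf-token header listed by name, and credentials enabled only because the origin is explicit. The class name and the SPA origin are assumptions; main() runs the same origin, method and header checks Spring applies to a preflight request.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class ApiCorsConfig {

    // Assumed origin of the Angular app; replace with the real one.
    static final String SPA_ORIGIN = "http://localhost:4200";

    // Explicit allow-list instead of "*": one origin, the headers the client
    // really sends (x-xsrf-token included) and the methods the API serves.
    // Credentials are allowed only because the origin is explicit.
    static CorsConfiguration apiCorsConfiguration() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList(SPA_ORIGIN));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "x-xsrf-token"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L);
        return config;
    }

    // http.cors() in the security config looks up a CorsConfigurationSource
    // bean with this name, so no hand-written filter is needed.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", apiCorsConfiguration());
        return source;
    }

    // The checks Spring applies to a preflight; a null result means "rejected".
    public static void main(String[] args) {
        CorsConfiguration config = apiCorsConfiguration();
        List<String> requested = Arrays.asList("x-xsrf-token", "content-type");
        System.out.println("spa origin allowed:    " + (config.checkOrigin(SPA_ORIGIN) != null));
        System.out.println("other origin rejected: " + (config.checkOrigin("http://other.example") == null));
        System.out.println("PUT allowed:           " + (config.checkHttpMethod(HttpMethod.PUT) != null));
        System.out.println("headers allowed:       " + (config.checkHeaders(requested) != null));
    }
}
```

With allowedOrigins "*" and allowCredentials(true), Spring answers a preflight by reflecting whatever Origin the request carries, so every site is then trusted with credentialed requests; the named allow-list above is the setting to keep once the preflight error is fixed.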

Answer 2 (score: 0)

In the end I solved this myself. I removed this dependency from my pom.xml file:

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>auth0-spring-security-api</artifactId>
    <version>0.3.1</version>
</dependency>

Since it is an open-source project on github, here: https://github.com/auth0/auth0-spring-security-api, I added its source code to my project in my own package and added its dependencies to my pom.xml file. Then I changed the doFilter method in Auth0CORSFilter to include my x-xsrf-token:

@Override
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
    final HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "Authorization, x-xsrf-token, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, " +
            "Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
    chain.doFilter(req, res);
}

Unfortunately I now can't easily switch versions if I need to, and I have a slightly messier code base, but since I'm new to Spring this was much easier than spending hours trying to override the Auth0CORSFilter bean, if that is even possible.