在弹簧安全标签中启用CORS

时间:2018-05-29 17:03:17

标签: java spring spring-mvc spring-security token

如何在Spring Security标签中启用CORS,即在令牌网址中启用CORS。我使用的是spring security 3.1和spring mvc 4.3.12。我已成功生成令牌以保护API,但无法在令牌网址中启用CORS。  我使用以下代码生成访问令牌

弹簧security.xml文件 

<http pattern="/oauth/token" create-session="stateless"  
          authentication-manager-ref="clientAuthenticationManager"  
          xmlns="http://www.springframework.org/schema/security">  
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />  
        <anonymous enabled="false" />  
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />  
        <!-- include this only if you need to authenticate clients via request   
        parameters -->  
        <custom-filter ref="clientCredentialsTokenEndpointFilter"  
                       after="BASIC_AUTH_FILTER" />  
        <access-denied-handler ref="oauthAccessDeniedHandler" />  
    </http>

这就是我启用CORS但不起作用的方式

调度-servlet.xml中 

<mvc:cors>
        <mvc:mapping path="/oauth/token" allowed-origins="http://localhost:4200"
                     allowed-methods="GET" allowed-headers="Access-Control-Allow-Origin" />
    </mvc:cors>

这是我得到的错误

  

登录:1无法加载   http://localhost:8080/M.S.-Handloom-Fabrics/oauth/token?grant_type=password&client_id=restapp&client_secret=restapp&username=nishan&password=nishan:   No&#39; Access-Control-Allow-Origin&#39;标题出现在请求的上   资源。起源&#39; http://localhost:4200&#39;因此是不允许的   访问。响应的HTTP状态代码为400。

1 个答案:

答案 0 :(得分:0)

对于此错误,您必须创建如下所示的新类。 private String corsFilter="*";当你提供*它将允许一切。希望它会帮助你。

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CorsFilter implements Filter {

    private String corsFilter="*";

    public CorsFilter() {
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res,
            final FilterChain chain) throws IOException, ServletException {

        final HttpServletResponse response = (HttpServletResponse) res;
        final HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", corsFilter);
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods",
                "POST,  GET, PUT, OPTIONS, PATCH ,DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", " Content-Type, Authorization");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(final FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
相关问题
最新问题