CORS过滤无法在“授权”标头中使用

时间:2018-08-25 01:55:22

标签: java spring-mvc spring-security oauth-2.0 angular5

我正在尝试在Spring MVC应用程序中添加OAuth 2.0。用户应该经过身份验证才能获得api调用。我已经在spring mvc控制器中将标头设置为:

@RequestMapping(value = "/admin-api/get-all-order", method = RequestMethod.GET)
    public ResponseEntity getAllOrders(@RequestHeader("Authorization") String bearerToken) {
        try {
            List<OrderModel> order = orderService.getAllOrders();
            return new ResponseEntity(order, HttpStatus.OK);
        } catch (HibernateException e) {
            return new ResponseEntity(e.getMessage(), HttpStatus.BAD_REQUEST);
        }
    }

对于请求api,我使用了angular5。我用angular进行了api调用:

return this.http.get<T>(this.getAllOrderUrl, {
            headers: {
                "Authorization": "bearer " + JSON.parse(localStorage.getItem("token"))["value"],
                "Content-type": "application/json"
            }
        }).catch(error => {
            return this.auth.handleError(error);
        })

enter image description here

我已经为“ localhost:4200”启用了CORS。 CORS过滤可以在其他请求上正常运行。 

@Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods",
                "ACL, CANCELUPLOAD, CHECKIN, CHECKOUT, COPY, DELETE, GET, HEAD, LOCK, MKCALENDAR, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, REPORT, SEARCH, UNCHECKOUT, UNLOCK, UPDATE, VERSION-CONTROL");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers",
                "X-PINGOTHER,Content-Type,X-Requested-With,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Key");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

如果我在邮递员中尝试过,它会给我带来理想的结果 enter image description here

**响应标题** enter image description here 我究竟做错了什么?请帮帮我。希望得到积极的回应!

1 个答案:

答案 0 :(得分:0)

尝试更改:

    if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
        response.setStatus(HttpServletResponse.SC_OK);
    } else {
        chain.doFilter(req, res);
    }


chain.doFilter(req, res);

响应可以包装起来,并在header中插入更多属性,以确保CORS正常工作。 如果您在此处进行了其他测试,则可能无法正常工作。 您可以尝试一下,并在不起作用的情况下在xml或注释中发布有关CORS配置的更多信息。 希望有帮助。

相关问题
最新问题