Spring Lemon:缺少响应头Set-Cookie和X-XSRF-TOKEN

时间:2019-01-06 09:50:23

标签: spring-boot cors request-headers spring-lemon

对于我当前的项目,我使用带有1.0.0.RC1版本的Spring Lemon库。当我发出/ api / core / context请求时,没有得到Set-Cookie和X-XSRF-TOKEN标头。

对于我的早期项目,我使用Spring Lemon 0.9.0,它可以完美工作,在上下文请求之后,我可以设置这些参数并发出更多请求。现在无法获取它们,如果我发出除/ context或/ ping之外的任何请求,则会收到“无效的CORS请求”作为响应。

我的代码就像这里的示例项目:https://github.com/naturalprogrammer/spring-lemon/wiki/Getting-Started-With-Spring-Lemon,但有两个更改:

  1. 我使用application.properties而不是yml。 (稍后,我希望将其放在包之外,@PropertySource仅适用于.properties。)
  2. 我用战争包装代替罐子。我将其部署到Apache Tomcat中。因此,在application.properties中,我将lemon.cors.allowed-origins: http://localhost:9000更改为lemon.cors.allowed-origins: http://localhost:8080

在上下文请求后登录:

2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 5 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
2019-01-06 10:44:41 DEBUG AntPathRequestMatcher:176 - Checking match of request : '/api/core/context'; against '/oauth2/authorization/{registrationId}'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 6 of 14 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
2019-01-06 10:44:41 DEBUG AndRequestMatcher:66 - Trying to match using Ant [pattern='/login/oauth2/code/*']
2019-01-06 10:44:41 DEBUG AntPathRequestMatcher:176 - Checking match of request : '/api/core/context'; against '/login/oauth2/code/*'
2019-01-06 10:44:41 DEBUG AndRequestMatcher:69 - Did not match
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 7 of 14 in additional filter chain; firing Filter: 'LemonJpaTokenAuthenticationFilter'
2019-01-06 10:44:41 DEBUG LemonCommonsWebTokenAuthenticationFilter:42 - Inside LemonTokenAuthenticationFilter ...
2019-01-06 10:44:41 DEBUG LemonCommonsWebTokenAuthenticationFilter:70 - Token authentication skipped
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 8 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-01-06 10:44:41 DEBUG AntPathRequestMatcher:156 - Request 'GET /api/core/context' doesn't match 'POST /api/core/login'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-01-06 10:44:41 DEBUG AnonymousAuthenticationFilter:100 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@8a1370cd: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-01-06 10:44:41 DEBUG RequestMappingHandlerMapping:420 - Mapped to public java.util.Map<java.lang.String, java.lang.Object> com.naturalprogrammer.spring.lemon.LemonController.getContext(java.util.Optional<java.lang.Long>,javax.servlet.http.HttpServletResponse)
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:219 - Secure object: FilterInvocation: URL: /api/core/context; Attributes: [permitAll]
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@8a1370cd: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-01-06 10:44:41 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@33757a2b, returned: 1
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:243 - Authorization successful
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:256 - RunAsManager did not change Authentication object
2019-01-06 10:44:41 DEBUG FilterChainProxy:313 - /api/core/context reached end of additional filter chain; proceeding with original chain
2019-01-06 10:44:41 DEBUG DispatcherServlet:90 - GET "/CSGOStats/api/core/context", parameters={}
2019-01-06 10:44:41 DEBUG RequestMappingHandlerMapping:420 - Mapped to public java.util.Map<java.lang.String, java.lang.Object> com.naturalprogrammer.spring.lemon.LemonController.getContext(java.util.Optional<java.lang.Long>,javax.servlet.http.HttpServletResponse)
2019-01-06 10:44:41 DEBUG OpenEntityManagerInViewInterceptor:86 - Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
2019-01-06 10:44:41 DEBUG LemonController:84 - Getting context 
2019-01-06 10:44:41 DEBUG JpaTransactionManager:355 - Found thread-bound EntityManager [SessionImpl(631661686<open>)] for JPA transaction
2019-01-06 10:44:41 DEBUG LemonService:179 - Getting context ...
2019-01-06 10:44:41 DEBUG LemonController:86 - Returning context: {context={reCaptchaSiteKey=6LdwxRcUAAAAABkhOGWQXhl9FsR27D5YUJRuGzx0, shared={foobar=123...}}, user=null}
2019-01-06 10:44:41 DEBUG RequestResponseBodyMethodProcessor:267 - Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/webp, image/apng, application/xml;q=0.9, */*;q=0.8] and supported [application/json, application/*+json, application/json, application/*+json]
2019-01-06 10:44:41 DEBUG RequestResponseBodyMethodProcessor:90 - Writing [{context={reCaptchaSiteKey=6LdwxRcUAAAAABkhOGWQXhl9FsR27D5YUJRuGzx0, shared={foobar=123...}}, user=null}]
2019-01-06 10:44:41 DEBUG HstsHeaderWriter:129 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@47453fa7
2019-01-06 10:44:41 DEBUG OpenEntityManagerInViewInterceptor:111 - Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
2019-01-06 10:44:41 DEBUG EntityManagerFactoryUtils:418 - Closing JPA EntityManager
2019-01-06 10:44:41 DEBUG DispatcherServlet:1130 - Completed 200 OK
2019-01-06 10:44:41 DEBUG ExceptionTranslationFilter:121 - Chain processed normally
2019-01-06 10:44:41 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed

我想念什么?预先感谢!

1 个答案:

答案 0 :(得分:1)

0.9.0之后,Spring Lemon被更改为无状态。换句话说,现在每个经过身份验证的请求都将带有一个Authorization令牌,从而消除了CSRF保护的需要。因此,为简单起见,人们认为禁用CSRF。

如果仍然需要启用CSRF,则可以扩展LemonJpaSecurityConfig并覆盖csrf方法。您可能还需要更多自定义-我不确定到底是什么。

CORS是一个不同的问题,我不知道可能是什么原因。

相关问题
最新问题