我在Angluar 8应用程序中遇到CORS错误问题。
我从服务器收到状态为200和有效JWT令牌的响应,我认为这意味着服务器已正确配置,但在控制台中仍然出现错误:
Access to XMLHttpRequest at 'http://localhost:8080/login' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Angular应用正在本地计算机上的端口4200上运行
该服务器是我自己的具有安全性的Spring Boot应用程序,也可以在端口8080上本地运行
我已经实现了自定义安全过滤器来处理CORS:
@Component
public class CorsFilter implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) servletResponse;
response.setHeader("Access-Control-Allow-Origin", "http://localhost:4200");
response.setHeader("Access-Control-Allow-Methods", "GET,POST,DELETE,PUT,OPTIONS");
response.setHeader("Access-Control-Allow-Headers", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Max-Age", "180");
filterChain.doFilter(servletRequest, servletResponse);
}
}
并添加到“安全性”配置中:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final RestAuthenticationSuccessHandler authenticationSuccessHandler;
private final RestAuthenticationFailureHandler authenticationFailureHandler;
private final CustomUserDetailsService userDetailsService;
private final String secret;
private final TenantFilter tenantFilter;
private final CorsFilter corsFilter;
private final UserTenantRelationRepository userTenantRelationRepository;
@Autowired
public SecurityConfig(RestAuthenticationSuccessHandler authenticationSuccessHandler,
RestAuthenticationFailureHandler authenticationFailureHandler,
CustomUserDetailsService userDetailsService,
@Value("${jwt.secret}") String secret, TenantFilter tenantFilter, CorsFilter corsFilter, UserTenantRelationRepository userTenantRelationRepository) {
this.authenticationSuccessHandler = authenticationSuccessHandler;
this.authenticationFailureHandler = authenticationFailureHandler;
this.userDetailsService = userDetailsService;
this.secret = secret;
this.tenantFilter = tenantFilter;
this.corsFilter = corsFilter;
this.userTenantRelationRepository = userTenantRelationRepository;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(corsFilter, SessionManagementFilter.class)
.addFilterBefore(tenantFilter, BasicAuthenticationFilter.class)
.csrf().disable()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/register").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(authenticationFilter(userTenantRelationRepository))
.addFilter(new JwtAuthorizationFilter(authenticationManager(), userDetailsService, secret))
.exceptionHandling()
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
}
如前所述,我收到响应200和有效的JWT令牌,因此对此感到非常困惑。
编辑
好,所以我已经读到了您提到的预检请求,并修复了我的过滤器来处理此请求。
现在看起来像这样:
@Component
public class CorsFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "authorization, content-type, xsrf-token");
response.addHeader("Access-Control-Expose-Headers", "xsrf-token");
if ("OPTIONS".equals(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(request, response);
}
}
}
现在配置为:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(corsFilter, ChannelProcessingFilter.class)
.addFilterBefore(tenantFilter, BasicAuthenticationFilter.class)
.csrf().disable()
.anonymous().disable()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/register").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(authenticationFilter(userTenantRelationRepository))
.addFilter(new JwtAuthorizationFilter(authenticationManager(), userDetailsService, secret))
.exceptionHandling()
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
}
谢谢大家的提示。
答案 0 :(得分:1)
如果您的cors请求不是 GET ,则浏览器将发出选项请求(preflight request),并且不会发送身份验证标头或类似的内容。因此,在您的安全配置中,您需要允许对该URL进行匿名选项请求。
答案 1 :(得分:1)
我建议您使用FilterRegistrationBean在后端进行Cors配置。用法如下,
@Bean
public FilterRegistrationBean<CorsFilter> corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:4200");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<CorsFilter>(
new CorsFilter(source));
bean.setOrder(0);
return bean;
}
使用
导入import org.springframework.boot.web.servlet.FilterRegistrationBean;
在带有@Configuration批注的WebConfig.java文件中执行此操作。