身份验证过滤器之前的CORS过滤器 - 安全性较低? Spring安全过滤器链序

时间:2016-03-12 02:20:37

标签: angularjs spring security cors

我发现从单页应用程序访问ReST服务时,为了正确地允许访问ReST端点,我必须在我的身份验证过滤器之前注册一个CORS过滤器。这不安全或安全措施不佳吗?

我的安全配置现在看起来像

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Inject
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(userDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
           .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/health","/metrics", "/v1/users/register", "/swagger-ui/**", "/v2/api-docs").permitAll()
                .antMatchers("/mappings", "/v1/**", "/backend-service/**").authenticated()
                .and()
            .httpBasic()
                .realmName("serviceGateway")
                .and()
            .csrf()
                .disable()
            .headers()
                .frameOptions().disable()
            .and().addFilterBefore(new SimpleCORSFilter(), ChannelProcessingFilter.class);
    }

}

我的SimpleCORSFilter看起来像

public class SimpleCORSFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    /**
     * This method adds specific headers to the HTTP request to enable CORS
     * requests
     * @param request
     * @param response
     * @param chain
     * @throws IOException
     * @throws ServletException
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        res.setHeader("Access-Control-Allow-Origin", "*");
        res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
        res.setHeader("Access-Control-Max-Age", "3600");
        res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Accept, x-requested-with, Cache-Control");
        chain.doFilter(request, res);
    }

    @Override
    public void destroy() {

    }
}

我使用Angular中的简单$ http调用访问代码

$scope.login = function() {
  $http({
    method: 'GET',
    url: 'https://myservice.mydomain.com:8095/v1/users/login',
    headers: {
      'Authorization': 'Basic ' + btoa("username:password")
    }
  })
    .then(successCallback);
};

我认为在安全性之前放置CORS过滤器只意味着CORS标头将被添加到每个请求中,这似乎不是一个安全漏洞,因为我在标头中没有发送敏感数据,但Authorization标头除外

我是在想这里还是有什么我没看到的?

1 个答案:

答案 0 :(得分:0)

我认为这很好。实际上,当您的JavaScript代码发布到另一个来源的资源时,浏览器将发出不带OPTIONS标头的转发前请求(authorization动词)。

如果您的身份验证代码在CORS处理程序之前运行,则必须为此请求设置例外,以避免在飞行前返回401 Unauthorized