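Hello, I want to send requests to my Spring server. Right now I get an error because of the restricted CORS options. So I added a filter, because the annotations did not work: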
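import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

@Component
public class CORSFilter implements Filter {
    public CORSFilter() {
    }

    // Sets the CORS response headers on every request that reaches this filter,
    // then passes the request on to the rest of the chain.
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}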
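Now my problem is that the CORS filter does not work for Dart requests. In a normal browser request the header is set, but not in Dart HTTP requests.
Is there a solution to this problem?
Update 23 Sep 2016: Here it is: http://pastebin.com/9KNfx7Jd The problem is that the filter is not applied to this HTTP call. It only works when I access the file via the URL in the browser.
Here with ajax: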
Remote Address:127.0.0.1:8090
Request URL:http://localhost:8090/time/time/login
Request Method:OPTIONS
Status Code:401 Unauthorized
Response Headers
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:114
Content-Type:text/html;charset=UTF-8
Date:Fri, 23 Sep 2016 12:57:55 GMT
Expires:0
Pragma:no-cache
Server:WildFly/10
Set-Cookie:JSESSIONID=ZIkzLq-iALC6CDx7r6LhPz_8PiD05Q9ufod6GluZ.ccn6dc2; path=/time
WWW-Authenticate:Basic realm="Realm"
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-Powered-By:Undertow/1
X-XSS-Protection:1; mode=block
Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:content-type
Access-Control-Request-Method:GET
Connection:keep-alive
Host:localhost:8090
Origin:http://localhost:8080
Referer:http://localhost:8080/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.104 (Dart) Safari/537.36
Here without:
Remote Address:127.0.0.1:8090
Request URL:http://localhost:8090/time/time/login
Request Method:GET
Status Code:200 OK
Response Headers
Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:5
Content-Type:text/html;charset=ISO-8859-1
Date:Fri, 23 Sep 2016 13:10:36 GMT
Expires:0
Pragma:no-cache
Server:WildFly/10
Set-Cookie:JSESSIONID=nQFjGB2m7ovHVT9VUnhtCJSXZvEZV4WWH0YCrgFk.ccn6dc2; path=/time
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-Powered-By:Undertow/1
X-XSS-Protection:1; mode=block
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Authorization:Basic c2tvYmxlcjpTMW1vbjUyNzli
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=oHJ4GvQ8pFNv8HSujI49NRXQxoVSVMM580sSrvJW.ccn6dc2
Host:localhost:8090
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.104 (Dart) Safari/537.36
Edit 26.09.2016:
OK, I have now changed the SecurityConfig to:
@Override
protected void configure(final HttpSecurity http) throws Exception {
    super.configure(http);
    http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
    http.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll();
    http.authorizeRequests().antMatchers("/**").authenticated();
}
Now the filter is being called, but I get a new error: Response for preflight has invalid HTTP status code 401
Headers:
Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:114
Content-Type:text/html;charset=UTF-8
Date:Mon, 26 Sep 2016 12:30:39 GMT
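Answer 0 (score: 2)
Your filter does not seem to be applied to OPTIONS requests.
A comment on this blog post suggests that OPTIONS requests need to be explicitly enabled:
https://spring.io/blog/2015/06/08/cors-support-in-spring-framework
One "gotcha" I found when using CORS with Spring MVC (using a Filter or HandlerInterceptor) and Spring Security is that you need to explicitly permit all OPTIONS requests to properly handle the pre-flight. The W3C spec for CORS says that pre-flight requests should not send credentials, however I have found that some browsers do send the credentials, and others don't. So if you don't permitAll OPTIONS you get a 403 if the browser is not sending the credentials.
Do pre-flight requests need to be specifically configured when using Spring Security, or should the pre-flight be handled before the filter chain?
See also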
Answer 1 (score: 0)
OK, I have been working around it by disabling Chrome's web security. Thanks to everyone for helping me :)