CorsFilter与Stormpath

时间:2016-10-24 22:20:12

标签: spring-mvc spring-security spring-boot cors stormpath

我正在尝试使用Stormpath和Spring Boot构建我的第一个应用程序。我没有找到如何将CORS过滤器添加到Stormpath servlet。因此,我的前端应用程序无法获取身份验证令牌,因为缺少Access-Control-Allow-Origin标头。

使用日志,我确信我的CORS过滤器是在我控制的方法上调用的,而不是在请求/ oauth / token上。

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {

    private final Logger log = LoggerFactory.getLogger(SimpleCorsFilter.class);

    public SimpleCorsFilter() {
        log.info("SimpleCORSFilter init");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        log.debug("*********Enter Cors Filter***********");
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");

        chain.doFilter(req, res);
        log.debug("******* Exit Cors Filter ****");
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

}

我也尝试了此博客https://shuaib.me/stormpath-java-backend/中的方法,并在application.properties中添加了以下行。

stormpath.web.accessToken.origin.authorizer.originUris = http://localhost:3002
stormpath.web.filters.cors = something.SimpleCorsFilter
stormpath.web.uris./logout = cors
stormpath.web.uris./register = cors
stormpath.web.uris./oauth/token = cors

我还尝试添加FilterRegistrationBean

@Bean
public FilterRegistrationBean corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.addAllowedOrigin("http://localhost");
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");
    source.registerCorsConfiguration("/**", config);
    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
    bean.setOrder(0);
    return bean;
}

所有这些尝试都有相同的结果,它们适用于我的控制器中的方法,但不适用于/ oauth / token请求。

最后,这是我的pom

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>stormpath-basic</groupId>
<artifactId>stormpath-basic</artifactId>
<version>0.0.1-SNAPSHOT</version>
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.4.1.RELEASE</version>
    <relativePath /> 
</parent>

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <java.version>1.8</java.version>
    <stormpath.version>1.1.1</stormpath.version>
</properties>

<dependencies>
    <dependency>
        <groupId>com.stormpath.spring</groupId>
        <artifactId>stormpath-default-spring-boot-starter</artifactId>
        <version>${stormpath.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-aop</artifactId>
        <version>1.4.1.RELEASE</version>
    </dependency>


    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <version>1.16.10</version>
    </dependency>

    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
    </dependency>
    <dependency>
        <groupId>com.jayway.jsonpath</groupId>
        <artifactId>json-path</artifactId>
    </dependency>


    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
    </dependency>

</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

我错过了什么吗?

2 个答案:

答案 0 :(得分:2)

从版本1.2.0开始,Stormpath Java SDK将提供开箱即用的CORS过滤器。默认情况下,它将使用以下选项启用:

stormpath.web.cors.enabled = true
#Comma separated list of allowed origins
stormpath.web.cors.allowed.originUris =
stormpath.web.cors.allowed.headers = Content-Type,Accept,X-Requested-With,remember-me
stormpath.web.cors.allowed.methods = POST,GET,OPTIONS,DELETE

可以通过application.properties文件自定义这些属性。

答案 1 :(得分:1)

Spring Boot支持Cross-Origin Resource Sharing (CORS),但它仅适用于Spring MVC,而不适用于Spring Security。 Spring Framework提供了CorsFilter you can use for filter-based frameworks。看起来您已经使用FilterRegistrationBean执行了此操作。

我在writing a blog post about it上周遇到了同样的问题。调试后,我发现这是因为主StormpathFilter位于CorsFilter之前。

要解决此问题,请将以下内容添加到application.properties

stormpath.web.stormpathFilter.order=1