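I have a Spring Boot application with REST services secured using Spring Security. Redis is used to store sessions. I deployed the application in Glassfish 4.1.2. When I try to log in using basic authentication, x-auth-token is not returned in the response headers. What could be the problem?
Here are my configuration classes: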
ApplicationSecurityConfig
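    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.AuthenticationEntryPoint;
    import org.springframework.security.web.savedrequest.NullRequestCache;
    import org.springframework.session.web.http.HeaderHttpSessionStrategy;
    import org.springframework.session.web.http.HttpSessionStrategy;

    @Configuration
    @EnableWebSecurity
    public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private CustomAuthenticationProvider customAuthenticationProvider;
        @Autowired
        private CustomAuthenticationDetailsSource source;
        @Autowired
        private HttpLogoutSuccessHandler logoutSuccessHandler;
        @Autowired
        private AuthenticationEntryPoint authenticationEntryPoint;

        // Carry the session id in the x-auth-token header instead of a cookie.
        @Bean
        public HttpSessionStrategy httpSessionStrategy() {
            return new HeaderHttpSessionStrategy();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(customAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/crr/**").access("hasRole('CRR')")
                    .anyRequest().authenticated()
                    .and()
                // Do not save the original request in the session.
                .requestCache()
                    .requestCache(new NullRequestCache())
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessHandler(logoutSuccessHandler)
                    .and()
                .httpBasic().authenticationDetailsSource(source).authenticationEntryPoint(authenticationEntryPoint);
            http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
            // CSRF protection is switched off for this REST API.
            http.csrf().disable();
        }
    }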
CORSCustomFilter
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.stereotype.Component;

    @Component
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class CORSCustomFilter implements Filter {

        // Adds the CORS response headers to every response, for any origin.
        public void doFilter(ServletRequest servletRequest,
                ServletResponse servletResponse, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            response.setHeader("Access-Control-Allow-Origin", "*");
            response.setHeader("Access-Control-Allow-Methods", "POST, GET");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Headers",
                    "X-Requested-With,content-type, Authorization");
            chain.doFilter(servletRequest, servletResponse);
        }

        public void init(FilterConfig filterConfig) {
        }

        public void destroy() {
        }
    }
Note: when I deploy the application in Tomcat, x-auth-token is successfully generated in the response headers.
Answer 0: (score: 0)
To retrieve it from the response headers, add x-auth-token to Access-Control-Allow-Credentials and Access-Control-Expose-Headers:

    response.setHeader("Access-Control-Expose-Headers", "x-auth-token");
    response.setHeader("Access-Control-Allow-Credentials", "x-auth-token");

This worked for me.