My Spring configuration is deployed on a Tomcat server.
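    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
    import org.springframework.web.servlet.config.annotation.EnableWebMvc;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

    @Configuration
    @EnableWebMvc
    public class WebConfig extends WebMvcConfigurerAdapter {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**")
                    .allowedOrigins("*")
                    .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                    .allowedHeaders("Json-View", "X-PINGOTHER", "Content-Type", "X-Requested-With", "Accept", "Origin",
                            "Access-Control-Request-Method", "Access-Control-Request-Headers", "Authorization")
                    .allowCredentials(false) // or true
                    .maxAge(3600);
        }
    }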
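For all requests to my API, the server returns the 'Access-Control-Allow-Origin' header and everything works fine. But there is a problem with the authorization request to '/oauth/token': authorization is performed, but for some reason the client cannot read the response: "No 'Access-Control-Allow-Origin' header is present on the requested resource...". This may be a configuration problem with Spring Framework.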
GENERAL
Request URL: http://localhost:8080/oauth/token
Request Method: POST
Status Code: 200
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS
Cache-Control: no-store
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Tue, 10 Apr 2018 17:20:34 GMT
Expires: 0
Pragma: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
REQUEST HEADERS
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: ru,en-US;q=0.9,en;q=0.8
Connection: keep-alive
Content-Length: 85
Content-Type: application/x-www-form-urlencoded
Host: localhost:8080
Origin: http://localhost:8081
Referer: http://localhost:8081/
Save-Data: on
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
FORM DATA
username: user
password: qwe
grant_type: password
client_id: web
client_secret: web
Chrome console error:
Failed to load http://localhost:8080/oauth/token: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8081' is therefore not allowed access.
What is wrong here? Why doesn't Spring Security return 'Access-Control-Allow-Origin' for the '/oauth/token' request? The Spring version is 5.0.4, currently the latest version.
Answer 0 (score: 0)
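The only solution I found for the URL /oauth/token is to register a custom filter in the onStartup method, overriding it in AbstractAnnotationConfigDispatcherServletInitializer. That way the filter can be registered before the security filtering.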
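    override fun onStartup(servletContext: ServletContext) {
        super.onStartup(servletContext)
        // Kotlin passes a Java class object as ::class.java, not .class
        val corsFilterReg = servletContext.addFilter("CORSFilter", CORSFilter::class.java)
        // isMatchAfter = false: match this filter before already declared filter mappings
        corsFilterReg.addMappingForUrlPatterns(null, false, "/*")
    }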
And the CORSFilter:
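    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.http.HttpMethod;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class CORSFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            // The original snippet did not show where path comes from; taking the
            // request URI without the context path is an assumption.
            String path = req.getRequestURI().substring(req.getContextPath().length());
            if ("/oauth/token".equals(path)) {
                // Add the CORS response headers for the token endpoint only.
                res.addHeader("Access-Control-Allow-Origin", "*");
                res.addHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
                res.addHeader("Access-Control-Max-Age", "3600");
                res.addHeader("Access-Control-Allow-Headers", "X-PINGOTHER,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization");
                if (HttpMethod.OPTIONS.name().equals(req.getMethod())) {
                    // Answer the preflight here instead of passing it down the chain.
                    res.setStatus(HttpServletResponse.SC_OK);
                } else {
                    chain.doFilter(req, res);
                }
            } else {
                chain.doFilter(req, res);
            }
        }
    }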
This example works as a supplement to addCorsMappings, or to a similar standard way of enabling CORS in your Spring Framework application, such as http.cors().
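
An added example, not part of the original answer: the same kind of onStartup registration, using Spring's built-in CorsFilter with an origin allow-list for /oauth/token instead of "*". The class name TokenEndpointCors, the filter name, and the choice of http://localhost:8081 (the Origin header in the question's request) as the only allowed origin are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;

import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Hypothetical helper (not from the original post). Call
// TokenEndpointCors.register(servletContext) from onStartup in place of
// the hand-written CORSFilter registration.
public final class TokenEndpointCors {

    private TokenEndpointCors() {
    }

    public static void register(ServletContext servletContext) {
        CorsConfiguration config = new CorsConfiguration();
        // Allow-list instead of "*": only the front-end origin from the question (assumed).
        config.setAllowedOrigins(Collections.singletonList("http://localhost:8081"));
        // The token endpoint is called with POST; OPTIONS covers a preflight.
        config.setAllowedMethods(Arrays.asList("POST", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList(
                "Content-Type", "Authorization", "X-Requested-With", "Accept"));
        // No cookies or HTTP auth from the browser; the client sends form data.
        config.setAllowCredentials(false);
        config.setMaxAge(3600L);

        // Apply this policy to the token endpoint only; the rest of the API
        // stays under addCorsMappings.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/oauth/token", config);

        // CorsFilter answers preflight requests itself and rejects CORS
        // requests from origins outside the list with 403.
        FilterRegistration.Dynamic reg =
                servletContext.addFilter("tokenCorsFilter", new CorsFilter(source));
        reg.addMappingForUrlPatterns(null, false, "/oauth/token");
    }
}
```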