我有2个春季启动项目。一个是spring boot web项目,我用它作为我的前端客户端使用angular 1.另一个spring boot项目是spring boot core项目,我用它作为我的后端服务器。
我正在从我的Web项目生成JWT令牌,如我的Oauth2 API仪表板的测试部分所述。它正在生成JWT,我在Authorization Header下的API调用中传递了它。我正在使用客户端凭证盛大类型。 JS代码:
this.getPackageImages = function getPackageImages()
{
var settings = { "async" : true, "crossDomain" : true, "url" : "https://tenant-onboarding.auth0.com/oauth/token", "method" : "POST", "headers" : { "content-type" : "application/json"},
"data" : "{\"client_id\":\"**********************\",\"client_secret\":\"***********************************************\",\"audience\":\"http://localhost:8085/HOBSCMS/getContent\",\"grant_type\":\"client_credentials\"}" };
$.ajax(settings).done(function(response1)
{
settings = { "async" : true, "crossDomain" : true, "url" : tenantappmodel.cmsURL + "/HOBSCMS/getContent?siteId=1&langId=1&pageId=1", "method" : "GET", "headers" : { "authorization" : response1['token_type'] + " " + response1['access_token'] }};
//
$.ajax(settings).done(function(response2)
{
return response2;
});
});
return;
};
现在我想了解服务器端所需的所有实现。我的服务器端项目包含微服务API,我必须保护它不受浏览器的直接访问。所以我在OAuth2.0下注册了我的项目。 Spring Boot Code:
@Configuration
@ConditionalOnWebApplication
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements Filter
{
@Value("${auth0.audience}")
private String audience;
@Value("${auth0.issuer}")
private String issuer;
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests().antMatchers(HttpMethod.GET, "/HOBSCMS/getContent").hasAuthority("read:content")
// .antMatchers(HttpMethod.GET, "/HOBSCMS/getContent")
.anyRequest().authenticated().and().anonymous().disable().exceptionHandling().authenticationEntryPoint(new org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint("headerValue"));
JwtWebSecurityConfigurer.forRS256(audience, issuer).configure(http);
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException
{
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With, Origin, Accept, x-auth-token");
// if ("OPTIONS".equalsIgnoreCase(request.getMethod()))
// {
// response.setStatus(HttpServletResponse.SC_OK);
// }
// else
// {
// chain.doFilter(req, res);
// }
}
@Override
public void init(FilterConfig filterConfig) throws ServletException
{
// TODO Auto-generated method stub
}
@Override
public void destroy()
{
// TODO Auto-generated method stub
}
}
从JS调用/ HOBSCMS / getContent时,我在JS Console中收到401错误。错误:
OPTIONS http://01hw731241:8085/HOBSCMS/getContent?siteId=1&langId=1&pageId=1 401()无法加载 http://01hw731241:8085/HOBSCMS/getContent?siteId=1&langId=1&pageId=1: 预检的响应具有无效的HTTP状态代码401。
我也在Controller中实现了CORS过滤器。代码:
@CrossOrigin
@RequestMapping(value = "/getContent", method = RequestMethod.GET, produces = "application/json")
public @ResponseBody Iterable<HOBSCMS> getContent(@RequestParam final String siteId, @RequestParam final String pageId, @RequestParam final String langId)
{
LOGGER.info("Inside getContent -->" + this.getClass().getName());
Iterable<HOBSCMS> hobsCMSItr = null;
try
{
hobsCMSItr = hobsCMSRepository.getContent(Long.valueOf(siteId), Long.valueOf(pageId), Long.valueOf(langId));
LOGGER.info("Outside getContent -->" + this.getClass().getName());
}
catch (Exception e)
{
LOGGER.error("Exception in getOne -->" + this.getClass().getName(), e);
}
LOGGER.info("Outside getContent -->" + this.getClass().getName());
return hobsCMSItr;
}
建议解决此问题的方法。