Question

我在使用本教程https://spring.io/guides/tutorials/spring-security-and-angular-js/#_sso_with_oauth2_angular_js_and_spring_security_part_v的过程中使用了angular 7和spring boot 2.1.0

前端的我的身份验证功能如下：

  private api = 'http://localhost:8080/v1/api';

  authenticate(credentials): Observable<User> {
    const headers = new HttpHeaders(credentials ? {
      authorization: 'Basic ' + btoa(credentials.username + ':' + credentials.password)
    } : {});

    return this.http.get<User>(`${this.api}/user`, {headers: headers})
      .pipe(
        retry(3),
        map(user => this.currentUser = user),
        catchError(this.errorHandler)
      );
  }

我的安全配置如下：

@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
    http.cors()
            .and().httpBasic()
            .and().authorizeRequests().antMatchers("/index.html", "/", "/home", "/login").permitAll()
            .anyRequest().authenticated()
            .and().csrf().disable()
}

@Bean
fun corsConfigurationSource(): CorsConfigurationSource {
    val configuration = CorsConfiguration()
    configuration.allowedOrigins = Arrays.asList("http://localhost:4200")
    configuration.allowedMethods = Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")
    configuration.allowedHeaders = Arrays.asList("authorization", "content-type", "x-auth-token")
    configuration.exposedHeaders = Arrays.asList("x-auth-token")
    val source = UrlBasedCorsConfigurationSource()
    source.registerCorsConfiguration("/**", configuration)
    return source
}

然后我的浏览器发送带有以下标头的OPTIONS：

Accept  text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8 
Accept-Encoding gzip, deflate 
Accept-Language de,en-US;q=0.7,en;q=0.3 
Access-Control-Request-Headers  authorization,x-requested-with 
Access-Control-Request-Method   GET 
Cache-Control   no-cache 
Connection  keep-alive 
Host    localhost:8080 
Origin  http://localhost:4200 
Pragma  no-cache 
Referer http://localhost:4200/login 
User-Agent  Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/64.0

Spring Boot回答200 OK

Access-Control-Allow-Headers    authorization
Access-Control-Allow-Methods    GET,POST,PUT,PATCH,DELETE,OPTIONS
Access-Control-Allow-Origin http://localhost:4200
Access-Control-Expose-Headers   x-auth-token
Cache-Control   no-cache, no-store, max-age=0, must-revalidate
Content-Length  0
Date    Thu, 22 Nov 2018 19:43:53 GMT
Expires 0
Pragma  no-cache
Vary    Origin
Vary    Access-Control-Request-Method
Vary    Access-Control-Request-Headers
X-Content-Type-Options  nosniff
X-Frame-Options DENY
X-XSS-Protection 1; mode=block

据我对cors的了解，浏览器随后应发送带有auth标头的get请求？但是什么也没发生……怎么了？

thx

Answer 1

好吧：

将spring配置更改为

http.cors()
        .and().httpBasic()
        .and().authorizeRequests().antMatchers("/index.html", "/", "/home", "/login").permitAll()
        .anyRequest().authenticated()
        .and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

并将HttpClientXsrfModule添加到我的角度应用程序。不是很好。

Angular Basic Auth春季启动

1 个答案: