为CORS配置Spring

时间:2019-01-18 14:25:33

标签: java spring spring-boot cors

我正在尝试为CORS配置Spring以使用Angular Web UI:

我尝试过:

@Configuration
@ComponentScan("org.datalis.admin.config")
public class AppConfig {

    @Bean
    public static PropertySourcesPlaceholderConfigurer propertyConfigurer() {
        PropertySourcesPlaceholderConfigurer conf = new PropertySourcesPlaceholderConfigurer();
        conf.setLocation(new ClassPathResource("application.properties"));
        return conf;
    }

    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("127.0.0.1");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<CorsFilter>(new CorsFilter(source));
        bean.setOrder(0);
        return bean;
    }
}

具有Angular FE的Apache服务器与同一服务器上的Wildly服务器一起运行,因此我为源配置了127.0.0.1。

但我仍然得到:

Access to XMLHttpRequest at 'http://123.123.123.123:8080/api/oauth/token' from origin 'http://123.123.123.123' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
auth:1 Failed to load resource: the server responded with a status of 404 (Not Found)

您知道如何解决此问题吗?

我尝试过的第二种方式:

@Configuration
@EnableResourceServer
public class ResourceSecurityConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("resource_id").stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/users/**").permitAll()
                .anyRequest().authenticated()
                .and()
        .cors().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        .anyRequest()
        .fullyAuthenticated()
        .and()
        .httpBasic()
        .and()
        .csrf().disable();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSources() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
        configuration.setExposedHeaders(Arrays.asList("x-auth-token"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

使用第二种配置,我得到has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status. auth:1 Failed to load resource: the server responded with a status of 404 (Not Found)

达到此结果的最佳方法是什么?

6 个答案:

答案 0 :(得分:6)

您允许的来源是127.0.0.1,但是您的客户端具有ip 123.123.123.123。尝试更改此内容:

config.addAllowedOrigin("127.0.0.1");

对此:

config.addAllowedOrigin("123.123.123.123");

答案 1 :(得分:4)

您需要告诉Spring Security使用您创建的CORS配置。

在我的项目中,我以这种方式配置了Spring Security

@Override
protected void configure(HttpSecurity http) throws Exception
{
    http
        .authorizeRequests()
        .antMatchers("/rest/protected/**")
        .authenticated()
     //Other spring sec configruation and then:
    .and()
        .cors()
        .configurationSource(corsConfigurationSource())

}

corsConfigurationSource()在哪里:

@Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

        boolean abilitaCors = new Boolean(env.getProperty("templating.oauth.enable.cors"));
        if( abilitaCors )
        {
            if( logger.isWarnEnabled() )
            {
                logger.warn("CORS ABILITATI! Si assume ambiente di sviluppo");
            }
            CorsConfiguration configuration = new CorsConfiguration();
            configuration.setAllowedOrigins(Arrays.asList("http://localhost:4200","http://localhost:8080", "http://localhost:8180"));
            configuration.setAllowedMethods(Arrays.asList(  RequestMethod.GET.name(),
                    RequestMethod.POST.name(), 
                    RequestMethod.OPTIONS.name(), 
                    RequestMethod.DELETE.name(),
                    RequestMethod.PUT.name()));
            configuration.setExposedHeaders(Arrays.asList("x-auth-token", "x-requested-with", "x-xsrf-token"));
            configuration.setAllowedHeaders(Arrays.asList("X-Auth-Token","x-auth-token", "x-requested-with", "x-xsrf-token"));
            source.registerCorsConfiguration("/**", configuration);
        }
        return source;
    }

我希望它有用

天使

答案 2 :(得分:3)

这是我的工作@Configuration类,用于处理仅在开发环境中使用的CORS请求。

@Configuration
//@Profile(PROFILE_DEV)
  public class CorsConfiguration {

  @Bean
  public WebMvcConfigurer corsConfigurer() {
      return new WebMvcConfigurer() {
          @Override
          public void addCorsMappings(CorsRegistry registry) {
              registry.addMapping("/**")
                  .allowedOrigins("*")
                  .allowedHeaders("*")
                  .allowedMethods("*");
          }
      };
  }
}

您还必须将Spring Security配置为忽略预检请求使用的HttpMethod.OPTIONS(作为您提到的例外)

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  //...
    @Override
    public void configure(WebSecurity web) throws Exception {
      web.ignoring()
            //others if you need
            .antMatchers(HttpMethod.OPTIONS, "/**");

    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .disable()
            .exceptionHandling()
            .and()
            .headers()
            .frameOptions()
            .disable()
            .and()
            .authorizeRequests()
            .antMatchers("/api/register").permitAll()
            .antMatchers("/api/activate").permitAll()
            .antMatchers("/api/authenticate").permitAll()
            .antMatchers("/api/**").authenticated();
    }

}

因为使用cors时,您有Simple RequestPreflighted Request会触发HttpMethod.OPTIONS

答案 3 :(得分:2)

您需要在控制器类中添加@CrossOrigin类级别,如下所示:

@CrossOrigin
public class SampleController {
    // Your code goes here
}

您的rest控制器类的注释

答案 4 :(得分:2)

我建议您使用WebMvcConfigurer,并在addCorsMappings方法中设置CORS配置。

像这样的东西

@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
            .allowedOrigins("http://localhost:9798")
            .allowedMethods("POST", "GET")
            //.allowedHeaders("header1", "header2", "header3")
            //.exposedHeaders("header1", "header2")
            .allowCredentials(true).maxAge(3600);
    }
}

这里有一个带有功能完整的Spring with CORS项目的链接,只需下载并运行它即可。

https://github.com/reos79/spring-cors

它有一个html页面(person.html),该页面除了调用端口(9797)上的服务外,什么也不做。因此,您需要两次加载此项目,一次在9797端口加载服务,另一次在端口(9798)。然后,在浏览器上,您在服务器localhost:9798上调用页面人,它将在文件application.properties中的localhost:9797上调用服务。

答案 5 :(得分:0)

尝试将您的bean名称更改为corsConfigurationSource,删除“ s”

文档https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors

  

//默认情况下使用名称为corsConfigurationSource的Bean

相关问题
最新问题