Spring Security和Angular 6 HTTPS请求

时间:2019-03-18 13:05:15

标签: java angular spring-boot cors spring-security-oauth2

我的后端应用程序在春季启动时使用ssl保护。我使用OAuth2 Facebook登录。也是Angular 7中的前端应用程序,并由ssl保护。我的问题是将Angular请求发送到我的Spring Boot App。所有应用程序均为https。

P.S。如果我将URL添加到webSecurity.ignoring(),则一切正常。而不保护我的后端。我认为安全性和HTTPS请求存在一些问题。感谢帮助。

BACKEND

SecurityConfig.java

@RestController
@CrossOrigin(origins = "https://192.168.1.106:4400")
@Configuration
@Order(1000)
@EnableWebSecurity

public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserRepo userRepo;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors().and()
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/unauth/**").permitAll()
            .antMatchers(HttpMethod.POST, "/unauth/upload").permitAll()

            .antMatchers(HttpMethod.POST, "/api/**").authenticated()
            .antMatchers(HttpMethod.PUT, "/api/**").authenticated()
            .antMatchers(HttpMethod.DELETE, "/api/**").authenticated()
            .antMatchers(HttpMethod.GET, "/api/**").authenticated()
            .anyRequest().permitAll()
            .and().logout().logoutSuccessUrl("/").permitAll();

}

@Override
public void configure(WebSecurity webSecurity) {
    webSecurity.ignoring().antMatchers(HttpMethod.GET, "/unauth/**");
    webSecurity.ignoring().antMatchers(HttpMethod.POST, "/unauth/**");
}
  webSecurity.ignoring().antMatchers(HttpMethod.POST, "/unauth/**");
}

SomeRestController.java

 @RestController
 @CrossOrigin(origins = "https://192.168.1.106:4400")
  @RequestMapping ("/api")
 public class ProductService {



@Autowired
private ProductRepo productRepo;

@CrossOrigin(origins = "https://192.168.1.106:4400")
@GetMapping("/products")
public List<Product> getProducts(){
    return productRepo.findAll();

}

SpringBootApplication.java

@SpringBootApplication
@EnableOAuth2Sso
@CrossOrigin(origins = {"https://192.168.1.106:4400"}, allowCredentials = "false")
public class MongoTestApplication {

    public static void main(String[] args) {
        SpringApplication.run(MongoTestApplication.class, args);
    }
}

SomeComponent.html <按钮(click)=“ makeRequest()”>进行请求

SomeComponent.ts

val:any = {};
  makeRequest(){
    this.http.get("https://localhost:8443/api/products").subscribe(value =>  {this.val = value; console.log(this.val.key)});
  }

错误

浏览器错误

Access to XMLHttpRequest at 'https://localhost:8443/api/brands' from origin 'https://192.168.1.106:4400' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
core.js.pre-build-optimizer.js:15714 ERROR n {headers: t, status: 0, statusText: "Unknown Error", url: "https://localhost:8443/api/brands", ok: false, …}

1 个答案:

答案 0 :(得分:0)

如下所示编辑您的主类,并从控制器中删除所有@CrossOrigin。

import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@SpringBootApplication
@EnableOAuth2Sso
public class MongoTestApplication {

    public static void main(String[] args) {
        SpringApplication.run(MongoTestApplication.class, args);
    }

 @SuppressWarnings("deprecation")
    @Bean
        public WebMvcConfigurer corsConfigurer()
        {
            return new WebMvcConfigurerAdapter() {
                @Override
                public void addCorsMappings(CorsRegistry registry) {
                    registry.addMapping("/**").allowedMethods("GET", "PUT", "POST", "DELETE", "OPTIONS");
                }    
            };
        }
}