POST方法缺少set-cookie标头

时间:2019-05-05 14:28:53

标签: java java-ee spring-security http-post csrf

当我使用来自Angular的HTTP POST方法执行请求时,响应没有set-cookie头,相反,当我使用HTTP GET方法执行请求时响应则带有set-cookie头。

我知道,当使用POST方法时,浏览器会自动发出预检OPTIONS请求。我正在寻找建议,在POST方法请求客户端获取set-cookie标头后,该方法已经可以与GET方法一起使用了吗?

我的Angular请求:

this.http.post<UserDto>("//localhost:8080/users", this.user, {withCredentials: true}).subscribe( user => {
  alert("User created successfully.");
});;

这些是我得到的响应头:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: POST,PUT,DELETE,GET,OPTIONS
Access-Control-Allow-Origin: http://localhost:4200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Sun, 05 May 2019 09:22:55 GMT
Expires: 0
Pragma: no-cache
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

我的请求标头:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:8080
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36

我的Spring Security配置:

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.
        cors().and().
                csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and().addFilterBefore(
                new StatelessCSRFFilter(), CsrfFilter.class);
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(ImmutableList.of("http://localhost:4200"));
        configuration.setAllowedMethods(Arrays.asList("POST","PUT","DELETE","GET","OPTIONS"));
        configuration.setAllowCredentials(true);

        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

我找到了这样的建议:

“通过添加针对没有凭据的飞行前OPTIONS请求的响应过滤器,我可以使其工作。

<security-constraint>
        <display-name>No check for options</display-name>
        <web-resource-collection>
            <web-resource-name>All Access</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

我不确定春季如何实现该解决方案。

已经成功在SpringFramework后端正确设置了CORS配置,因为方法可以按预期成功,并且Angular确实为GET请求设置了cookie。如果没有HTTP.GET请求,只有POST操作才能成功。

0 个答案:

没有答案