Spring Security +会话:接收“ Set-Cookie”标头,但未在浏览器中设置

时间:2019-07-01 10:58:45

标签: spring spring-boot spring-mvc spring-security spring-session

我正在尝试使用Angular前端进行Spring Security&Session。 尝试使用该响应标头登录时,我得到200代码:

Set-Cookie: SESSION=NGJlYTkzODQtNTQzMy00NGIxLWEzOWYtYTc2MGNlZWY1OTJm; Path=/; HttpOnly; SameSite=Lax

但是在我对服务器的下一个请求中,请求中没有自动设置cookie。顺便说一句,我在开发人员工具中看不到cookie,所以我认为它没有保存。

我在本地从事前端和后端工作。

以下是有关后端的一些信息:

  • 使用Spring MongoDb会话 @Configuration @EnableMongoHttpSession public class SessionConfig { }

    • 经典Spring安全配置

`     @EnableWebSecurity     公共类SecurityConfig扩展了WebSecurityConfigurerAdapter {     私有的最终CustomAuthenticationProvider authProvider; 

public SecurityConfig(CustomAuthenticationProvider authProvider) {
    this.authProvider = authProvider;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authProvider);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .cors().and()
        .authorizeRequests()
        .anyRequest().authenticated()
        .and()
        .httpBasic(); //todo csrf
}

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Collections.singletonList("http://localhost:4200")); // todo properties by environment
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
    configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
    configuration.setAllowCredentials(true);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

} `

会话已很好地保存在mongodb中,只是ID未保存在浏览器中。 有什么想法吗?

修改

在httpClient参数中设置observer: "response"时,看不到Set-Cookie标头:

"cache-control: no-cache, no-store, max-age=0, must-revalidate,content-type: application/json,expires: 0,pragma: no-cache"

但是在开发人员工具中,我有:

HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Access-Control-Allow-Origin: http://localhost:4200 Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Set-Cookie: SESSION=YTEwOTNkNjAtZjI4MS00ZmM2LWExYmEtYzA5NzJhMjAyNTJh; Path=/; HttpOnly; SameSite=Lax Content-Type: application/json Transfer-Encoding: chunked Date: Mon, 01 Jul 2019 11:25:08 GMT

2 个答案:

答案 0 :(得分:0)

问题出在倾斜的一面! 我添加了withCredentials参数的拦截器,它可以正常工作。

@Injectable()
export class XhrInterceptor implements HttpInterceptor {

  intercept(req: HttpRequest<any>, next: HttpHandler) {
    const xhr = req.clone({
      withCredentials: true
    });
    return next.handle(xhr);
  }
}

答案 1 :(得分:0)

在后端创建CORS过滤器并添加

response.setHeader("Access-Control-Allow-Headers",
                "Date, Content-Type, Accept, X-Requested-With, Authorization, From, X-Auth-Token, Request-Id");
response.setHeader("Access-Control-Expose-Headers", "Set-Cookie");
response.setHeader("Access-Control-Allow-Credentials", "true");
相关问题
最新问题