即使在Spring Boot中启用了CorsFilter,飞行前请求也会得到验证

时间:2019-10-24 22:32:17

标签: spring spring-boot cors spring-security-oauth2

我正在使用Spring Security进行OAuth身份验证,并且已经配置了Cors。但是,由于预检请求没有令牌(这应该是这样),所以我的所有预检请求都由于身份验证而失败。我有以下配置类;

SecurityConfiguration.java

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(final HttpSecurity security) throws Exception {

        security.cors()
                .and()
                .requestMatchers()
                .antMatchers("/actuator/health")
                .and()
                .authorizeRequests()
                .antMatchers("/actuator/health").permitAll()
                .and()
                .csrf().disable();

        // Custom filter to validate if user is authorized and active to access the system
        security.addFilterAfter(new AuthorizationFilter(), BasicAuthenticationFilter.class);
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues();
        configuration.setAllowedMethods(Arrays.asList("GET","HEAD","POST","PUT"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

WebMvcConfiguration .java

@Configuration
public; class WebMvcConfiguration implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedMethods("GET","HEAD","POST","PUT");
    }
}

问题:

  1. 即使启用了CorsFilter,为什么预检请求也要进行身份验证?
  2. 如何排除飞行前请求以进行身份​​验证?

更新:

我启用了日志,用于使用application.yml文件中的logging.level.org.springframework.security.web.FilterChainProxy: DEBUG调试问题。

我获取了在过滤器链中注册的过滤器列表,列表如下:

class org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
class org.springframework.security.web.context.SecurityContextPersistenceFilter
class org.springframework.security.web.header.HeaderWriterFilter
class org.springframework.web.filter.CorsFilter
class org.springframework.security.web.authentication.logout.LogoutFilter
class org.springframework.security.web.savedrequest.RequestCacheAwareFilter
class org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
class org.springframework.security.web.authentication.AnonymousAuthenticationFilter
class org.springframework.security.web.session.SessionManagementFilter
class org.springframework.security.web.access.ExceptionTranslationFilter
class org.springframework.security.web.access.intercept.FilterSecurityInterceptor
class org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter

注意corsFilter已注册。但是,当我收到请求时,仅以下过滤器正在运行,而不是CorsFilter;

'WebAsyncManagerIntegrationFilter'
'SecurityContextPersistenceFilter'
'HeaderWriterFilter'
'LogoutFilter'
'BearerTokenAuthenticationFilter'
'RequestCacheAwareFilter'
'SecurityContextHolderAwareRequestFilter'
'AnonymousAuthenticationFilter'
'SessionManagementFilter'
'ExceptionTranslationFilter'
'FilterSecurityInterceptor'

更新2:

在测试时,我注意到'/ actuator / health'时,正在调用CorsFilter。但是我不确定这是什么意思?

1 个答案:

答案 0 :(得分:0)

在配置security.cors()中添加以下内容应启用CORS过滤器,该过滤器应可在没有授权令牌的情况下使飞行前请求正常工作。但是似乎您配置了错误的请求处理程序,请使用正确的网址映射,以便安全配置将应用于所有端点。

此外,请尝试设置允许的来源,以涵盖所有来源:

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues();
    configuration.setAllowedMethods(Arrays.asList("GET","HEAD","POST","PUT"));
    configuration.setAllowedOrigins(Arrays.asList("*"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

指南:https://www.baeldung.com/spring-security-multiple-entry-points