Spring + Angular 请求返回 403 Forbidden

时间:2019-12-30 01:59:44

标签: angular spring spring-boot http-status-code-403

我正面临403错误,经过一些研究后仍然存在问题。
以下是 Chrome 开发者工具(F12)中显示的请求头和响应头详细信息

-------General
Request URL: http://localhost:4200/api/v1/home
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 127.0.0.1:4200
Referrer Policy: no-referrer-when-downgrade
-------Response Headers
Access-Control-Allow-Origin: *
cache-control: no-cache, no-store, max-age=0, must-revalidate
connection: close
content-type: application/json;charset=UTF-8
date: Mon, 30 Dec 2019 01:49:27 GMT
expires: 0
pragma: no-cache
set-cookie: JSESSIONID=9E0F0A10B29D328C3E8FBC03BAB72CA2; Path=/api; HttpOnly
transfer-encoding: chunked
x-content-type-options: nosniff
x-frame-options: DENY
X-Powered-By: Express
x-xss-protection: 1; mode=block
-------Request Headers
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Authorization: Bearer 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
Connection: keep-alive
Content-Length: 0
Cookie: XSRF-TOKEN=eb87cc03-1be2-426d-b7bb-ef30e7bf3527; JSESSIONID=D4A1F9CF59E3B8A28490C246F9DEA36F; _ga=GA1.1.579132858.1548640045
Host: localhost:4200
Origin: http://localhost:4200
Referer: http://localhost:4200/
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

这是错误响应{"timestamp":"2019-12-30T01:49:27.214+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/api/v1/home"}

我一直在按照一些指南操作,但仍然无法解决这个问题。例如:Spring Tutorial https://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part1/
这是我的安全配置:

package com.luckyWoo.powerWoo.auth;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

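/**
 * Spring Security configuration: registers the injected {@link AuthenticationProvider},
 * places the custom {@code AuthenticationFilter} in front of HTTP Basic, enables
 * cookie-based CSRF protection and exposes a CORS filter bean.
 *
 * <p>No {@code authorizeRequests()} rules are declared in this class, so whether a
 * request is rejected for missing authentication depends on what the custom
 * {@code AuthenticationFilter} does for {@link #PROTECTED_URLS}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** URL patterns handed to the custom {@code AuthenticationFilter}. */
    private static final RequestMatcher PROTECTED_URLS = new OrRequestMatcher(new AntPathRequestMatcher("/v1/**"));

    /**
     * Browser origin allowed to make credentialed cross-origin requests.
     * This is a local development value (presumably the Angular dev server);
     * replace it with the deployed front-end origin(s) before release.
     */
    private static final String ALLOWED_ORIGIN = "http://localhost:4200";

    AuthenticationProvider provider;

    /**
     * @param authenticationProvider provider registered with the authentication manager
     */
    public SecurityConfig(final AuthenticationProvider authenticationProvider) {
        this.provider = authenticationProvider;
    }

    /** Registers the injected provider as the source of authentication decisions. */
    @Override
    protected void configure(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(provider);
    }

    /**
     * Builds the filter chain for every path: custom authentication filter, then
     * HTTP Basic, with CSRF protection backed by a cookie token repository.
     *
     * @throws Exception if the {@link HttpSecurity} builder rejects the configuration
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // CookieCsrfTokenRepository.withHttpOnlyFalse() publishes the token in a
        // script-readable XSRF-TOKEN cookie and expects the client to send the same
        // value back in the X-XSRF-TOKEN header (or the _csrf parameter) on
        // state-changing requests such as POST. A POST that carries only the cookie
        // is answered with 403 Forbidden.
        // NOTE(review): by default the cookie is scoped to the servlet context path,
        // so a front end served from a different path may be unable to read it.
        // Confirm the cookie path matches where the SPA is served.
        http.antMatcher("/**")
                .addFilterBefore(authenticationFilter(), BasicAuthenticationFilter.class)
                .httpBasic()
                .and()
                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    /**
     * Excludes the PayPal webhook endpoint from the Spring Security filter chain.
     *
     * @throws Exception if the {@link WebSecurity} builder rejects the configuration
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ignored paths bypass the whole chain: no authentication and no CSRF check
        // run for this URL.
        // NOTE(review): the webhook handler therefore has to authenticate the caller
        // itself (for example by verifying the sender's signature) - confirm it does.
        web.ignoring().antMatchers("/v1/payment/paypal_webhooks");
    }

    /**
     * Creates the custom authentication filter bound to {@link #PROTECTED_URLS}
     * and wires it to this configuration's authentication manager.
     *
     * @throws Exception if the authentication manager cannot be built
     */
    AuthenticationFilter authenticationFilter() throws Exception {
        AuthenticationFilter filter = new AuthenticationFilter(PROTECTED_URLS);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /**
     * CORS policy applied to every path.
     *
     * <p>The allowed origin is an explicit value rather than {@code "*"}. Combined
     * with {@code setAllowCredentials(true)}, a wildcard origin either makes the
     * server echo back whatever origin the caller sends (older Spring releases),
     * letting any site issue cookie-bearing requests, or is rejected as an invalid
     * configuration (newer releases).
     *
     * @return filter applying the CORS configuration to {@code /**}
     */
    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin(ALLOWED_ORIGIN);
        config.addAllowedHeader("*");
        config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("DELETE");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}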

上面的配置包含来自 Spring 教程指南的 .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())。其他指南中也有 corsFilter bean。是的,我也尝试过在代码中包含其中之一。

所以现在我被困住了,任何建议/帮助都将受到赞赏!

0 个答案:

没有答案