Spring security Access-Control-Allow-Origin:*(CORS)关于无效JWT令牌的问题
我在Spring Boot应用程序中用Spring security配置了JWT安全性。我对…有意见
Access-Control-Allow-Origin: *
头部,也称为CORS。我将应用程序配置为每个服务器响应中都有header,但是一旦JWT令牌无效,服务器响应的403错误代码就没有Access-Control-Allog-Origin:*header。这将导致浏览器向控制台写入错误消息:
未能加载http://...请求的资源上没有“访问-控制-允许-来源”标头。来源“http://...”因此不允许访问。响应的HTTP状态代码为403。
这似乎是错误的,我希望获得Access-Control-Allog-Origin:*头部响应,即使JWT令牌无效,服务器响应有403错误代码。
现在我尝试的和我的代码。
依赖关系:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.5.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
...
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
正如我所理解的,这个问题可能是由过滤器链中的过滤器顺序引起的,我试图将我的JWT JwtAuthenticationFilter放在CorsFilter或CsrfFilter之后,创建CorsConfigurationSource bean。在https://docs.Spring.io/Spring-Security/site/docs/current/reference/html5/#CORS中对此进行了描述,并讨论了如何在Spring Boot+Spring Security应用程序中配置CORS?和https://github.com/spring-projects/spring-boot/issues/5834,但似乎没有任何帮助
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("${com.faircloud.common.security.header}")
private String header;
@Value("${com.faircloud.common.security.prefix}")
private String prefix;
@Value("${com.faircloud.common.security.validateLink}")
private String validateLink;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().authorizeRequests()
.antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**",
"/swagger-ui.html", "/webjars/**")
.permitAll()
.and().authorizeRequests().anyRequest().authenticated().and()
.addFilterAfter(new JwtAuthenticationFilter(header, prefix, validateLink),
CsrfFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
// setAllowCredentials(true) is important, otherwise:
// The value of the 'Access-Control-Allow-Origin' header in the response must
// not be the wildcard '*' when the request's credentials mode is 'include'.
configuration.setAllowCredentials(true);
// setAllowedHeaders is important! Without it, OPTIONS preflight request
// will fail with 403 Invalid CORS request
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
这里是JwtAuthenticationFilter类。请注意,为了验证令牌,它通过HTTP调用其他微服务。另外,我的应用程序没有登录endpoint,因为登录是在其他微服务应用程序上实现的。
public class JwtAuthenticationFilter extends BasicAuthenticationFilter {
private String header;
private String prefix;
private String validateLink;
public JwtAuthenticationFilter(String header, String prefix, String validateLink) {
super(new AuthenticationManager() {
public Authentication authenticate(Authentication authentication) throws AuthenticationException{
return null;
}
});
this.header = header;
this.prefix = prefix;
this.validateLink = validateLink;
}
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain)
throws ServletException, IOException {
// 1. get the authentication header. Tokens are supposed to be passed in the
// authentication header
String headerValue = request.getHeader(header);
// 2. validate the header and check the prefix
if (headerValue == null || !headerValue.startsWith(prefix)) {
chain.doFilter(request, response); // If not valid, go to the next filter.
return;
}
// 3. Get the token
String token = headerValue.replace(prefix, "");
try {
GatewayResponse gatewayResponse = validate(token);
String userId = gatewayResponse.getUserId();
/*
Roles could come from gateway or loaded from current
microservice database by user id. They are
hardcoded here to illustrate how to populate
SecurityContextHolder
*/
List<String> authorities = new LinkedList<String>();
authorities.add("USER");
authorities.add("ADMIN");
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userId, null,
authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
SecurityContextHolder.getContext().setAuthentication(auth);
addTokenToResponse(gatewayResponse.getAuthHeader(), response);
} catch (Exception e) {
// In case of failure. Make sure it's clear; so guarantee user won't be
// authenticated
SecurityContextHolder.clearContext();
}
// go to the next filter in the filter chain
chain.doFilter(request, response);
}
private void addTokenToResponse(String authHeaderValue, HttpServletResponse response) {
response.addHeader(header, prefix+authHeaderValue);
}
private GatewayResponse validate(String token) {
/HTTP call here, returns null if invalid token
...
}
}
共有1个答案
有类似的问题,不能使它与CorsConfigurationSource一起工作。只有基于过滤器的CORS支持帮助:
@Bean
public FilterRegistrationBean filterRegistrationBean() {
final CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:4200");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
}
-
XMLHttpRequest无法加载http://localhost:8080/nobelgrid/api/users/create/。请求的资源上没有“访问-控制-允许-来源”标头。因此,不允许访问源'http://localhost:63342'。响应的HTTP状态代码为500。 谁能帮帮我吗? 更新: 但我还有一个错误。我会做另一个问题,因为我认为这是一个不同的论点。 提前感谢!
-
虽然已经通过API网关设置了CORS,并且设置了头,但在尝试在Chrome内从AJAX调用API时,我仍然收到以下错误: XMLHttpRequest无法加载http://xxxxx.execute-api.us-west-2.amazonaws.com/beta/yyyyy。请求的资源上没有“access-control-allow-origin”标头。因此不允许访问源“null”。响应的HTT
-
Response.AddHeader(“Access-Control-Allow-Origin”,“*”)是如何实现的;行设置多个标题时,包括,但没有当我删除它?
-
我从ASP.NET表单中调用这个函数,在调用Ajax时在firebug控制台中得到以下错误。 跨源请求被阻止:同一源策略不允许读取http://anotherdomain/test.json上的远程资源。(原因:CORS标头“Access-Control-Allow-Origin”丢失)。 我做了其他的方法,但仍然找不到解决办法。 注意:我没有服务器权限进行服务器端(API/URL)更改。
-
Access-Control-Allow-Origin响应 header 指示是否该响应可以与具有给定资源共享原点。 Header type Response header Forbidden header name no 语法 Access-Control-Allow-Origin: *Access-Control-Allow-Origin: <origin> 指令 * 对于没有凭据的请求,服务
-
问题内容: 将web.xml移植到Java配置后出现以下问题 根据一些Spring参考,尝试了以下尝试: 所选择的值来自有效的web.xml过滤器: 有什么想法为什么Spring java config方法不能像web.xml文件那样工作? 问题答案: 将CorsMapping从更改方法。 为整个应用程序启用CORS很简单: 你可以轻松更改任何属性,以及仅将此CORS配置应用于特定的路径模式: 控