问题:
Spring Security在回复注册时出现403错误
阴元青
我正在尝试在Spring Boot应用程序中配置Spring Security性。在另一边,Angular正在运行。联系地址时
POST
localhost:15001/auth/api/v1/user/register
I get error 403我重读了一堆类似的问题。答案在任何地方都是一样的。错误通过添加来处理
http.csrf().disable()
csrf在我的配置中被禁用,它写在SecurityConfig类中。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
securedEnabled = true,
jsr250Enabled = true,
prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final JwtTokenProvider jwtTokenProvider;
@Autowired
public SecurityConfig(JwtTokenProvider jwtTokenProvider) {
this.jwtTokenProvider = jwtTokenProvider;
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(
"/authentication/api/v1/**",
"/auth/api/v1/user/register",
"/swagger-ui/**",
"/swagger-ui.html");
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(Arrays.asList("Access-Control-Allow-Headers", "Access-Control-Allow-Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers", "Origin", "Cache-Control", "Content-Type", "Authorization"));
configuration.setAllowedMethods(Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic().disable()
.cors().and().csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/auth/api/v1/user/register").permitAll()
.anyRequest().authenticated()
.and()
.apply(new JwtConfigurer(jwtTokenProvider));
}
}
还有什么问题?链接到此处项目的存储库
日志文件非常大,所以我抛出了一个指向日志的链接
log Spring Security
08-03-2022 18:13:00.323 [http-nio-15001-exec-1] DEBUG org.springframework.security.web.FilterChainProxy.doFilterInternal - Securing OPTIONS /api/v1/user/register
08-03-2022 18:13:00.328 [http-nio-15001-exec-1] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter - Set SecurityContextHolder to empty SecurityContext
08-03-2022 18:13:00.373 [http-nio-15001-exec-1] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter - Cleared SecurityContextHolder to complete request
08-03-2022 18:13:00.373 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.FilterChainProxy.doFilterInternal - Securing POST /api/v1/user/register
08-03-2022 18:13:00.373 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter - Set SecurityContextHolder to empty SecurityContext
08-03-2022 18:13:00.389 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter - Set SecurityContextHolder to anonymous SecurityContext
08-03-2022 18:13:00.389 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor.attemptAuthorization - Failed to authorize filter invocation [POST /api/v1/user/register] with attributes [authenticated]
08-03-2022 18:13:00.404 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.authentication.Http403ForbiddenEntryPoint.commence - Pre-authenticated entry point called. Rejecting access
08-03-2022 18:13:00.404 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter - Cleared SecurityContextHolder to complete request
08-03-2022 18:13:00.404 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.FilterChainProxy.doFilterInternal - Securing POST /error
08-03-2022 18:13:00.404 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter - Set SecurityContextHolder to empty SecurityContext
08-03-2022 18:13:00.404 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter - Set SecurityContextHolder to anonymous SecurityContext
08-03-2022 18:13:00.404 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.FilterChainProxy.doFilter - Secured POST /error
08-03-2022 18:13:00.498 [http-nio-15001-exec-2] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter - Cleared SecurityContextHolder to complete request
如果我更改了corsConfigurationSource方法
// configuration.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
configuration.setAllowedOrigins(Arrays.asList("http://localhost:15001"));
然后出现错误:
Access to XMLHttpRequest at 'http://localhost:15001/auth/api/v1/user/register' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
这是我在这个问题中处理的错误已被CORS政策阻止
共有3个答案
丌官嘉良
在Controller中没有注释的情况下,您可以使用过滤器并管理那里的请求来解决CORS问题。试试这个:
package br.com.rss.generico.filter;
import java.io.IOException;
import java.util.Arrays;
import javax.annotation.PostConstruct;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.CorsProcessor;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.DefaultCorsProcessor;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
/**
*
* @author Thiago Rodrigues
* @since 30 de nov de 2021
*/
@Component
public class CorsFilter extends org.springframework.web.filter.CorsFilter {
private UrlBasedCorsConfigurationSource corsConfigurationSource;
private CorsProcessor processor = new DefaultCorsProcessor();
public CorsFilter(CorsConfigurationSource configSource) {
super(configSource);
}
@PostConstruct
private void configureCorsPolicies() {
CorsConfiguration corsConfig = new CorsConfiguration();
corsConfig.setAllowCredentials(false);
corsConfig.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
corsConfig.setAllowedHeaders(Arrays.asList("Authorization", "Cache-Control", "Content-Type", "app-id", "platform", "sentry-trace"));
corsConfig.setAllowedMethods(Arrays.asList("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH", "OPTION"));
corsConfigurationSource = new UrlBasedCorsConfigurationSource();
corsConfigurationSource.registerCorsConfiguration("/**", corsConfig);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
CorsConfiguration corsConfiguration = corsConfigurationSource.getCorsConfiguration(request);
Boolean isValid = this.processor.processRequest(corsConfiguration, request, response);
if (!isValid || CorsUtils.isPreFlightRequest(request)) {
if (response.getStatus() == 200) {
response.setHeader(HttpHeaders.ALLOW, "HEAD, GET, PUT, POST, DELETE, PATCH, OPTION");
}
return;
}
filterChain.doFilter(request, response);
}
}
娄飞鸾
关于类似的问题,请参考勾选答案。Spring安全CORS过滤器
我认为您需要将cors配置添加到Spring boot应用程序的main方法中,它应该可以工作。我在我的项目中以类似的方式使用
傅朗
问题不是cors或csrf。它已经被禁用了。这是注册api的antMatchers旁路配置。它应该是/api/v1/user/register,而不是/auth/api/v1/user/register。我们不应该添加servlet。上下文路径,在应用程序中设置为auth。网络安全配置中的yml。更新您的SecurityConfig,如下所示:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic().disable()
.cors().and().csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/v1/user/register").permitAll() // update this
.anyRequest().authenticated()
.and()
.apply(new JwtConfigurer(jwtTokenProvider));
}
类似资料:
-
我正在我的xamarin.forms项目中使用xam.plugin.pushnotification 我的主要活动 我pcl里的倾听者 } 在app.cs(PCL)中注册(尝试LOL) 我在尝试注册后收到这个错误……(在onerror方法中) Java。IO.IOException:系统中的无效参数。runtime . exception services . exceptiondispatchi
-
这是错误: 照明\数据库\查询异常SQLSTATE[42S22]:找不到列: 1054未知列"在'where子句'(SQL:选择计数(*)作为聚合从在哪里"=user@email.com) 我的Resgister控制器: }我的用户表迁移:
-
问题内容: 我在Bower注册我的bower.json文件时遇到问题。任何帮助将不胜感激。 当我尝试使用Bower注册我的项目时 我收到错误消息: 我的bower.json的内容很简单(为了解决问题,我删除了空格和换行符): (请注意,该文件中没有?) 这是我运行Bower Register时屏幕上显示的详细信息: 问题答案: 您的Bower json文件(在此处可见:https : //raw.
-
我有一个包含各种列的表“用户”。其中一列是用户名。我决定通过迁移删除该列。这样做之后,我试图通过注册表单(创建操作)创建一个新用户,但收到用户名的未定义方法错误,我不确定为什么。@user.save 上引发错误。 下面是相关的代码,首先是用户控制器的动作,然后是实际提交的表单。 有什么想法吗?堆栈跟踪,根据要求:
-
我有一个插件,但我一直有一个问题注册一个命令。该命令与plugin.yml一起在onEnable中设置。有什么可能出错的想法吗? 主类
-
我在Heroku的./bin文件夹中有这个脚本。该脚本调用parse cloud函数。 脚本运行时没有错误 Heroku控制台日志显示如下输出。云函数有一些console.log语句,但是它们的输出也没有出现。 heroku[router]:at=info-method=POST-path=“/parse/functions/resetJob”host=app.herokuapp。com requ