问题:
Spring Boot Security忽略cors配置
刘狐若
我在Spring Boot(1.5.7.release)中添加了带有JWT身份验证的Spring Security性(5.0.0.release),但是CORS似乎不起作用。我添加了这里描述的CORS配置。我还尝试将@CrossOrigin添加到控制器中,但似乎没有改变任何东西。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurity extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
public WebSecurity(UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.antMatchers(HttpMethod.GET, ACTIVATE_URL).permitAll()
.antMatchers(AUTH_WHITELIST).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()))
// this disables session creation on Spring Security
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues();
configuration.setAllowedOrigins(Collections.singletonList("*"));
configuration.addAllowedMethod(HttpMethod.TRACE);
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
Allow →DELETE,GET,HEAD,POST
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Content-Length →0
Date →Fri, 12 Jan 2018 13:22:08 GMT
Expires →0
Pragma →no-cache
X-Content-Type-Options →nosniff
X-Frame-Options →DENY
X-XSS-Protection →1; mode=block
和Spring Security调试日志:
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@7ce27d90
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'GET /logout
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'POST /logout
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2018-01-12 14:22:08.621 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'PUT /logout
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'DELETE /logout
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 6 of 13 in additional filter chain; firing Filter: 'JWTAuthenticationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/login'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 7 of 13 in additional filter chain; firing Filter: 'JWTAuthorizationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'POST /api/users/register
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'OPTIONS /api/stories/7' doesn't match 'GET /api/users/activate/**
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/login'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/request-reset-password'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/users/reset-password'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/stories'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/stories/7'; against '/api/stories/*'
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/stories/7; Attributes: [permitAll]
2018-01-12 14:22:08.622 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@703f0616, returned: 1
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2018-01-12 14:22:08.623 DEBUG 15619 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/stories/7 reached end of additional filter chain; proceeding with original chain
2018-01-12 14:22:08.630 DEBUG 15619 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2018-01-12 14:22:08.630 DEBUG 15619 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
下面是无效CORS请求的日志:
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-12 15:47:09.445 DEBUG 17909 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@7d9c9d3c
2018-01-12 15:47:09.446 DEBUG 17909 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/users/bank-accounts/ at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2018-01-12 15:47:09.446 DEBUG 17909 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
共有1个答案
瞿宏儒
当使用断点作为dur sugested时,AllowMethods总是null
在CorsConfigurationSource中添加以下行修正了它:
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "DELETE", "OPTIONS"));
类似资料:
-
问题内容: 我正在开发一个使用Spring-boot,关系数据库和Elasticsearch的应用程序。 我在代码的2个不同位置使用JSON序列化: 在REST API的响应中。 当代码与Elasticsearch交互时。 我在Elasticsearch中需要一些属性,但我想向应用程序用户隐藏(例如,来自关系数据库的内部ID)。 这是一个实体的例子: 问题 :当对象持久化在Elasticsearc
-
问题内容: 我想用我的主要Java项目及其所有依赖项创建一个jar文件。所以我在pom文件中创建了以下插件定义: 所以我执行,将所有的依赖复制到而不是复制上,效果很好。有任何想法吗? 问题答案: 正常:您配置了名为的特殊执行,但是,直接在命令行上调用目标会创建默认执行,该默认执行与您配置的执行不同。因此,不会考虑您的配置。 在Maven中,可以在2个地方配置插件:用于所有执行(在级别使用)或用于每
-
我定义了“静态”hazelcast配置: 其中“10.0.0.2”是我的localhostip。我只希望将hazelcast的一个实例添加到我的tcpIpConfig成员中。我的朋友坐在同一个网络中,拥有编号为“10.0.0.3”的IP。他懒得从git上共享的属性文件中更改密码和组名,并且正在连接到我的集群。为什么他能够连接到我的集群?我如何防止这种情况?
-
下面是我的pom.xml: 在Entourage-0.0.1-snapshot.jar中,config.properties位于根,其内容与上面相同(即localhost)。 我不是在胡编乱造!
-
问题内容: 我有以下json文件: 但是java模型如下: Jackson解析时会引发异常,因为“ externalId”字段没有getter或setter方法。有没有可以用来忽略json字段的装饰器? 问题答案: 您可以使用注释;如果这只是您要跳过的一个值,则类似于: 或忽略任何无法使用的东西: 还有其他方法可以做到这一点,其余的请查看FasterXML Jackson wiki 。
-
我已经编写了许多通过RESTAPI调用进行通信的服务。这些服务可以配置为使用HTTP或HTTPS。任何给定的客户端都具有定义到服务器的连接的安全配置。“默认”配置属性由应用程序中的值设置。yml在这一点上效果很好。 然而,我逐渐意识到,这在更现实的情况下并不适用。问题是,我试图设置特定的参数,例如启动客户端时的服务器主机/端口,而我设置的值被忽略。 例如: 服务A(客户端)将出于某种目的与服务B(