【Question title】: Spring boot security x-auth-token not found in header
【Posted】: 2018-01-27 01:34:57
【Question】:

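I have a Spring Boot application with REST services that are secured by Spring Security. Redis is used to store sessions. I have deployed the application in Glassfish 4.1.2. When trying to log in using basic authentication, x-auth-token is not returned in the response headers. What could be the problem?

Below are my configuration classes: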

ApplicationSecurityConfig

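import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.savedrequest.NullRequestCache;
import org.springframework.session.web.http.HeaderHttpSessionStrategy;
import org.springframework.session.web.http.HttpSessionStrategy;

@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider customAuthenticationProvider;

    @Autowired
    private CustomAuthenticationDetailsSource source;

    @Autowired
    private HttpLogoutSuccessHandler logoutSuccessHandler;

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    // Exchange the session id in the x-auth-token header instead of a cookie
    @Bean
    public HttpSessionStrategy httpSessionStrategy() {
        return new HeaderHttpSessionStrategy();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/crr/**").access("hasRole('CRR')")
            .anyRequest().authenticated()
            .and()
            .requestCache()
            .requestCache(new NullRequestCache())
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessHandler(logoutSuccessHandler)
            .and()
            .httpBasic().authenticationDetailsSource(source).authenticationEntryPoint(authenticationEntryPoint);
        http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
        http.csrf().disable();
    }
}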

CORSCustomFilter

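import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CORSCustomFilter implements Filter {

    // Adds the CORS response headers to every response, then continues the chain
    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {

        HttpServletResponse response = (HttpServletResponse) servletResponse;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers",
                "X-Requested-With,content-type, Authorization");
        chain.doFilter(servletRequest, servletResponse);
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}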

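Note: when I deploy the application in Tomcat, x-auth-token is generated successfully in the response headers.

【Question discussion】:

  • Why do you think x-auth-token should appear in the response?
  • @dit I am using HeaderHttpSessionStrategy. So there should be an x-auth-token generated in the response headers.

Tags: spring spring-boot spring-security redis glassfish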


【Solution 1】:

To retrieve it from the response headers, add x-auth-token to Access-Control-Allow-Credentials and Access-Control-Expose-Headers

response.setHeader("Access-Control-Expose-Headers", "x-auth-token");
response.setHeader("Access-Control-Allow-Credentials", "x-auth-token");

This worked for me.

【Discussion】:
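
The answer above concerns which response headers a browser lets cross-origin script read. The following is an added example, not code from the original post or from Spring: it models the Fetch-standard CORS check and response-header filtering so the effect of each header combination can be tested before deployment. The origin https://app.example, the token value and the helper name corsView are assumptions.

```javascript
// Constructed sample values throughout; corsView is a hypothetical helper name.
const SAFELISTED = ["cache-control", "content-language", "content-length",
                    "content-type", "expires", "last-modified", "pragma"];
const FORBIDDEN = ["set-cookie", "set-cookie2"];

// Lower-case header names so lookups are case-insensitive.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { allowed, readable }: whether the CORS check passes and which
// response headers cross-origin script can read afterwards.
function corsView(origin, withCredentials, responseHeaders) {
  const h = lower(responseHeaders);
  const acao = h["access-control-allow-origin"];
  let allowed;
  if (acao === undefined) allowed = false;
  else if (!withCredentials) allowed = acao === "*" || acao === origin;
  else allowed = acao === origin && h["access-control-allow-credentials"] === "true";
  if (!allowed) return { allowed, readable: [] };

  const exposed = (h["access-control-expose-headers"] || "")
    .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
  const wildcard = !withCredentials && exposed.includes("*");
  const readable = Object.keys(h).filter(name =>
    !FORBIDDEN.includes(name) &&
    (SAFELISTED.includes(name) || wildcard || exposed.includes(name)));
  return { allowed, readable: readable.sort() };
}

const ORIGIN = "https://app.example"; // hypothetical front-end origin
const base = { "Content-Type": "application/json", "x-auth-token": "sample-token",
               "Access-Control-Allow-Origin": "*" };
// 1. The question's filter: the token is sent but script cannot read it.
const asAsked = corsView(ORIGIN, false, base);
// 2. With the Expose-Headers line added: the token becomes readable.
const exposedHdr = corsView(ORIGIN, false,
  { ...base, "Access-Control-Expose-Headers": "x-auth-token" });
// 3. Credentialed request: "*" origin and a non-"true" Allow-Credentials fail.
const credBad = corsView(ORIGIN, true, { ...base,
  "Access-Control-Allow-Credentials": "x-auth-token" });
// 4. Credentialed request with an explicit origin and the literal "true" passes.
const credOk = corsView(ORIGIN, true, { ...base,
  "Access-Control-Allow-Origin": ORIGIN,
  "Access-Control-Expose-Headers": "x-auth-token",
  "Access-Control-Allow-Credentials": "true" });
console.log({ asAsked, exposedHdr, credBad, credOk });
```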
