Spring security 4.2.3,OAUTH 2,/oauth/token 端点,CORS 不工作

【问题标题】:Spring security 4.2.3, OAUTH 2, /oauth/token endpoint, CORS not workingSpring security 4.2.3,OAUTH 2,/oauth/token 端点,CORS 不工作
【发布时间】:2018-10-16 19:50:14
【问题描述】:

Angular 5 应用需要登录用户。令牌请求被发送到 /oauth/token。由于 CORS,预检 OPTIONS 请求(由 Chrome 发送)失败。

我尝试按照 Spring Security 4.2 的示例以及 Stackoverflow 上的各种问题和响应进行操作。

这是我的代码:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
        .cors().and()
        .csrf().disable()
            .anonymous().disable()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/signup").permitAll()
        .antMatchers("/oauth/token").permitAll()
        .antMatchers("/fapi/**").authenticated()
        .and()
        .httpBasic()
            .realmName("MY_REALM");
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://example.com"));
        configuration.setAllowedMethods(Arrays.asList("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH", "OPTIONS"));
        configuration.addAllowedHeader("*");
        configuration.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
    ............
}

这是来自 Chrome 的请求

General Headers

Request URL: http://api.example.com/oauth/token
Request Method: OPTIONS
Status Code: 401 
Remote Address: 127.65.43.21:80
Referrer Policy: no-referrer-when-downgrade


Request headers

Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: POST
Cache-Control: no-cache
Connection: keep-alive
Host: api.example.com
Origin: http://example.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

回复:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Language: en
Content-Length: 1111
Content-Type: text/html;charset=utf-8
Date: Mon, 07 May 2018 03:23:15 GMT
Expires: 0
Pragma: no-cache
WWW-Authenticate: Basic realm="MY_REALM"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

以及控制台中的错误:

Failed to load http://api.example.com/oauth/token: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access. The response had HTTP status code 401.

【问题讨论】:

标签: spring spring-security oauth-2.0 spring-security-oauth2 spring-security-rest


【解决方案1】:

我无法使用 Spring 提供的 CorsFilter。

这里的工作有所帮助。

Spring security, cors error when enable Oauth2

最终代码部分

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
@WebFilter("/*")
public class SimpleCORSFilter implements Filter {

    public SimpleCORSFilter() {
    }

    @Override
    public void init(FilterConfig fc) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp,
                         FilterChain chain) throws IOException, ServletException {

        System.out.println("doFilter");
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, origin, x-requested-with, authorization, Content-Type, Authorization, credential, X-XSRF-TOKEN");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, resp);
        }    
    }

    @Override
    public void destroy() {
    }    
}

在安全配置中:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/oauth/token");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
      //.cors().and()
        .csrf().disable()
            .anonymous().disable()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/signup").permitAll()
        .antMatchers("/oauth/token").permitAll()
        .antMatchers("/fapi/**").authenticated()
        .and()
        .httpBasic()
            .realmName("MY_REALM");
    }

    /*
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://example.com"));
        configuration.setAllowedMethods(Arrays.asList("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH", "OPTIONS"));
        configuration.addAllowedHeader("*");
        configuration.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }*/
    ............
}

我仍在等待一个可以与 Spring Security 的 CorsFilter 一起使用的示例。

【讨论】:

  • /oauth/token 使用基本身份验证进行保护。客户端 ID 和机密用于此目的。为什么要删除该身份验证?这破坏了 OAuth2 提供的安全性。
【解决方案2】:

编写一个自定义的 cors 过滤器,而不是您所做的,如下所示

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, x-requested-with, authorization, Content-Type, Authorization, credential, X-XSRF-TOKEN);

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
        }

        @Override
        public void init(FilterConfig filterConfig) {
        }

        @Override
        public void destroy() {
        }
    }

并将您的 configure(HttpSecurity http) 覆盖修改为

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .and()
        .csrf().disable()
            .anonymous().disable()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/signup").permitAll()
        .antMatchers("/oauth/token").permitAll()
        .antMatchers("/fapi/**").authenticated()
        .and()
        .httpBasic()
            .realmName("MY_REALM");
    }

【讨论】:

猜你喜欢
  • 2017-09-25
  • 2023-03-08
  • 2019-06-04
  • 2018-04-26
  • 2019-02-18
  • 2015-11-10
  • 2014-11-28
  • 2018-02-23
  • 2019-02-11
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode