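We added Spring Security to our existing project.
From this moment on, we get a 401 No 'Access-Control-Allow-Origin' header is present on the requested resource error from our server.
That's because no Access-Control-Allow-Origin header is attached to the response. To fix this, we added our own filter, which sits in the filter chain before the logout filter, but the filter does not apply to our requests.
Our error:
XMLHttpRequest cannot load http://localhost:8080/getKunden. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin http://localhost:3000 is therefore not allowed access. The response had HTTP status code 401.
Our security configuration: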
@EnableWebSecurity
@Configuration
@ComponentScan("com.company.praktikant")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyFilter filter;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        final CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        source.registerCorsConfiguration("/**", config);
        http.addFilterBefore(new MyFilter(), LogoutFilter.class).authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/*").permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    }
}
Our filter:
@Component
public class MyFilter extends OncePerRequestFilter {

    @Override
    public void destroy() {
    }

    private String getAllowedDomainsRegex() {
        return "individual / customized Regex";
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        final String origin = "http://localhost:3000";
        response.addHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Headers",
                "content-type, x-gwt-module-base, x-gwt-permutation, clientid, longpush");
        filterChain.doFilter(request, response);
    }
}
Our application:
@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        final ApplicationContext ctx = SpringApplication.run(Application.class, args);
        final AnnotationConfigApplicationContext annotationConfigApplicationContext = new AnnotationConfigApplicationContext();
        annotationConfigApplicationContext.register(CORSConfig.class);
        annotationConfigApplicationContext.refresh();
    }
}
Our filter is registered by Spring Boot:
2016-11-04 :19:51.494 INFO 9704
Our generated filter chain:
2016-11-04 :19:52.729 INFO 9704 -- ost-startStop-1 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: o.s.s.web.DefaultSecurityFilterChain com.company.praktikant.MyFilter@5ba65db2,org.springframework.security.web.authentication.logout.LogoutFilter@2330834f,org.springframework.security.web.savedrequest.RequestCacheAwareFilter@396532d1,org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4fc0f1a2,org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2357120f,org.springframework.security.web.session.SessionManagementFilter@10867bfb,org.springframework.security.web.access.ExceptionTranslationFilter@4b8bf1fb,org.springframework.security.web.access.intercept.FilterSecurityInterceptor@42063cf1
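Response: Response headers
We also tried the solution from Spring, but it didn't work! The @CrossOrigin annotation in our controller didn't help either.
Edit 1:
Tried the solution from @Piotr Sołtysiak. The CORS filter isn't listed in the generated filter chain, and we still get the same error.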
2016-11-04 10:22:49.881 INFO 8820 -- ost-startStop-1 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: o.s.s.web.DefaultSecurityFilterChainorg.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@3990c331,org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@1e8d4ac1,org.springframework.security.web.authentication.www.BasicAuthenticationFilter@2d61d2a4,org.springframework.security.web.savedrequest.RequestCacheAwareFilter@380d9a9b,org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@abf2de3,org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2a5c161b,org.springframework.security.web.session.SessionManagementFilter@3c1fd3e5,org.springframework.security.web.access.ExceptionTranslationFilter@3d7055ef,org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5d27725a
By the way, we are using Spring Security version 4.1.3.
https://stackoverflow.com/questions/40418441