I was working on implementing Spring Security with HMAC in my Angular application when I noticed something that looked strange.
Can anyone explain why I don't see the "X-HMAC-CSRF", "X-Secret" and "WWW-Authenticate" values in my console.log?
console.log(JSON.stringify(response.headers()))
{"pragma":"no-cache","content-type":"application/json;charset=UTF-8","cache-control":"no-cache, no-store, max-age=0, must-revalidate","expires":"0"}
I do get them correctly in the Network tab (F12), but I can't log them. Some code:
// Names of the custom response headers the backend sets
public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
public static final String X_SECRET = "X-Secret";
public static final String CSRF_CLAIM_HEADER = "X-HMAC-CSRF";

// The three headers are written to the HttpServletResponse, then the JWT cookie is added
response.setHeader(X_SECRET, filteredUrl);
response.setHeader(WWW_AUTHENTICATE, HmacUtils.HMAC_SHA_256);
response.setHeader(CSRF_CLAIM_HEADER, csrfId);
response.addCookie(jwtCookie);
I also added a CORS filter, because the backend and the frontend are not on the same domain:
import java.io.IOException;

import javax.annotation.PostConstruct;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import lombok.extern.slf4j.Slf4j;

@Slf4j
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run before the security filter chain
public class CorsFilter implements Filter {

    @PostConstruct
    public void init() {
        log.info("Setup cors filter");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        //TODO ALLOW ALL ORIGIN ???
        // Note: browsers reject "*" for credentialed (cookie-carrying) cross-origin requests;
        // those need the exact origin plus Access-Control-Allow-Credentials: true
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,OPTIONS,DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        // Request headers the browser may send on a cross-origin request (preflight answer)
        response.setHeader("Access-Control-Allow-Headers", "Origin, If-Modified-Since, Accept, Authorization, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Handle-Errors-Generically");
        chain.doFilter(req, res);
    }
}
Best answer
You also need to set an Access-Control-Expose-Headers response header on the server side so that your front-end JavaScript code can access those headers:
response.setHeader("Access-Control-Expose-Headers",
"X-HMAC-CSRF, X-Secret, WWW-Authenticate");
See https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
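To see why the answer works, here is an added example (not code from the question or the answer) that models the Fetch standard's rule for which response headers cross-origin script may read: the CORS-safelisted names (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) are always readable, Set-Cookie never is, and everything else has to be named in Access-Control-Expose-Headers. Run against a constructed copy of the question's response, it reproduces the four-header console.log from the question and then shows all seven headers once the answer's Expose-Headers line is added. It goes one step beyond the answer with corsCheckPasses, which shows the consequence of the filter's Access-Control-Allow-Origin: * for a request that carries cookies. All header values, the origin and the header names X-Secret, X-HMAC-CSRF and WWW-Authenticate below are placeholders constructed for the example.

```javascript
// Added example, not code from the original post: a model of the Fetch
// standard's rules for which response headers cross-origin script may read,
// and for when the CORS check itself passes. Header values are constructed.

// Always readable from script, whatever the server sends.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Never readable from script, even if listed in Access-Control-Expose-Headers.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Lower-case all names so lookups are case-insensitive, as in the browser.
function normalize(rawHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Split a comma-separated header-name list such as "X-HMAC-CSRF, X-Secret".
function parseHeaderList(value) {
  if (!value) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Does the CORS check pass for a response to a request from `origin`?
// With credentials (fetch credentials: "include" / XHR withCredentials) the
// server must echo the exact origin and send Allow-Credentials: true; "*" fails.
function corsCheckPasses(rawHeaders, origin, { credentials = false } = {}) {
  const h = normalize(rawHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (credentials) {
    return allowOrigin === origin && h["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === origin;
}

// The subset of response headers that response.headers exposes to script.
function exposedHeaders(rawHeaders, { credentials = false } = {}) {
  const h = normalize(rawHeaders);
  const exposeList = parseHeaderList(h["access-control-expose-headers"]);
  // "*" exposes every header only for non-credentialed requests; with
  // credentials the spec treats it as a literal name, so it matches nothing.
  const wildcard = !credentials && exposeList.includes("*");
  const visible = {};
  for (const [name, value] of Object.entries(h)) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (CORS_SAFELISTED_RESPONSE_HEADERS.has(name) || wildcard || exposeList.includes(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample: what the question's filter sends today (values are placeholders).
const RESPONSE_BEFORE = {
  "Access-Control-Allow-Origin": "*",
  "Pragma": "no-cache",
  "Content-Type": "application/json;charset=UTF-8",
  "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
  "Expires": "0",
  "X-Secret": "/api/secret",
  "WWW-Authenticate": "HmacSHA256",
  "X-HMAC-CSRF": "csrf-0123",
  "Set-Cookie": "jwt=token; HttpOnly",
};

// The same response after applying the accepted answer.
const RESPONSE_AFTER = {
  ...RESPONSE_BEFORE,
  "Access-Control-Expose-Headers": "X-HMAC-CSRF, X-Secret, WWW-Authenticate",
};

// Header names visible to script before and after the fix.
function demo() {
  const before = Object.keys(exposedHeaders(RESPONSE_BEFORE)).sort();
  const after = Object.keys(exposedHeaders(RESPONSE_AFTER)).sort();
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

The "before" list is exactly the four keys from the question's console.log: the browser received X-Secret, X-HMAC-CSRF and WWW-Authenticate (hence they show in the Network tab) but filtered them out of response.headers. Note also that the JWT cookie only reaches a cross-origin caller that sends credentials, and for such a caller corsCheckPasses returns false against the filter's wildcard origin, which is the reason the //TODO in the filter matters.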
For "java - CORS hiding headers?", a similar question on Stack Overflow: https://stackoverflow.com/questions/44640438/