java - CORS Spring Security Oauth2

Question

我对 CORS Spring Security Oauth2 有疑问。

这是我的类 CustomAuthenProvider.java

@Component
public class CustomAuthenProvider implements AuthenticationProvider {

  private static final Logger logger = LogManager.getLogger(CustomAuthenProvider.class);

  @Autowired(required = false)
  private HttpServletRequest request;

  @Autowired
  private LdapService ldapService;

  @Value("${key.twofactor}")
  private String key;

  @Override
  public Authentication authenticate(Authentication authentication) {

    boolean authorizeLdap = ldapService.authorizeLDAP(authentication.getName(),
        authentication.getCredentials().toString());
    Totp totp = new Totp(key);

    if (!authorizeLdap || !totp.verify(request.getParameter(Constant.OTP))) {
      logger.info("Login Fail");
      return null;
    }
    Authentication auth = new UsernamePasswordAuthenticationToken(authentication.getName(),
        authentication.getCredentials().toString(), getAuthorityAdmin());
    return auth;

  }

  private List<SimpleGrantedAuthority> getAuthorityAdmin() {
    return Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN"));
  }

  @Override
  public boolean supports(Class<?> authentication) {
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
  }
}

这是我的 SecurityConfig.java 类

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private CustomAuthenProvider customAuthenProvider;

  @Override
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(customAuthenProvider);
  }

  @SuppressWarnings("deprecation") // For NoOpPasswordEncoder
  // Using NoOpPasswordEncoder for simplicity's sake
  @Bean
  public PasswordEncoder passwordEncoder() {
    return NoOpPasswordEncoder.getInstance();
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable().anonymous().disable().authorizeRequests()
        .antMatchers("/api-docs/**").permitAll();
  }

  @Bean
  public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration
        .setAllowedMethods(Arrays.asList("GET", "POST", "PATCH", "DELETE", "OPTIONS"));
    configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
    configuration.setExposedHeaders(Arrays.asList("x-auth-token"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
  }

}

我使用 Angular 7 作为前端。

调用 API 192.168.0.109:8182/oauth/token 时显示错误:

2zone-evergreen.js:2952 OPTIONS http://192.168.0.109:8182/oauth/token 401
 Access to XMLHttpRequest at 'http://192.168.0.109:8182/oauth/token' from origin 'http://192.168.0.113:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

我不知道为什么会出现消息“未经授权”。

有人可以帮我吗？

提前致谢。 :)

Answer 1

modify as below and try 

    @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable().anonymous().disable().authorizeRequests()
                     .antMatchers("/api/auth/**")
                        .permitAll()
                    .antMatchers(HttpMethod.GET, "/api/**", "/api/**")
                        .permitAll();

}