我目前正在使用 Auth0(和一个 Angular 2 GUI),它将请求中的 "x-xsrf-token"
类型的 header 发送到 Spring Boot API。
我收到错误:
"XMLHttpRequest cannot load http://localhost:3001/ping. Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response."
这是公平的,因为响应 header 中的访问控制响应 header 列表不包含
x-xsrf-token
(在 Chrome 的网络选项卡中调试请求时)。我尝试了许多解决方案,我认为最接近的是覆盖
AppConfig
中的 configure 方法,并添加我自己的 CorsFilter
,如下所示:(Imports removed for brevity)
@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class AppConfig extends Auth0SecurityConfig {
@Bean
public Auth0Client auth0Client() {
return new Auth0Client(clientId, issuer);
}
@Bean
public Filter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("Content-Type");
config.addAllowedHeader("x-xsrf-token");
config.addAllowedHeader("Authorization");
config.addAllowedHeader("Access-Control-Allow-Headers");
config.addAllowedHeader("Origin");
config.addAllowedHeader("Accept");
config.addAllowedHeader("X-Requested-With");
config.addAllowedHeader("Access-Control-Request-Method");
config.addAllowedHeader("Access-Control-Request-Headers");
config.addAllowedMethod("OPTIONS");
config.addAllowedMethod("GET");
config.addAllowedMethod("PUT");
config.addAllowedMethod("POST");
config.addAllowedMethod("DELETE");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
@Override
protected void authorizeRequests(final HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/ping").permitAll().antMatchers("/").permitAll().anyRequest()
.authenticated();
}
String getAuthorityStrategy() {
return super.authorityStrategy;
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
http.addFilterAfter(auth0AuthenticationFilter(auth0AuthenticationEntryPoint()),
SecurityContextPersistenceFilter.class)
.addFilterBefore(simpleCORSFilter(), Auth0AuthenticationFilter.class);
authorizeRequests(http);http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.cors();
}
}
不幸的是,我没有成功,并且仍然看到我的 get 请求的响应头中缺少
x-xsrf-token
。我的基本项目是这样的:
https://github.com/auth0-samples/auth0-spring-security-api-sample/tree/master/01-Authentication/src/main
欢迎任何想法。
最佳答案
最终我自己解决了这个问题。我在 pom.xml 文件中删除了这个依赖项:
<dependency>
<groupId>com.auth0</groupId>
<artifactId>auth0-spring-security-api</artifactId>
<version>0.3.1</version>
</dependency>
因为是github上的开源项目,这里是 https://github.com/auth0/auth0-spring-security-api 。我将源代码添加到我自己的项目包中,并将其依赖项添加到我的 pom.xml 文件中。然后我更改了 Auth0CORSFilter 中的 doFilter 方法以包含我的 x-xsrf-token:
@Override
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
final HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Authorization, x-xsrf-token, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, " +
"Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
chain.doFilter(req, res);
}
不幸的是,如果我需要,我现在将无法轻松切换版本,我的代码库也稍微有些困惑,但是由于我是 Spring 的新手,这比花费数小时尝试覆盖 Auth0CORSFilter Bean 容易得多,如果那是有可能的。
关于java - 如何在 Spring Boot 中更改允许的 header ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40202908/