我目前使用的是Auth0(和一个Angular 2 GUI),它在请求中向Spring Boot API发送"x-xsrf-token"
类型的标头。如何在弹簧启动中更改允许的标头
我得到的错误:
"XMLHttpRequest cannot load http://localhost:3001/ping . Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response."
这是很公平的访问控制响应报头的响应头的列表中不包括x-xsrf-token
(调试在Chrome中的网络选项卡中的请求时) 。
我已经尝试了一些解决方案,我想我来最接近的是覆盖在AppConfig
的配置方法,并加入我自己的CorsFilter
,如下图所示:
(Imports removed for brevity)
@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class AppConfig extends Auth0SecurityConfig {
@Bean
public Auth0Client auth0Client() {
return new Auth0Client(clientId, issuer);
}
@Bean
public Filter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("Content-Type");
config.addAllowedHeader("x-xsrf-token");
config.addAllowedHeader("Authorization");
config.addAllowedHeader("Access-Control-Allow-Headers");
config.addAllowedHeader("Origin");
config.addAllowedHeader("Accept");
config.addAllowedHeader("X-Requested-With");
config.addAllowedHeader("Access-Control-Request-Method");
config.addAllowedHeader("Access-Control-Request-Headers");
config.addAllowedMethod("OPTIONS");
config.addAllowedMethod("GET");
config.addAllowedMethod("PUT");
config.addAllowedMethod("POST");
config.addAllowedMethod("DELETE");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
@Override
protected void authorizeRequests(final HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/ping").permitAll().antMatchers("/").permitAll().anyRequest()
.authenticated();
}
String getAuthorityStrategy() {
return super.authorityStrategy;
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
http.addFilterAfter(auth0AuthenticationFilter(auth0AuthenticationEntryPoint()),
SecurityContextPersistenceFilter.class)
.addFilterBefore(simpleCORSFilter(), Auth0AuthenticationFilter.class);
authorizeRequests(http);http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.cors();
}
}
不幸的是我有没有成功与此,仍然看到x-xsrf-token
我的获取请求的响应标题中丢失。
任何想法将受到欢迎。
恐怕我对此没有任何运气。当我启动服务器时没有错误,但是当我开始运行GET请求时,我一直得到相同的“x-xsrf-token”投诉。无论如何感谢 –
我试过这种配置,就像@JackWooding我发现它没有工作。然后,我试着明确地列出了我在'addAllowedHeader'部分使用的头文件,尽管文档声明“*”被接受为通配符,但它仍然可行。我认为在处理这些标题时存在某种潜在的bug,但我不太确定它在哪里。 – Jules