我正在使用Spring Security进行OAuth身份验证,并且已经配置了Cors。但是,由于预检请求没有令牌(这应该是这样),所以我的所有预检请求都由于身份验证而失败。我有以下配置类;
SecurityConfiguration.java
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(final HttpSecurity security) throws Exception {
security.cors()
.and()
.requestMatchers()
.antMatchers("/actuator/health")
.and()
.authorizeRequests()
.antMatchers("/actuator/health").permitAll()
.and()
.csrf().disable();
// Custom filter to validate if user is authorized and active to access the system
security.addFilterAfter(new AuthorizationFilter(), BasicAuthenticationFilter.class);
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues();
configuration.setAllowedMethods(Arrays.asList("GET","HEAD","POST","PUT"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
WebMvcConfiguration .java
@Configuration
public; class WebMvcConfiguration implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("GET","HEAD","POST","PUT");
}
}
问题:
UPDATE:
我已启用日志以使用application.yml文件中的logging.level.org.springframework.security.web.FilterChainProxy: DEBUG调试问题。
我获取了在过滤器链中注册的过滤器列表,列表如下:
class org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
class org.springframework.security.web.context.SecurityContextPersistenceFilter
class org.springframework.security.web.header.HeaderWriterFilter
class org.springframework.web.filter.CorsFilter
class org.springframework.security.web.authentication.logout.LogoutFilter
class org.springframework.security.web.savedrequest.RequestCacheAwareFilter
class org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
class org.springframework.security.web.authentication.AnonymousAuthenticationFilter
class org.springframework.security.web.session.SessionManagementFilter
class org.springframework.security.web.access.ExceptionTranslationFilter
class org.springframework.security.web.access.intercept.FilterSecurityInterceptor
class org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter
注意corsFilter已注册。但是,当我收到请求时,仅以下过滤器正在运行,而不是CorsFilter;
'WebAsyncManagerIntegrationFilter'
'SecurityContextPersistenceFilter'
'HeaderWriterFilter'
'LogoutFilter'
'BearerTokenAuthenticationFilter'
'RequestCacheAwareFilter'
'SecurityContextHolderAwareRequestFilter'
'AnonymousAuthenticationFilter'
'SessionManagementFilter'
'ExceptionTranslationFilter'
'FilterSecurityInterceptor'
UPDATE 2:
[在测试时,我注意到'/ actuator / health'时,正在调用CorsFilter。但是我不确定这是什么意思?
向配置security.cors()中添加以下内容应已启用CORS过滤器,该过滤器应能够使飞行前请求在没有授权令牌的情况下工作。但是似乎您配置了错误的请求处理程序,请使用正确的url映射,以便安全配置将适用于所有端点。
此外,也请尝试设置允许的来源以涵盖所有来源:
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues();
configuration.setAllowedMethods(Arrays.asList("GET","HEAD","POST","PUT"));
configuration.setAllowedOrigins(Arrays.asList("*"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
指南:https://www.baeldung.com/spring-security-multiple-entry-points