我正在使用 spring boot 3 并构建了一个 oauth2 自定义授权服务器来保证我的应用程序的安全,所有路由都受它的保护。但问题是,当我配置为所有没有 cors 问题的源访问时,我创建的路由工作正常,只有在尝试没有访问令牌的情况下尝试访问时才会抛出未经授权的错误,但是由用于在内部颁发令牌的授权服务器,当我尝试从同一源访问时,这些路由会引发cors问题。谁能帮我解决这个问题吗?
这是我的应用程序的安全配置
@Bean
@Order(2)
public SecurityFilterChain appSecurity(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(request-> request.anyRequest().authenticated())
.formLogin(Customizer.withDefaults())
.cors(c -> c.configurationSource(corsConfigurationSource()))
.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
return httpSecurity.build();
}
@Bean
public org.springframework.web.cors.CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://localhost:5173"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(Arrays.asList("*"));
configuration.setAllowCredentials(true);
configuration.setExposedHeaders(Arrays.asList("Authorization"));
org.springframework.web.cors.UrlBasedCorsConfigurationSource source = new org.springframework.web.cors.UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
source.registerCorsConfiguration("http://localhost:8085/oauth2/**", configuration);
return source;
}
当我尝试访问由 oauth2 管理的 /oauth2/token 或 /oauth2/authorize 等路由时,给我带来了 cors 问题
我怀疑您缺少
authorizationServerSecurityFilterChain我正在使用 Spring 授权服务器文档中的以下内容,并将缺少的
.corsimport org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
.oidc(Customizer.withDefaults()); // Enable OpenID Connect 1.0
http
// added
.cors(c -> c.configurationSource(corsConfigurationSource()))
// Redirect to the login page when not authenticated from the
// authorization endpoint
.exceptionHandling((exceptions) -> exceptions
.defaultAuthenticationEntryPointFor(
new LoginUrlAuthenticationEntryPoint("/login"),
new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
)
)
// Accept access tokens for User Info and/or Client Registration
.oauth2ResourceServer((resourceServer) -> resourceServer
.jwt(Customizer.withDefaults()));
return http.build();
}
// remaining code from here