0

我认为 CORS 过滤器有问题。因为当我通过 Intellij Idea REST Tools 发送带有授权标头的请求时,我的过滤器会捕获一个授权标头。

但是当我尝试从另一台服务器的客户端发送请求时,过滤器看不到我的标头(返回 null)。

我正在使用 spring boot、angularjs、salelizer 和 JWT 构建令牌。

用于在服务器端构建令牌的参数。

    private static final JWSHeader JWT_HEADER = new JWSHeader(JWSAlgorithm.HS256);
    private static final String TOKEN_SECRET = "Bearer";
    public static final String AUTH_HEADER_KEY = "Authorization";

我的身份验证过滤器

public class AuthFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        String authHeader = httpRequest.getHeader(AuthUtils.AUTH_HEADER_KEY);

        if (StringUtils.isBlank(authHeader) || authHeader.split(" ").length != 2) {
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, AUTH_ERROR_MSG);
        } else {
            JWTClaimsSet claimSet = null;
            try {
                claimSet = (JWTClaimsSet) AuthUtils.decodeToken(authHeader);
            } catch (ParseException e) {
                httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, JWT_ERROR_MSG);
                return;
            } catch (JOSEException e) {
                httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, JWT_INVALID_MSG);
                return;
            }


            // ensure that the token is not expired
            if (new DateTime(claimSet.getExpirationTime()).isBefore(DateTime.now())) {
                httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, EXPIRE_ERROR_MSG);
            } else {
                chain.doFilter(request, response);
            }
        }   
    }

    @Override
    public void destroy() { /* unused */ }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { /* unused */ }

}

Web Mvc 配置文件中的我的 CORS 过滤器

 @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        config.addExposedHeader("Authorization");
        config.addExposedHeader("Content-Type");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }

我的安全配置

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS,"**").permitAll().and().authorizeRequests()
            .antMatchers( "/index","/api/**", "/auth/**", "/js/**", "/css/**", "/html/**")
            .permitAll().anyRequest().authenticated();

我的客户端配置

function configHttp($httpProvider, $authProvider){
        console.log("sdfd");
        $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
        $httpProvider.defaults.headers.common["Accept"] = "application/json";
        $httpProvider.defaults.headers.common["Content-Type"] = "application/json";

        var token = sessionStorage.getItem("satellizer_token");
        if (token && $authProvider.httpInterceptor) {
            token = $authProvider.authHeader === 'Authorization' ? 'Bearer ' + token : token;
            $httpProvider.defaults.headers.common[$authProvider.authHeader] = token;
        }
    }

    function configAuth($authProvider) {
        $authProvider.httpInterceptor = function() { return true; };
        $authProvider.baseUrl = 'http://localhost:8080';
        $authProvider.loginUrl = '/auth/login';
        $authProvider.signupUrl = '/auth/registration';
        $authProvider.tokenName = 'token';
        $authProvider.storageType = 'sessionStorage';
        $authProvider.authToken = 'Bearer';
        $authProvider.authHeader = 'Authorization';
    }
4

1 回答 1

0

这里描述了几个选项。

一种选择是使用@CrossOrigin 注释您的控制器方法或类。

如果你想要全局配置,你可以添加一个新的 bean。我从上面列出的 Spring 文档中获取了这个并对其进行了修改,以便映射为/*. 您可以修改该路径以适合您的应用程序。根据javadoc,默认情况下将允许所有来源。

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurerAdapter() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/*");
        }
    };
}
于 2016-02-20T18:56:13.833 回答