使用 Spring Security 进行跨域资源共享

2022-01-15 00:00:00 cors java spring-security

我试图让 CORS 与 Spring Security 很好地配合,但它不符合要求.我做了 this文章 并在 applicationContext-security.xml 中更改这一行已经让 POST 和 GET 请求适用于我的应用程序(暂时公开控制器方法,因此我可以测试 CORS):

I'm trying to make CORS play nicely with Spring Security but it's not complying. I made the changes described in this article and changing this line in applicationContext-security.xml has got POST and GET requests working for my app (temporarily exposes controller methods, so I can test CORS):

  • 之前:<intercept-url pattern="/**" access="isAuthenticated()"/>
  • 之后:<intercept-url pattern="/**" access="permitAll"/>

不幸的是,以下允许 Spring Security 通过 AJAX 登录的 URL 没有响应:http://localhost:8080/mutopia-server/resources/j_spring_security_check.我正在从 http://localhost:80http://localhost:8080 发出 AJAX 请求.

Unfortunately the following URL which allows Spring Security logins through AJAX isn't responding: http://localhost:8080/mutopia-server/resources/j_spring_security_check. I am making the AJAX request from http://localhost:80 to http://localhost:8080.

当尝试访问 j_spring_security_check 我在 Chrome 中得到 (pending) 用于 OPTIONS 预检请求和 AJAX 调用返回 HTTP 状态代码 0 和消息错误".

When attempting to access j_spring_security_check I get (pending) in Chrome for the OPTIONS preflight request and AJAX call returns with HTTP status code 0 and message "error".

预检成功,HTTP 状态代码为 302,之后我仍然直接收到 AJAX 请求的错误回调,HTTP 状态为 0,消息错误".

The preflight succeeds with HTTP status code 302 and I still get the error callback for my AJAX request directly afterwards with HTTP status 0 and message "error".

function get(url, json) {
    var args = {
        type: 'GET',
        url: url,
        // async: false,
        // crossDomain: true,
        xhrFields: {
            withCredentials: false
        },
        success: function(response) {
            console.debug(url, response);
        },
        error: function(xhr) {
            console.error(url, xhr.status, xhr.statusText);
        }
    };
    if (json) {
        args.contentType = 'application/json'
    }
    $.ajax(args);
}

function post(url, json, data, dataEncode) {
    var args = {
        type: 'POST',
        url: url,
        // async: false,
        crossDomain: true,
        xhrFields: {
            withCredentials: false
        },
        beforeSend: function(xhr){
            // This is always added by default
            // Ignoring this prevents preflight - but expects browser to follow 302 location change
            xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
            xhr.setRequestHeader("X-Ajax-call", "true");
        },
        success: function(data, textStatus, xhr) {
            // var location = xhr.getResponseHeader('Location');
            console.error('success', url, xhr.getAllResponseHeaders());
        },
        error: function(xhr) {
            console.error(url, xhr.status, xhr.statusText);
            console.error('fail', url, xhr.getAllResponseHeaders());
        }
    }
    if (json) {
        args.contentType = 'application/json'
    }
    if (typeof data != 'undefined') {
        // Send JSON raw in the body
        args.data = dataEncode ? JSON.stringify(data) : data;
    }
    console.debug('args', args);
    $.ajax(args);
}

var loginJSON = {"j_username": "username", "j_password": "password"};

// Fails
post('http://localhost:8080/mutopia-server/resources/j_spring_security_check', false, loginJSON, false);

// Works
post('http://localhost/mutopia-server/resources/j_spring_security_check', false, loginJSON, false);

// Works
get('http://localhost:8080/mutopia-server/landuses?projectId=6', true);

// Works
post('http://localhost:8080/mutopia-server/params', true, {
    "name": "testing",
    "local": false,
    "generated": false,
    "project": 6
}, true);

请注意 - 除了 Spring Security 登录之外,我可以通过 CORS 发布到我的应用程序中的任何其他 URL.我已经阅读了很多文章,因此对于这个奇怪问题的任何见解将不胜感激

Please note - I can POST to any other URL in my app via CORS except the Spring Security login. I've gone through lots of articles, so any insight into this strange issue would be greatly appreciated

推荐答案

我能够通过扩展 UsernamePasswordAuthenticationFilter 来做到这一点...我的代码在 Groovy 中,希望没问题:

I was able to do this by extending UsernamePasswordAuthenticationFilter... my code is in Groovy, hope that's OK:

public class CorsAwareAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    static final String ORIGIN = 'Origin'

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response){
        if (request.getHeader(ORIGIN)) {
            String origin = request.getHeader(ORIGIN)
            response.addHeader('Access-Control-Allow-Origin', origin)
            response.addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
            response.addHeader('Access-Control-Allow-Credentials', 'true')
            response.addHeader('Access-Control-Allow-Headers',
                    request.getHeader('Access-Control-Request-Headers'))
        }
        if (request.method == 'OPTIONS') {
            response.writer.print('OK')
            response.writer.flush()
            return
        }
        return super.attemptAuthentication(request, response)
    }
}

上面的重要部分:

  • 仅在检测到 CORS 请求时将 CORS 标头添加到响应中
  • 使用简单的非空 200 响应响应飞行前 OPTIONS 请求,该响应还包含 CORS 标头.

你需要在你的 Spring 配置中声明这个 bean.有很多文章展示了如何做到这一点,所以我不会在这里复制.

You need to declare this bean in your Spring configuration. There are many articles showing how to do this so I won't copy that here.

在我自己的实现中,我使用原始域白名单,因为我只允许 CORS 供内部开发人员访问.以上是我正在做的事情的简化版本,可能需要调整,但这应该会给你一个大致的想法.

In my own implementation I use an origin domain whitelist as I am allowing CORS for internal developer access only. The above is a simplified version of what I am doing so may need tweaking but this should give you the general idea.

相关文章