预飞行请求未通过访问控制检查tomcat 10

kdfy810k  于 2021-10-10  发布在  Java
关注(0)|答案(1)|浏览(457)

我正在尝试设置一个tomcat服务器来接收来自angular webapp的请求。在我开始尝试使用delete类型的请求之前,一切都正常。通过调试,我意识到问题出现在我的过滤器中,该过滤器检查用户在试图访问某些服务器资源时是否已经有会话,并拒绝这些请求。
代码如下:
后端会话筛选器:

public class SessionFilter extends HttpFilter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        var out = response.getWriter();
        ObjectMapper mapper = new ObjectMapper();

        response.setContentType("application/json");
        if (request.getSession(false) == null && !request.getRequestURI().equals("/login")) {
            response.setStatus(401);
            out.println(mapper.writerFor(ServletResponse.class).writeValueAsString(new ServletResponse("User must be logged in first!")));
            return;
        }

        chain.doFilter(request, response);

    }

    @Override
    public void destroy() {
    }
}

登录servlet(提供会话的servlet)

@WebServlet(urlPatterns = "/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        sess = req.getSession(true);
        sess.setMaxInactiveInterval(3600);
   }
}

执行删除请求的某个servlet

@WebServlet(urlPatterns = "/test")
public class TravelServlet extends HttpServlet {
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        PrintWriter out = resp.getWriter();
        out.println(req.getParameter("test"));
    }
}

web.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_5_0.xsd"
         version="5.0">

    <filter>
        <filter-name>SessionFilter</filter-name>
        <filter-class>web.lab9.servlets.filters.SessionFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SessionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>http://localhost:4200</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,DELETE,HEAD,OPTIONS,PUT</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
        </init-param>
        <init-param>
            <param-name>cors.exposed.headers</param-name>
            <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
        </init-param>
        <init-param>
            <param-name>cors.support.credentials</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

现在在前端,使用angular,我这样称呼请求:

this.http.delete<string>(this.url, {
      params: new HttpParams().set('test', 'test'),
      withCredentials: true
    }).subscribe(result => {console.log(result);}, error => {console.log(error);});

每当删除请求到达服务器时,会话都为null,并且我从会话筛选器中抛出一个错误。据我所知,这是因为飞行前的请求以及飞行前没有设置头的事实。我有什么办法可以绕过这件事吗?除了http servlet和过滤器之外,我不允许使用任何东西。
另外,我可以从会话筛选器中执行重定向操作吗?在使用delete请求之前,我能够做到这一点,但自从我开始使用它以来,我只遇到了一些问题,因为处理get/post请求的方法在处理delete/put/时根本不起作用。。。

bkkx9g8r

bkkx9g8r1#

问题在于过滤器的顺序。如果您希望访问以下筛选器中的Cookie,则cors筛选器应始终位于第一位。文档中没有提到任何类似的内容,所以我只是认为这无关紧要,但很明显,它确实如此。

相关问题