spring-security Spring授权服务器0.3.1 CORS问题

6l7fqoea  于 2022-11-11  发布在  Spring
关注(0)|答案(1)|浏览(172)

我使用spring-auth-server 0.3.1创建了一个授权服务器,并实现了授权代码工作流,我的问题是,当我的前端-springdoc-到达最后一步时,我得到了一个401,这是登录到浏览器控制台的内容:

Access to fetch at 'http://authorization-server:8080/oauth2/token' from origin 'http://client:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

我使用的是Sping Boot 2.6.12,下面是我对授权服务器的CORS配置(也可以将其复制粘贴到客户端,以防万一):

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfiguration {
    private final Set<String> allowedOrigins;

    @Autowired
    public WebSecurityConfiguration(
            @Value("${spring.security.cors.allowed-origins:*}") List<String> allowedOrigins) {
        this.allowedOrigins = new LinkedHashSet<>(allowedOrigins);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .cors().configurationSource(corsConfigurationSource())
                .and()
                .csrf().disable() // without session cookies we do not need this anymore
                .authorizeRequests().anyRequest().permitAll();
        return http.build();
    }

    private CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        boolean useAllowedOriginPatterns = allowedOrigins.isEmpty() || allowedOrigins.contains("*");
        if (useAllowedOriginPatterns) {
            configuration.setAllowedOriginPatterns(Collections.singletonList(CorsConfiguration.ALL));
        } else {
            configuration.setAllowedOrigins(new ArrayList<>(allowedOrigins));
        }
        configuration.setAllowedMethods(Collections.singletonList(CorsConfiguration.ALL));
        configuration.setAllowCredentials(true);
        configuration.setAllowedHeaders(Collections.singletonList(CorsConfiguration.ALL));

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

下面是Auth服务器的安全过滤器链:

@Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        return http.formLogin(Customizer.withDefaults()).build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain standardSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests((authorize) -> authorize
                        .anyRequest().authenticated()
                )
                        .formLogin(Customizer.withDefaults());

        return http.build();
    }

你知道我错过了什么吗?

pgky5nke

pgky5nke1#

如果您的后端和应用程序不在同一个地址上运行,您的浏览器通常不允许您调用后端。这是一个安全功能。
要允许浏览器调用您的API,请将Access-Control-****头添加到后端响应中(从Spring应答时)。
请在标题中添加以下行

Access-Control-Allow-Origin: *

这里也有一个教程,请访问here on spring.io

相关问题