CrossOrigin註釋不適用於彈簧安全性

Question

當我啓用spring-boot-starter-security依賴項時。 CORS支持不起作用。

這是我SecurityConfiguration類：

@Configuration 
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Override 
    protected AuthenticationManager authenticationManager() throws Exception { 

     return authentication -> { 

      // ... 
     }; 
    } 

    @Override 
    protected void configure(final HttpSecurity http) throws Exception { 

     http.csrf() 

      // Disabling CSRF 
      .disable() 

      // Disabling Session Management 
      .sessionManagement() 
      .sessionCreationPolicy(SessionCreationPolicy.NEVER) 
      .and() 

      // Adding custom REST Authentication filter 
      .addFilterBefore(new RestAuthenticationFilter(authenticationManager()), LogoutFilter.class) 

      // Authorizing requests 
      .authorizeRequests() 
      .antMatchers("/", "/frontend/login") 
      .permitAll() 
      .antMatchers("/api/**", "/frontend/**") 
      .authenticated() 
      .antMatchers("/**") 
      .permitAll(); 
    } 
} 

我的控制器類有一個CrossOrigin譯註：

@CrossOrigin 
@RequestMapping("/frontend") 
@RestController 
public class FrontEndController extends BaseController { 

我可以處理自定義過濾CORS CORS但我想只使用一個Annoation。

Answer 1

我發現了兩種方法可將CORS支持添加到啓用spring-spring的spring-boot項目中。我們可以將spring-web CorsFilter添加到安全過濾器鏈中。以下示例屬於基於令牌的認證項目。所以我們使用了一個自定義的RestAuthenticationFilter。

@Configuration 
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Override 
    protected void configure(final HttpSecurity http) throws Exception { 

     final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); 
     final CorsConfiguration    config = new CorsConfiguration(); 

     config.addAllowedOrigin("*"); 
     config.addAllowedHeader("*"); 
     config.addAllowedMethod("GET"); 
     config.addAllowedMethod("PUT"); 
     config.addAllowedMethod("POST"); 
     source.registerCorsConfiguration("/**", config); 

     http.csrf() 

      // Disabling CSRF 
      .disable() 

      // Disabling Session Management 
      .sessionManagement() 
      .sessionCreationPolicy(SessionCreationPolicy.NEVER) 
      .and() 

      // Adding spring-web CORS filter 
      .addFilterBefore(new CorsFilter(source), LogoutFilter.class) 

      // Adding custom REST Authentication filter 
      .addFilterBefore(new RestAuthenticationFilter(authenticationManager()), LogoutFilter.class) 

      // Authorizing requests 
      .authorizeRequests() 
      .antMatchers("/", "/frontend/login") 
      .permitAll() 
      .antMatchers("/api/**", "/frontend/**") 
      .authenticated() 
      .antMatchers("/**") 
      .permitAll(); 
    } 
} 

但是在上述例子中我們在控制器CrossOrigin註釋是冗餘的。所以我們應該能夠控制CORS對spring-web層的請求。因此，我們可以允許CORS pre-flight（選項HTTP方法）。

@Configuration 
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { 


    @Override 
    protected void configure(final HttpSecurity http) throws Exception { 

     http.csrf() 

      // Disabling CSRF 
      .disable() 

      // Disabling Session Management 
      .sessionManagement() 
      .sessionCreationPolicy(SessionCreationPolicy.NEVER) 
      .and() 

      // Adding custom REST Authentication filter 
      .addFilterBefore(new RestAuthenticationFilter(authenticationManager()), LogoutFilter.class) 

      // Authorizing requests 
      .authorizeRequests() 
      .antMatchers(HttpMethod.OPTIONS, "/**") 
      .permitAll() 
      .antMatchers("/", "/frontend/login") 
      .permitAll() 
      .antMatchers("/api/**", "/frontend/**") 
      .authenticated() 
      .antMatchers("/**") 
      .permitAll(); 
    } 
} 

通過以上配置，我們可以同時使用@CrossOrigin註釋和彈簧安全配置的幫助。