
我正在開發一個 Web 應用程式:前端是以 angular-cli 產生的 Angular 2(TypeScript),後端是 Spring Boot 1.5.2。由於我想把兩者解耦,REST 服務部署在 Tomcat 上(localhost:8084,context path 為 app-api),前端則由 angular-cli 提供(localhost:4200)。主題:Angular 2 與 Spring Boot Security REST API。

我的問題是:登入之後再呼叫其他 API,結果卻是 401。登入成功後,JSESSIONID 沒有被保留,第二個請求的標頭中也沒有帶上它。

這是我的 bean 設定:

<?xml version="1.0" encoding="UTF-8"?> 
<!-- Spring Security (XML namespace) configuration of the REST back end the
     question describes (Tomcat, localhost:8084, context path app-api). The
     Angular front end is served from another origin (localhost:4200), so each
     call is a cross-origin request: the browser attaches the JSESSIONID cookie
     only to credentialed requests, and the CORS response headers declared
     below decide whether such a response is accepted at all. -->
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans.xsd 
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security.xsd"> 
    <global-method-security /> 

    <!-- Application-specific success/failure handlers and entry point (classes
         not shown here); presumably they answer with status codes instead of
         the default redirects, which is what a REST client expects. -->
    <beans:bean id="failureHandler" class="my.app.auth.RESTAuthenticationFailureHandler"></beans:bean> 
    <beans:bean id="successHandler" class="my.app.auth.RESTAuthenticationSuccessHandler"></beans:bean> 
    <beans:bean id="loginUrlAuthenticationEntryPoint" class="my.app.auth.RESTAuthenticationEntryPoint"></beans:bean> 

    <!-- Request matcher that tells the custom login filter which path it handles. -->
    <beans:bean id="loginPathRequestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> 
     <beans:constructor-arg type="java.lang.String" value="/login" /> 
    </beans:bean> 

    <!-- Custom login filter, plugged in as FORM_LOGIN_FILTER below. The
         "environment" and "httpClient" beans it takes are not defined in this
         file. Its sessionAuthenticationStrategy points at the bean whose id is
         "session-management" (the CompositeSessionAuthenticationStrategy
         declared further down), not at the <session-management> element; the
         shared name is easy to misread. -->
    <beans:bean id="customUsernamePasswordAuthenticationFilter" 
     class="my.app.auth.AuthenticationFilter"> 
     <beans:constructor-arg ref="loginPathRequestMatcher"/> 
     <beans:constructor-arg ref="environment"/> 
     <beans:constructor-arg ref="httpClient"/> 

     <beans:property name="authenticationManager" ref="authenticationManager" /> 
     <beans:property name="sessionAuthenticationStrategy" ref="session-management" /> 
     <beans:property name="authenticationFailureHandler" ref="failureHandler" /> 
     <beans:property name="authenticationSuccessHandler" ref="successHandler" /> 
    </beans:bean> 

    <!-- Filter chain. disable-url-rewriting keeps the session id out of URLs,
         so the JSESSIONID cookie is the only session carrier; the custom entry
         point decides what an unauthenticated request gets back. -->
    <http auto-config="false" use-expressions="true" 
     disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint"> 
     <!-- NOTE(review): the session is cookie-based, so disabling CSRF leaves
          the state-changing endpoints under /api/** open to cross-site request
          forgery from any site a logged-in user visits. Keeping CSRF enabled
          with a token the SPA can read and echo back in a request header is
          the usual alternative. -->
     <csrf disabled="true" /> 
     <custom-filter position="FORM_LOGIN_FILTER" 
      ref="customUsernamePasswordAuthenticationFilter" /> 
     <custom-filter after="FORM_LOGIN_FILTER" ref="concurrencyFilter" /> 

     <intercept-url pattern="/login" access="permitAll" /> 
     <intercept-url pattern="/" access="permitAll" /> 

     <!-- NOTE(review): this rule also covers CORS preflight (OPTIONS) requests,
          which browsers send without cookies; they fail authentication here and
          are answered by the entry point. That would explain why a POST that
          needs a preflight (any Content-Type other than the form ones) never
          reaches the session. Handling CORS ahead of authentication (the
          <cors> element of the Spring Security 4.x namespace, if available, or
          a CORS filter in front of the chain) or permitting OPTIONS on this
          pattern avoids it. -->
     <intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER')" /> 

     <logout logout-success-url="/login" /> 

     <!-- Static headers added to every response. frame-options and hsts are
          hardening headers; the Access-Control-* ones are the CORS policy.
          NOTE(review): browsers reject the response to a credentialed
          (cookie-bearing) request when Access-Control-Allow-Origin is "*" and
          no Access-Control-Allow-Credentials: true is present, so with these
          values the front end never gets to keep or send JSESSIONID. Name the
          front-end origin explicitly and add the credentials header. Likewise,
          "*" in Access-Control-Allow-Headers is not a wildcard for credentialed
          requests; list only the headers the client actually sends. -->
     <headers> 
      <frame-options policy="SAMEORIGIN" /> 
      <hsts include-subdomains="true" disabled="false" /> 
      <header name="Access-Control-Allow-Origin" value="*"/> 
      <header name="Access-Control-Allow-Methods" value="POST, GET, OPTIONS, DELETE"/> 
      <header name="Access-Control-Max-Age" value="3600"/> 
      <header name="Access-Control-Allow-Headers" value="x-requested-with, authorization, Content-Type, *"/> 
     </headers> 

     <!-- Applies the composite strategy declared below to every authentication. -->
     <session-management 
      session-authentication-strategy-ref="session-management" /> 
    </http> 

    <!-- Application-specific filter (presumably modelled on Spring's
         ConcurrentSessionFilter) wired to the session registry; "/" is the
         URL configured for expired sessions. -->
    <beans:bean id="concurrencyFilter" 
     class="my.app.auth.ConcurrentSessionFilter"> 
     <beans:constructor-arg ref="sessionRegistry" /> 
     <beans:constructor-arg name="expiredUrl" value="/" /> 
    </beans:bean> 

    <!-- Application-specific registry shared by the concurrency filter and the
         session strategies. -->
    <beans:bean id="sessionRegistry" class="my.app.auth.SessionRegistry" /> 

    <!-- Session handling applied on login, in list order: concurrent-session
         control, session-fixation protection, then registration of the new
         session in the registry. -->
    <beans:bean id="session-management" 
     class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy"> 
     <beans:constructor-arg> 
      <beans:list> 
       <beans:bean 
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> 
        <beans:constructor-arg ref="sessionRegistry" /> 
       </beans:bean> 
       <beans:bean 
        class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" /> 
       <beans:bean 
        class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> 
        <beans:constructor-arg ref="sessionRegistry" /> 
       </beans:bean> 
      </beans:list> 
     </beans:constructor-arg> 
    </beans:bean> 

    <!-- Exposed under the alias the custom login filter references;
         authentication itself is delegated to the application's provider. -->
    <authentication-manager alias="authenticationManager"> 
     <authentication-provider ref="customAuthenticationProvider" /> 
    </authentication-manager> 

    <beans:bean id="customAuthenticationProvider" class="my.app.auth.UserAuthProvider" /> 

    <beans:bean id="authenticationService" class="my.app.auth.AuthenticationService" /> 
</beans:beans> 

enter image description hereenter image description hereenter image description here

我參考過 angular2-spring-boot-security 這個主題,但仍然解決不了我的問題;也許我還沒有真正理解那裡的解法。

對我的問題有什麼建議嗎?或者願意和我討論?謝謝。


請貼出您的 AngularJS 程式碼。您是否已將「JSESSIONID」cookie 加到第二個請求中? – dur


@dur:我解決了 GET 請求的問題,但 POST 請求仍有問題,我寫在下面的回答裡。 –

回答


謝謝大家。我透過在 Spring 設定中明確指定 Access-Control-Allow-Origin,並在 Angular 2 的 http 中啟用 withCredentials,解決了我的問題。Spring 的設定如下:

 <!-- Names the front-end origin instead of "*": browsers accept a credentialed
      (cookie-bearing) response only when the origin is explicit and
      Access-Control-Allow-Credentials is true. -->
 <header name="Access-Control-Allow-Origin" value="http://localhost:4200"/> 
     <!-- NOTE(review): withCredentials is a property of the browser's
          XMLHttpRequest and is set on the client; as a response header it has
          no effect and can be dropped. -->
     <header name="withCredentials" value="true"/> 
     <header name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, PATCH, DELETE"/> 
     <header name="Access-Control-Max-Age" value="3600"/> 
     <!-- NOTE(review): for credentialed requests browsers do not treat "*" here
          as a wildcard, so a preflight asking for Content-Type is refused; that
          matches the POST failure described below. List the headers the client
          sends instead, e.g. "Content-Type, x-requested-with, authorization".
          The preflight (OPTIONS) also has to pass the security filter chain,
          since it carries no cookie. -->
     <header name="Access-Control-Allow-Headers" value="*"/> 
     <!-- Required for the browser to accept a cookie-bearing cross-origin
          response. -->
     <header name="Access-Control-Allow-Credentials" value="true"/> 

並在元件的建構函式中加入以下 http 設定:

constructor(private http: Http) { 
    // The JSESSIONID cookie is only sent cross-origin when the underlying
    // XMLHttpRequest has withCredentials set, so the XHR factory used by
    // Angular's Http backend is wrapped to switch it on for every request.
    // NOTE(review): _backend and _browserXHR are private members of
    // @angular/http and may change between releases; the public routes are
    // RequestOptionsArgs.withCredentials per request or a custom BrowserXhr
    // provider.
    const browserXhr = (<any>http)._backend._browserXHR;
    const originalBuild = browserXhr.build;
    browserXhr.build = function () {
        const xhr = originalBuild();
        xhr.withCredentials = true;
        return xhr;
    };
}

這樣 GET 請求已能正常運作,但現在 POST 請求有很大的問題:當我在標頭中加入 Content-Type 時,請求不會帶上 cookie 中的 JSESSIONID;但如果不加 Content-Type,伺服器會回傳 415(Unsupported Media Type)錯誤。

我也在 Angular 2 中試過 Http 與 XMLHttpRequest。這裡的問題出在哪裡?