使用AngularJS的Spring Boot和CSRF – Forbitten 403 – >错
在我的
Spring Boot / AngularJS应用程序中,我有以下CSRF配置:
@Override protected void configure(final HttpSecurity http) throws Exception { http.csrf().csrfTokenRepository(csrfTokenRepository()); http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); final String[] restEndpointsToSecure = WebSecurityConfig.restEndpointsToSecure; for (final String endpoint : restEndpointsToSecure) { http.authorizeRequests().antMatchers("/" + endpoint + "/**").hasRole(UserRoleEnum.USER.toString()); } http.addFilterAfter(csrfTokenResponseHeaderBindingFilter(),CsrfFilter.class); xAuthTokenConfigurer.setDetailsService(userDetailsServiceBean()); final SecurityConfigurer<DefaultSecurityFilterChain,HttpSecurity> securityConfigurerAdapter = xAuthTokenConfigurer; http.apply(securityConfigurerAdapter); } CSRF-令牌过滤器如下所示: @Override protected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,javax.servlet.FilterChain filterChain) throws ServletException,IOException { final CsrfToken csrf = (CsrfToken)request.getAttribute(CsrfToken.class.getName()); if (csrf != null) { Cookie cookie = WebUtils.getCookie(request,"XSRF-TOKEN"); final String token = csrf.getToken(); if (cookie == null || token != null && !token.equals(cookie.getValue())) { cookie = new Cookie("XSRF-TOKEN",token); cookie.setPath("/"); response.addCookie(cookie); } } filterChain.doFilter(request,response); } 通常它工作正常,请求头属性X-XSRF-TOKEN与每个请求一起发送.但我有一个奇怪的行为. 在底部的图片中,左边的Request是有效的,右边是failes.唯一不同的是,在右侧,响应头中缺少属性Set-Cookie和X-Application-context.请求标头是相同的. 有谁知道我在这里做错了什么.这对我来说是神秘主义者. 解决方法
好像前端userProfile.controller中可能存在一些功能错误
作为解决方案,您可以更正前端控制器或作为另一种解决方法,您可以将以下内容添加到您的代码中 >仅在检测到CORS时添加CORS标头并传递原始标头,以便允许访问用户内容. static final String ORIGIN = "Origin"; if (request.getHeader(ORIGIN).equals("null")) { String origin = request.getHeader(ORIGIN); response.setHeader("Access-Control-Allow-Origin","*");//* or origin as u prefer response.setHeader("Access-Control-Allow-Credentials","true"); response.setHeader("Access-Control-Allow-Headers",request.getHeader("Access-Control-Request-Headers")); } if (request.getMethod().equals("OPTIONS")) { try { response.getWriter().print("OK"); response.getWriter().flush(); } catch (IOException e) { e.printStackTrace(); } } 然后添加要调用的自定义过滤器 //your other configs < security:custom-filter ref="corsHandler" after="PRE_AUTH_FILTER"/> 完全归属于author的thread答案 (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |