AngularJS $http CORS with a Spring REST and Spring Security back end
Published: 2020-12-17 17:18:58 | Category: Security | Source: compiled from the web
I have a question about AngularJS. When I call a REST service from another domain, the Authorization header is not sent with the request, so Spring Security does not recognize the authentication credentials. The configuration files are attached.
web.xml

    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
      <filter-name>cors</filter-name>
      <filter-class>com.axcessfinancial.web.filter.CorsFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>cors</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

security.xml (application context)

    <http use-expressions="true">
      <intercept-url pattern="/**" access="isAuthenticated()" />
      <http-basic/>
    </http>

    <authentication-manager>
      <authentication-provider>
        <user-service>
          <user name="admin" password="admin" authorities="ROLE_USER" />
        </user-service>
      </authentication-provider>
    </authentication-manager>

CorsFilter

    package com.axcessfinancial.web.filter;

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.web.filter.OncePerRequestFilter;

    // doFilterInternal(...) is the hook declared by OncePerRequestFilter.
    public class CorsFilter extends OncePerRequestFilter {

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            response.addHeader("Access-Control-Allow-Origin", "*");
            // Only a preflight (OPTIONS + Access-Control-Request-Method) gets the extra headers.
            if (request.getHeader("Access-Control-Request-Method") != null
                    && "OPTIONS".equals(request.getMethod())) {
                response.addHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE");
                response.addHeader("Access-Control-Allow-Headers", "Authorization,Accept,Content-Type,X-PINGOTHER");
                response.addHeader("Access-Control-Max-Age", "1728000");
            }
            // The preflight is passed down the chain like any other request (no early return).
            filterChain.doFilter(request, response);
        }
    }

app.js

    var app = angular.module('app', ['app.controller', 'app.services']);

    app.config(function ($httpProvider) {
      $httpProvider.defaults.useXDomain = true;
      delete $httpProvider.defaults.headers.common['X-Requested-With'];
      /* $httpProvider.defaults.headers.common['Authorization'] = 'Basic YWRtaW46YWRtaW4='; */
    });

service.js

    angular.module('app.services', []).service('Service', function ($http, $q, UtilHttp) {
      // Access-Control-Request-Headers is a preflight header the browser generates itself;
      // setting it from script has no effect on the preflight.
      $http.defaults.headers.common = {"Access-Control-Request-Headers": "accept,origin,authorization"};
      // Hard-coded Basic credentials (admin:admin).
      $http.defaults.headers.common['Authorization'] = 'Basic YWRtaW46YWRtaW4=';

      return {
        listCustomer: function () {
          var defer = $q.defer();
          // $http.post(url, data, config): withCredentials is a config option (third argument),
          // not request data.
          $http.post('http://localhost:8088/rest-template/soa/listCustomer', {}, {withCredentials: true})
            .success(function (data) { defer.resolve(data); })
            .error(function (data) { defer.reject(data); });
          return defer.promise;
        }
      };
    });

Problem:

Response headers

    Content-Length: 1134
    Content-Type: text/html;charset=utf-8
    Date: Wed, 21 May 2014 14:39:44 GMT
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=5CD90453C2CD57CE111F45B0FBCB0301; Path=/rest-template
    WWW-Authenticate: Basic realm="Spring Security Application"

Request headers

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Accept-Language: en-US,en;q=0.5
    Access-Control-Request-Headers: authorization,content-type
    Access-Control-Request-Method: POST
    Cache-Control: no-cache
    Connection: keep-alive
    Host: localhost:8088
    Origin: null
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

Solution
I think your problem is the following:
When:

- you use an HTTP verb other than GET or POST

your browser (following the CORS specification) adds an extra step to the request: it first sends a specific request with the OPTIONS method to the URL, and only if the server's response approves it does the actual request you wanted get sent.

Unfortunately, in your scenario Spring returns 401 (Unauthorized) to the OPTIONS request, because there is no auth token in that request, so your real request is never started.

Solution:

You can put your CORS filter before the Spring Security filter in web.xml and, if the request method is OPTIONS, avoid calling the next filter in the chain (Spring Security).

This example filter works for me:

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class SimpleCORSFilter implements Filter {

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            response.setHeader("Access-Control-Allow-Credentials", "true");
            // Browsers do not accept "*" as the allowed origin for credentialed requests.
            response.setHeader("Access-Control-Allow-Origin", "*");
            response.setHeader("Access-Control-Allow-Methods", "POST,GET,DELETE,OPTIONS");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Headers", "Origin,X-Requested-With,Authorization");

            if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
                // Answer the preflight here; Spring Security never sees it.
                response.setStatus(HttpServletResponse.SC_OK);
            } else {
                chain.doFilter(req, res);
            }
        }

        public void init(FilterConfig filterConfig) { }

        public void destroy() { }
    }

Remember to declare your CORS filter before the Spring Security filter in web.xml.
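A hardened version of the answer's filter, added here as an example; it is not code from the question, the answer, or Spring. It assumes the javax.servlet API that the page's web.xml implies, and a hypothetical allowlist of front-end origins (http://localhost:9000 and https://app.example.com). It keeps the answer's key fix, answering the preflight before springSecurityFilterChain runs, and adds three things a reviewer would ask for. First, it echoes the matched allowlisted origin instead of `*`: the Angular code sends `withCredentials` and an `Authorization` header, and browsers reject `Access-Control-Allow-Origin: *` on credentialed requests. Second, it sends `Vary: Origin` so a cache never serves one origin's CORS headers to another. Third, it refuses preflights from origins that are not allowlisted. Two caveats from the captured request on the page: `Origin: null` is what Firefox sends for a page opened from file://, and the literal string "null" must never be allowlisted, because sandboxed iframes and local files all share it; serve the Angular app from a real http(s) origin. And an `Authorization` header alone is enough to make the browser send a preflight, not only a verb other than GET or POST, which is why the asker's POST triggered OPTIONS. On Spring Security 4.1+ and Spring Framework 4.2+ the built-in `<cors/>` element and `org.springframework.web.filter.CorsFilter` are the better choice over a hand-rolled filter.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Allowlist-based CORS filter (added example, not the page's own code).
 * Map it in web.xml BEFORE springSecurityFilterChain so the preflight never reaches Spring Security.
 */
public class AllowlistCorsFilter implements Filter {

    // Assumed front-end origins; hypothetical values for this example.
    // Never add "*" (invalid with credentials) or the literal "null" (file:// pages, sandboxed iframes).
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("http://localhost:9000", "https://app.example.com")));
    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE";
    private static final String ALLOWED_HEADERS = "Authorization, Content-Type, Accept, X-PINGOTHER";
    private static final String MAX_AGE_SECONDS = "3600";

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        if (origin == null) {
            // No Origin header: same-origin or non-browser client, CORS does not apply.
            chain.doFilter(req, res);
            return;
        }

        // The response now depends on the Origin header; tell caches so.
        response.addHeader("Vary", "Origin");

        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        if (!isAllowedOrigin(origin)) {
            // Unknown origin (including "null"): no CORS headers, and the request stops here.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Echo the matched origin rather than "*"; required for withCredentials requests.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");

        if (preflight) {
            response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
            response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            response.setHeader("Access-Control-Max-Age", MAX_AGE_SECONDS);
            // Preflights carry no credentials, so answer them here instead of letting
            // springSecurityFilterChain reply 401 to them.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        // Actual request from an allowed origin: Spring Security checks the Authorization header next.
        chain.doFilter(req, res);
    }

    static boolean isAllowedOrigin(String origin) {
        return ALLOWED_ORIGINS.contains(origin);
    }
}
```

Servlet containers build the filter chain in the order of the `<filter-mapping>` elements in web.xml, so the mapping for this filter must appear above the `springSecurityFilterChain` mapping (the question's web.xml has them the other way round, which is why the preflight reached Spring Security and got a 401). With this filter in place, the asker's captured preflight (`Origin: null`, `Access-Control-Request-Method: POST`, `Access-Control-Request-Headers: authorization,content-type`) is answered with 403 until the Angular app is served from one of the allowlisted origins, at which point the same preflight gets 204 with the echoed origin and the real POST, carrying the `Authorization` header, is passed through to Spring Security.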