
Axios 클라이언트를 사용하여 노드 서버에서 API에 액세스할 때 항상 다음과 같은 오류가 발생합니다 (스프링 부트 및 OAuth2 CORS):

XMLHttpRequest cannot load http://localhost:8089/public/api. Redirect from 'http://localhost:8089/public/api/' to 'http://localhost:8089/' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3002' is therefore not allowed access. 

내 구성은 다음과 같습니다:

import java.security.Principal; 
import java.util.ArrayList; 
import java.util.LinkedHashMap; 
import java.util.List; 
import java.util.Map; 

import javax.servlet.Filter; 

import org.apache.catalina.filters.CorsFilter; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.boot.SpringApplication; 
import org.springframework.boot.autoconfigure.SpringBootApplication; 
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties; 
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices; 
import org.springframework.boot.context.properties.ConfigurationProperties; 
import org.springframework.boot.context.properties.NestedConfigurationProperty; 
import org.springframework.boot.web.servlet.FilterRegistrationBean; 
import org.springframework.context.annotation.Bean; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.core.annotation.Order; 
import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 
import org.springframework.security.oauth2.client.OAuth2ClientContext; 
import org.springframework.security.oauth2.client.OAuth2RestTemplate; 
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter; 
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter; 
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; 
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails; 
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; 
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client; 
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; 
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; 
import org.springframework.security.web.access.channel.ChannelProcessingFilter; 
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; 
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; 
import org.springframework.security.web.csrf.CookieCsrfTokenRepository; 
import org.springframework.web.bind.annotation.RequestMapping; 
import org.springframework.web.bind.annotation.RestController; 
import org.springframework.web.cors.CorsUtils; 
import org.springframework.web.filter.CompositeFilter; 

/**
 * Boot entry point that doubles as the outer Spring Security configuration:
 * an OAuth2 client login (Facebook / GitHub, see {@link #ssoFilter()}) guards
 * every URL, and a nested resource server protects {@code /me}.
 */
@SpringBootApplication
@EnableOAuth2Client
@EnableAuthorizationServer
@Order(6)
public class MonitoringApiApplication extends WebSecurityConfigurerAdapter {

    @Autowired
    OAuth2ClientContext oauth2ClientContext;

    /**
     * Security rules for the whole application ({@code /**}).
     *
     * <p>Written as one statement per configurer; every call registers on the
     * same {@link HttpSecurity}, so this is equivalent to a single fluent chain.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**");
        // Only the landing page, user info, login and webjars are anonymous.
        http.authorizeRequests()
            .antMatchers("/", "/user**", "/login**", "/webjars/**").permitAll()
            .anyRequest().authenticated();
        // Unauthenticated requests get a redirect to "/" rather than a 401; a
        // browser that follows that redirect cross-origin needs CORS headers on
        // the redirect response too.
        http.exceptionHandling()
            .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"));
        http.logout().logoutSuccessUrl("/").permitAll();
        // NOTE(review): CSRF protection is switched off although login state
        // lives in the session cookie; the imported CookieCsrfTokenRepository
        // is unused here — confirm this is intended for the SPA client.
        http.csrf().disable();
        http.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    }

    /** Resource-server rules: {@code /me} requires an authenticated caller. */
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        /**
         * @param http the builder supplied by Spring Security
         * @throws Exception propagated from the builder
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/me");
            http.authorizeRequests().anyRequest().authenticated();
        }
    }

    /** Boots the application. */
    public static void main(String[] args) {
        SpringApplication.run(MonitoringApiApplication.class, args);
    }

    /**
     * Registers the OAuth2 redirect-handling filter early in the chain.
     *
     * @param filter the auto-configured client context filter
     * @return the registration at order -100
     */
    @Bean
    public FilterRegistrationBean oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
        FilterRegistrationBean contextFilter = new FilterRegistrationBean();
        contextFilter.setOrder(-100);
        contextFilter.setFilter(filter);
        return contextFilter;
    }

    /** Provider settings bound from the {@code github.*} properties. */
    @Bean
    @ConfigurationProperties("github")
    public ClientResources github() {
        return new ClientResources();
    }

    /** Provider settings bound from the {@code facebook.*} properties. */
    @Bean
    @ConfigurationProperties("facebook")
    public ClientResources facebook() {
        return new ClientResources();
    }

    /**
     * One composite filter handling both login callbacks
     * ({@code /login/facebook}, {@code /login/github}).
     *
     * @return the composite filter
     */
    private Filter ssoFilter() {
        List<Filter> delegates = new ArrayList<>();
        delegates.add(ssoFilter(facebook(), "/login/facebook"));
        delegates.add(ssoFilter(github(), "/login/github"));
        CompositeFilter composite = new CompositeFilter();
        composite.setFilters(delegates);
        return composite;
    }

    /**
     * Builds the login filter for one provider: token exchange through an
     * {@link OAuth2RestTemplate}, then user lookup via the provider's
     * user-info URI.
     *
     * @param client provider configuration (client registration + user-info resource)
     * @param path   the callback path the filter listens on
     * @return the configured processing filter
     */
    private Filter ssoFilter(ClientResources client, String path) {
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
        UserInfoTokenServices tokenServices = new UserInfoTokenServices(
            client.getResource().getUserInfoUri(), client.getClient().getClientId());
        tokenServices.setRestTemplate(restTemplate);
        OAuth2ClientAuthenticationProcessingFilter loginFilter =
            new OAuth2ClientAuthenticationProcessingFilter(path);
        loginFilter.setRestTemplate(restTemplate);
        loginFilter.setTokenServices(tokenServices);
        return loginFilter;
    }

}

/**
 * Settings for one OAuth2 provider, bound from a property prefix such as
 * {@code github} or {@code facebook}: the client registration under
 * {@code client.*} and the user-info resource under {@code resource.*}.
 */
class ClientResources {

    // Where to fetch the user's details once a token has been obtained.
    @NestedConfigurationProperty
    private ResourceServerProperties resource = new ResourceServerProperties();

    // Client registration (id, secret, provider endpoints) for the code grant.
    @NestedConfigurationProperty
    private AuthorizationCodeResourceDetails client = new AuthorizationCodeResourceDetails();

    /** @return the user-info resource settings */
    public ResourceServerProperties getResource() {
        return resource;
    }

    /** @return the client registration */
    public AuthorizationCodeResourceDetails getClient() {
        return client;
    }
}

필터 구성:

/**
 * Registers a CORS filter for every URL that accepts credentialed requests
 * from the front-end dev server at http://localhost:3002, any header, any method.
 *
 * @return the filter registration, at order 0
 */
@Bean
public FilterRegistrationBean corsFilter() {
    CorsConfiguration spaOrigin = new CorsConfiguration();
    spaOrigin.addAllowedOrigin("http://localhost:3002");
    spaOrigin.addAllowedMethod("*");
    spaOrigin.addAllowedHeader("*");
    // Cookies / Authorization are sent, which is why the origin is explicit
    // rather than "*": browsers refuse "*" together with credentials.
    spaOrigin.setAllowCredentials(true);

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", spaOrigin);

    // NOTE(review): order 0 is relative to the other registered filters; if the
    // Spring Security chain is registered at a lower (earlier) order, responses
    // it writes before this filter runs — e.g. the redirect for an
    // unauthenticated request — carry no CORS headers. Confirm the relative
    // order, or enable CORS inside the security configuration instead.
    // NOTE(review): the CorsFilter with a (CorsConfigurationSource) constructor
    // is org.springframework.web.filter.CorsFilter, not Tomcat's
    // org.apache.catalina.filters.CorsFilter — check which one is imported.
    FilterRegistrationBean registration = new FilterRegistrationBean(new CorsFilter(source));
    registration.setOrder(0);
    return registration;
}

스프링 부트 버전:

<parent> 
    <groupId>org.springframework.boot</groupId> 
    <artifactId>spring-boot-starter-parent</artifactId> 
    <version>1.4.0.RELEASE</version> 
    <relativePath/> <!-- lookup parent from repository --> 
</parent> 

나는 일


http://stackoverflow.com/questions/35035055/spring-boot-and-cors?rq=1이 도움이 될 것입니다. –


원점(origin)을 `*`로 두면 누구에게나 공개된 antMatchers, 즉 ssoFilter()로 보호되지 않는 엔드포인트에서만 동작합니다. 자격 증명(credentials)을 함께 보내려면 `http.cors().and().csrf().disable();`을 추가해야 하고, SecurityConfig 파일 안에도 다음 필터가 필요합니다.

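/**
 * CORS policy picked up by Spring Security's {@code http.cors()} support.
 *
 * <p>Credentials (cookies, Authorization header) are allowed, so the permitted
 * origins must be listed explicitly: browsers refuse
 * {@code Access-Control-Allow-Origin: *} on a credentialed response, and a
 * configuration that instead reflected whichever Origin arrived would let any
 * site make authenticated calls with the user's session. Note also that
 * {@code setAllowedOrigins} takes a {@code List<String>}, so
 * {@code setAllowedOrigins("*")} does not compile; {@code addAllowedOrigin}
 * takes one origin at a time.
 *
 * @return a source applying this configuration to every path
 */
@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    // One call per front-end origin; replace with the real deployment origin(s).
    configuration.addAllowedOrigin("http://localhost:3002");
    configuration.addAllowedHeader("*");
    configuration.addAllowedMethod("*");
    configuration.setAllowCredentials(true);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}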

스프링 보안의 최신 버전 중 하나가 필요합니다.


모든 문서, stackoverflow, Google 예제를 따라 해 본 결과, 이것이 제게 CORS가 동작하게 만든 유일한 방법이었습니다. – BigDong