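Cross-origin (CORS) problems with Spring Security
In Spring, cross-origin requests can normally be enabled with the native @CrossOrigin annotation, but once Spring Security is enabled, the original cross-origin settings stop working.
Configuring CORS in Spring Security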
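1. Define a custom CORS filter

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.OncePerRequestFilter;

// The class declaration is not shown in the original post; OncePerRequestFilter (and the
// javax.servlet packages) are assumed because they match the doFilterInternal signature.
public class SimpleCorsFilter extends OncePerRequestFilter {
    private static Logger log = LoggerFactory.getLogger(SimpleCorsFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        log.debug("filterChain.doFilter begin!");
        String path = request.getPathInfo();
        String method = request.getMethod();
        // Set the CORS response headers.
        // The request's Origin is echoed back, so every origin is allowed, with credentials.
        String origin = request.getHeader("origin");
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        String allowHeaders = "Origin, X-Requested-With, Content-Type, Accept";
        response.setHeader("Access-Control-Allow-Headers", allowHeaders);
        response.setHeader("Access-Control-Max-Age", "3600");
        // OPTIONS (preflight) requests are answered here and not passed down the chain.
        if (!"OPTIONS".equals(method)) {
            chain.doFilter(request, response);
        }
        log.debug("filterChain.doFilter end!");
    }
}
```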
- Register the CORS filter in spring-security.xml

```xml
<sec:http
    use-expressions="true"
    entry-point-ref="baselineHttpEntryPoint">
  <sec:custom-filter ref="requestBodyReaderAuthenticationFilter"
                     position="FORM_LOGIN_FILTER"/>
  <sec:cors ref="simpleCorsFilter"></sec:cors>
  <sec:intercept-url pattern="/**" method="OPTIONS" access="permitAll"/>
  <sec:intercept-url pattern="/baselines/build/result" method="POST" access="permitAll"/>
  <sec:intercept-url pattern="/baselines/**" method="POST" access="hasRole('xxx')"/>
  <sec:intercept-url pattern="/baselines/**" method="DELETE" access="hasRole('xxxx')"/>
  <sec:intercept-url pattern="/baselines/**" access="hasAnyRole('xxx', 'xxx', 'xxxx')"/>
  <sec:access-denied-handler ref="accessDeniedHandler"/>
  <sec:csrf disabled="true"/>
  <sec:http-basic/>
  <sec:logout success-handler-ref="logoutSuccessHandler"/>
</sec:http>
<bean id="simpleCorsFilter" class="com.xxx.xxx.xxx.baseline.core.filter.SimpleCorsFilter"/>
```
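That completes the CORS setup. Strangely, though, the browser shows none of the cookies set by the server, while tools such as JMeter and Postman both show that the server did return cookies.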