问题描述

我正在使用 Spring Boot 构建 API 服务.它使用基本身份验证进行身份验证.当客户端尝试连接到 API 时，他们将收到 CORS 错误.

I'm building an API Service using Spring Boot. It uses Basic Auth for the authentication. When clients try to connect to the API, they will get CORS error.

在 Spring Boot 上，它抛出错误

On the Spring Boot, it throws error

java.lang.IllegalArgumentException: 当 allowCredentials 为真时，allowedOrigins 不能包含特殊值*"，因为它不能在Access-Control-Allow-Origin"上设置响应头.允许一组来源的凭据，明确列出它们或考虑使用allowedOriginPatterns"相反.

我试图找到 allowedOriginPatterns 用法的示例，但还没有找到.即使对于它的文档 - https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html#allowedOriginPatterns-java.lang.String...我仍然不知道我必须在 config.allowedOriginPatterns();

I have tried to find the example of allowedOriginPatterns usage but not found yet. Even for its document -https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html#allowedOriginPatterns-java.lang.String... I still don't know what is the pattern I have to put inside config.allowedOriginPatterns();

下面是我的 CorsFilter 代码，

Below is my CorsFilter code,

@Configuration
public class RequestCorsFilter {

    @Bean
    public CorsFilter corsFilter() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.setAllowedOrigins(Collections.singletonList("*"));
        config.setAllowedHeaders(Arrays.asList("Origin", "Content-Type", "Accept", "responseType", "Authorization"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH"));
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }

}

这是我的身份验证代码，

And here is my Authentication code,

@Configuration
@EnableWebSecurity
public class AuthenConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    auth
    .inMemoryAuthentication()
    .withUser("thor").password("{noop}P@ssw00rd")
    .authorities("USER");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        String[] AUTH_WHITELIST = {
            // -- swagger ui
            "/v2/api-docs",
            "/swagger-resources/**",
            "/configuration/ui",
            "/configuration/security",
            "/swagger-ui.html",
            "/webjars/**"
        };

        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers(AUTH_WHITELIST).permitAll() // whitelist URL permitted
            .antMatchers("/api").authenticated(); // others need auth
    }

}

推荐答案

使用 config.setAllowedOriginPatterns("*") 而不是 config.setAllowedOrigins(Collections.singletonList(";*"));

这篇关于使用 CorsFilter 和 spring security 时出现 Cors 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！