本文介绍了如何在 Spring 5.3 及更高版本中使用 Stomp 和 SockJS 处理 CORS 起源?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在开发一个同时使用 REST 端点和 SockJS websocket 的服务器应用程序.这曾经在 Spring 5.2 及更低版本下运行良好.

I'm working on a server application which uses both REST endpoints and a SockJS websocket. This used to work fine under Spring 5.2 and below.

但是,自 5.3 发布以来,org.springframework.web.cors.CorsConfiguration 中存在以下方法:

However, since the 5.3 release, the following method exists within org.springframework.web.cors.CorsConfiguration:

    public void validateAllowCredentials() {
        if (this.allowCredentials == Boolean.TRUE &&
                this.allowedOrigins != null && this.allowedOrigins.contains(ALL)) {

            throw new IllegalArgumentException(
                    "When allowCredentials is true, allowedOrigins cannot contain the special value \"*\"" +
                            "since that cannot be set on the \"Access-Control-Allow-Origin\" response header. " +
                            "To allow credentials to a set of origins, list them explicitly " +
                            "or consider using \"allowedOriginPatterns\" instead.");
        }
    }

到目前为止,我的套接字配置如下:

So far, my socket was configured like this:

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfiguration implements WebSocketMessageBrokerConfigurer {

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // prefix for the client to send messages to the server
        config.setApplicationDestinationPrefixes("/app");
        // prefix for the client to receive broadcasted messages from the server
        config.enableSimpleBroker("/topic");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // defines the url of the socket so the client can connect to it
        registry.addEndpoint("/socketendpoint").setAllowedOrigins("*").withSockJS();
    }
}

现在我面临一个真正的问题:

Now I'm facing a real issue:

  • 如果我将 setAllowedOrigins("*") 保留在 WebSocketConfiguration 中,那么我将面临 validateAllowCredentials 中抛出的错误.
  • 如果我删除 setAllowedOrigins("*"),那么 SockJS 客户端将收到 WebSocket 握手期间的错误:意外响应代码:403.立>
  • If I keep the setAllowedOrigins("*") in the WebSocketConfiguration, then I will face the error thrown in validateAllowCredentials.
  • If I remove the setAllowedOrigins("*"), then the SockJS clients will recieve an Error during WebSocket handshake: Unexpected response code: 403.

我在编译时不知道原始域.

I don't know the origin domain at compile time.

我已经尝试过使用典型的将您在请求中找到的 origin 标头作为 allow-origin"返回的 Cors 过滤器和 Cors 配置;通常用于规避 allow-origin: "*" 的模式,但某些 SockJS 请求没有分配 origin 标头...

I already tried a Cors Filter and a Cors Configuration that use the typical "return the origin header you find in the request as allow-origin" pattern that is usually used to circumvent the allow-origin: "*", but some SockJS requests don't have an origin header assigned...

我该如何解决这个问题?

How do I fix this?

推荐答案

为了将来参考,随着最新的 spring 更新,现在有一个方法 setAllowedOriginPatterns 可以解决这个问题:

For future reference, with the latest spring updates, there's now a method setAllowedOriginPatterns that solves this:

 registry.addEndpoint("/socketendpoint").setAllowedOriginPatterns("*").withSockJS();

这篇关于如何在 Spring 5.3 及更高版本中使用 Stomp 和 SockJS 处理 CORS 起源?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-26 06:13