我有一个完美的弹簧启动应用程序,它使用spring oAuth2。当我在主类上使用@EnableResourceServer时效果很好。 但为我在类
下实现的服务启用CORS @Configuration
public class CorsConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
添加该类之后,似乎请求不会使用oAuth令牌进行验证。即使没有oAuth令牌,任何请求都可以访问服务。
我做错了什么? 不能同时使用两者吗?工作有什么特别的事吗? 有没有更好的方法来启用CORS这个。 (我试过@CrossOrigin注释它没有用)
答案 0 :(得分:3)
我不确定您为什么要使用WebSecurityConfigurerAdapter
我认为您的问题是您没有将您的电话转发给oAuth进行授权。试试这对我有用
@Configuration
public class CorsConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests().anyRequest().authenticated();
}
@Bean
public CorsFilter corsFilter() {
final org.springframework.web.cors.CorsConfiguration configuration = new org.springframework.web.cors.CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return new CorsFilter(source);
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("resource");
}
}
此处resources.resourceId("resource");应该是您在oAuth服务器中使用的资源
类似这样的方法
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("clinet").secret("secret").accessTokenValiditySeconds(3600).scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token").resourceIds("resource");
}