我正在Web安全配置中启用CORS:
@Configuration
@EnableWebSecurity
public class MyWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.csrf().disable()
.authorizeRequests()
.antMatchers( "/forms/**").permitAll()
.antMatchers( "/member/login").permitAll()
.antMatchers( "/member/signup").permitAll()
.anyRequest().authenticated()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/member/logout")).logoutSuccessHandler((new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK)))
.and().requestCache().requestCache(new NullRequestCache());
}
@Bean
public JsonUsernamePasswordAuthenticationFilter authenticationFilter() throws Exception {
JsonUsernamePasswordAuthenticationFilter authenticationFilter = new JsonUsernamePasswordAuthenticationFilter();
authenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());
authenticationFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
authenticationFilter.setAuthenticationManager(authenticationManagerBean());
authenticationFilter.setFilterProcessesUrl("/member/login");
authenticationFilter.setPasswordParameter("password");
authenticationFilter.setUsernameParameter("email");
authenticationFilter.setPostOnly(true);
return authenticationFilter;
}
}
还有JsonUsernamePasswordAuthenticationFilter:
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if(CorsUtils.isPreFlightRequest(request) || request.getMethod().equals(HttpMethod.OPTIONS.name())) response.setHeader("Allow", HttpMethod.POST.name());
if (this.postOnly && !request.getMethod().equals("POST")) {
return null;
} else {
MemberLogin login = getAuthenticationRequest(request);
if (login.getEmail() == null) login.setEmail("");
if (login.getPassword() == null) login.setPassword("");
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(login.getEmail(), login.getPassword());
setDetails(request, token);
return getAuthenticationManager().authenticate(token);
}
}
当我在模拟器中使用ionic cordova emulate -l -c ios运行项目时,我的POST请求/members/login(身份验证过滤器)失败,并出现以下错误,而POST请求/members/signup(控制器端点)成功:
{"headers":{"normalizedNames":{},"lazyUpdate":null,"headers":{}},"status":0,"statusText":"Unknown Error","url":null,"ok":false,"name":"HttpErrorResponse","message":"Http failure response for (unknown url): 0 Unknown Error","error":{"isTrusted":true}}
并且来自Web Inspector的错误如下:
[Error] Origin http://172.20.10.2:8100 is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load http://172.20.10.2:8080/member/login due to access control checks.
[Error] Failed to load resource: Origin http://172.20.10.2:8100 is not allowed by Access-Control-Allow-Origin. (login, line 0)
OPTIONS请求响应的标题如下:
Allow →POST
X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
Content-Length →0
Date →Fri, 05 Apr 2019 11:53:58 GMT
和POST请求响应的标头是:
X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
Access-Control-Expose-Headers →*
Access-Control-Allow-Origin →*
x-auth-token →b5f39afe-ad54-40b1-a690-0c79f800abd6
Content-Length →0
Date →Fri, 05 Apr 2019 12:08:30 GMT
与请求/member/signup的标头相同。
This指出--livereload仍会启动具有原始请求的Web服务器,因此可能会遇到CORS问题,但是如果我在没有它的情况下运行,则会发生事件(实际上是打包应用程序并在我的服务器中分发组织)我的请求仍然失败(使用ionic cordova build ios和来自XCode项目)。
所以我的问题是:
参考: