当我使用来自Angular的HTTP POST方法执行请求时,响应没有set-cookie头,相反,当我使用HTTP GET方法执行请求时响应则带有set-cookie头。
我知道,当使用POST方法时,浏览器会自动发出预检OPTIONS请求。我正在寻找建议,在POST方法请求客户端获取set-cookie标头后,该方法已经可以与GET方法一起使用了吗?
我的Angular请求:
this.http.post<UserDto>("//localhost:8080/users", this.user, {withCredentials: true}).subscribe( user => {
alert("User created successfully.");
});;
这些是我得到的响应头:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: POST,PUT,DELETE,GET,OPTIONS
Access-Control-Allow-Origin: http://localhost:4200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Sun, 05 May 2019 09:22:55 GMT
Expires: 0
Pragma: no-cache
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
我的请求标头:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:8080
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
我的Spring Security配置:
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.
cors().and().
csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and().addFilterBefore(
new StatelessCSRFFilter(), CsrfFilter.class);
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("http://localhost:4200"));
configuration.setAllowedMethods(Arrays.asList("POST","PUT","DELETE","GET","OPTIONS"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
我找到了这样的建议:
“通过添加针对没有凭据的飞行前OPTIONS请求的响应过滤器,我可以使其工作。
<security-constraint>
<display-name>No check for options</display-name>
<web-resource-collection>
<web-resource-name>All Access</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
我不确定春季如何实现该解决方案。
已经成功在SpringFramework后端正确设置了CORS配置,因为方法可以按预期成功,并且Angular确实为GET请求设置了cookie。如果没有HTTP.GET请求,只有POST操作才能成功。