Spring框架为CORS提供了一流的支持。必须在Spring Security之前处理CORS,因为 pre-flight 请求将不包含任何cookie(即jsessionid)。如果请求不包含任何cookie,并且spring security是第一个,那么请求将确定用户没有经过身份验证(因为请求中没有cookie),并拒绝它。
确保首先处理CORS的最简单方法是使用 CorsFilter。用户可以使用以下方法提供 CorsConfigurationSource ,从而将CorsFilter与Spring Security 集成在一起:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// by default uses a Bean by the name of corsConfigurationSource
.cors().and()
...
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
或者适应基于XML的配置
<http>
<cors configuration-source-ref="corsSource"/>
...
</http>
<b:bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
...
</b:bean>
如果你正在使用SpringMVC的CORS支持,那么可以省略指定 CorsConfigurationSource ,Spring Security 将利用提供给SpringMVC的CORS配置。
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
// Spring Security will use CORS configuration provided to Spring MVC
.cors().and()
...
}
}
or in XML
<http>
<!-- Default to Spring MVC's CORS configuration -->
<cors />
...
</http>
