Spring Security 仍然返回HTTP403

nzk0hqpo  于 2021-07-12  发布在  Java
关注(0)|答案(2)|浏览(467)

情况
这是我的spring安全配置,当我从 localhost 应用程序运行于 localhost 我也是。

@Override
  protected void configure(HttpSecurity http) throws Exception {

    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/client/**")
        .hasRole(HttpClientType.CLIENT.name())
        .antMatchers("/**")
        .hasRole(HttpClientType.USER.name())
        .anyRequest()
        .authenticated()
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(restAuthenticationEntryPoint)
        .accessDeniedHandler(restAuthorizationEntryPoint)
        .and()
        .addFilterBefore(jwtTokenFilter, BasicAuthenticationFilter.class)
        .csrf().disable().cors().disable();

  }

问题
当我将应用程序部署到生产服务器并从远程主机创建请求时,每次 HTTP 403 .
p、 我以为问题会出在美国 CORS 以及 CSRF 但即使我禁用它也不起作用。

lstz6jyr

lstz6jyr1#

这个 cors().disable() 完全不禁用cors安全过滤器,但仅应用默认的cors配置。

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    ...
    .cors().configurationSource(corsConfigurationSource())
    ...
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    final CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(List.of(CorsConfiguration.ALL)); 
    configuration.setAllowedMethods(List.of(CorsConfiguration.ALL));
    configuration.setAllowedHeaders(List.of(CorsConfiguration.ALL));
    configuration.setAllowCredentials(true);

   // ideally CorsConfiguration.ALL should not be used in production

    configuration.addExposedHeader(HttpHeaders.AUTHORIZATION); // The headers you expose in response

    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();       
    source.registerCorsConfiguration("/**", configuration);

    return source;
}
soat7uwm

soat7uwm2#

您是否在类中使用@enablewebsecurity来启用mvc安全设置?。使用.sessionregistry(sessionregistry())进行测试

@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}

相关问题