当我使用postman在本地测试我的应用程序时,它非常令人困惑,我能够访问任何/公共路径API,我做错了什么,但我发现我的代码真的没有做任何事情来保护cors,我遵循这个官方公会:
https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html#page-title
public static final String[] URL_WHITELIST = new String[]{
"/static/**",
"/api/public/**"
};
public static final String[] URL_ANONYMOUS = new String[]{
"/api/auth/sign-in",
};
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
//...
.securityMatcher("/api/**")
.authorizeHttpRequests()
.requestMatchers(URL_ANONYMOUS).anonymous()
.requestMatchers(URL_WHITELIST).permitAll()
.anyRequest().authenticated();
return http.build();
}
@Bean
CorsConfigurationSource corsConfigurationSource(){
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList(https://example.com,https://admin.example.com));
configuration.setAllowedMethods(Arrays.asList("GET","POST","OPTIONS"));
configuration.setMaxAge(3600L);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
1条答案
按热度按时间w8f9ii691#
使用这个:
也更新您的
SecurityFilterChain
。不要禁用Cors。: