Spring Security 如何在Sping Boot Auth Server上正确配置CORS?

e4yzc0pl  于 2023-11-19  发布在  Spring
关注(0)|答案(1)|浏览(149)

我在我们的Sping Boot auth服务器上获得了一个基本的Vue.js应用程序用于身份验证。下面是执行完整登录的代码(重定向到/login,请求到token端点等):

  1. <template>
  2.     <div class="h-screen w-screen flex flex-col items-center justify-center">
  3.         <p class="text-center mb-5">You need to be logged in<br>to access the admin dashboard.</p>
  4.         <button @click.prevent="startAuthFlow" class="bg-blue-500 text-white h-8 w-36 rounded shadow">Login</button>
  5.     </div>
  6. </template>
  8. <script setup>
  9. import { config 
  10. } from "./../common/config.js";
  11. import { parseQueryString, generateRandomString } from "./../utils/authHelpers.js";
  12. import router from './../router';
  13. import { useAuthStore } from './../stores/auth.js';
  15. const auth = useAuthStore();
  17. if (auth.access_token) {
  18.     router.push({ name: 'home', replace: true });
  19. }
  21. const startAuthFlow = () => {
  22.     console.log("Starting auth flow...");
  24.     // Create and store a random "state" value
  25.     var state = generateRandomString();
  26.     localStorage.setItem("pkce_state", state);
  27.     console.log(state);
  29.     // Build the authorization URL
  30.     var url = config.authorization_endpoint
  31.         + "?response_type=code"
  32.         + "&client_id=" + encodeURIComponent(config.client_id)
  33.         + "&state=" + encodeURIComponent(state)
  34.         + "&redirect_uri=" + encodeURIComponent(config.redirect_uri);
  36.     // Redirect to the authorization server
  37.     window.location = url;
  38. };
  40. // Handle the redirect back from the authorization server and
  41. // get an access token from the token endpoint
  42. var q = parseQueryString(window.location.search.substring(1));
  44. // Check if the server returned an error string
  45. if (q.error) {
  46.     alert("Error returned from authorization server: " + q.error);
  47. }
  49. // If the server returned an authorization code, attempt to exchange it for an access token
  50. if (q.code) {
  51.     // Verify state matches what we set at the beginning
  52.     if (localStorage.getItem("pkce_state") != q.state) {
  53.         alert("Invalid state");
  54.     } else {
  55.         // Base64 encode client credentials
  56.         const base64Credentials = btoa(config.client_id + ':' + config.client_secret);
  58.         // Build the token URL
  59.         var url = config.token_endpoint
  60.             + "?grant_type=authorization_code"
  61.             + "&client_id=" + encodeURIComponent(config.client_id)
  62.             + "&code=" + q.code
  63.             + "&redirect_uri=" + encodeURIComponent(config.redirect_uri);
  65.         // Send POST request to token endpoint to retrieve access token
  66.         fetch(url, {
  67.             method: "POST",
  68.             headers: {
  69.                 "Authorization": "Basic " + base64Credentials,
  70.                 'Content-Type': 'application/x-www-form-urlencoded',
  71.             }
  72.         }).then(response => response.json())
  73.             .then(result => {
  74.                 console.log(result);
  75.                 // Extracting tokens from result
  76.                 const { access_token, refresh_token } = result;
  78.                 // Save login to pinia and tokens to cookies
  79.                 auth.login({ access_token, refresh_token, user: null });
  81.                 router.push({ name: 'home', replace: true });
  82.             })
  83.             .catch(error => console.log('error', error));
  84.     }
  86.     // Clean up local storage
  87.     localStorage.removeItem("pkce_state");
  88. }
  90. </script>

字符串
当使用一个浏览器与停用的安全功能(不检查CORS),这完全正常工作。登录以及其他请求。
现在,当使用普通浏览器时,重定向到/login工作正常。但是当向token端点发送请求时,出现以下错误:
访问"http://localhost:8081/oauth2/token?grant_type=authorization_code&client_id=core-server&code= Ps19 gIUUePThDLr 15 xX 0 U-UWEMD 0 HgHfyAO CcZjGmfXUqED 80 GOMLBykuldNrL 7 k23 dxEklcP 49 hX_kGigKsZjcFCTS 93 xU 7 kwdwAIm 6-e IcIk_ayN5i0mZPLeg_bDYx&redirect_uri =http%3A%2F%2Flocalhost%3A5173%2F'从原点' http://localhost:CORS策略已阻止“服务器5173”:对预检请求的响应未通过访问控制检查:请求的资源上不存在“Occup-Control-Allow-Origin”标头。如果不透明响应满足您的需求,请将请求的模式设置为“no-cors”以在禁用CORS的情况下获取资源。
在CORS停用的浏览器中,我得到以下标题:

  1. Vary: Origin 
  2. Vary: Access-Control-Request-Method 
  3. Vary: Access-Control-Request-Headers


下面是我的SecurityConfig文件以及CorsConfig

  1. @Configuration
  2. public class
  3. CorsConfig {
  5.     private static final Logger logger = LoggerFactory.getLogger(CorsConfig.class);
  7.     /**
  8.      * Cors configuration
  9.      */
  10.     @Bean(name="corsConfigurationSource")
  11.     CorsConfigurationSource corsConfigurationSource() {
  13.         logger.info("Creating corsConfigurationSource bean");
  15.         CorsConfiguration configuration = new CorsConfiguration();
  16.         configuration.setAllowedOrigins(List.of(
  17.                 "http://localhost:5173",
  18.                 "http://192.168.2.144:5173"
  19.         ));
  21.         configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
  22.         configuration.setAllowCredentials(true);
  23.         configuration.setAllowedHeaders(List.of(
  24.                 "Authorization",
  25.                 "Content-Type",
  26.                 "Accept",
  27.                 "Origin",
  28.                 "X-Requested-With"
  29.         ));
  30.         configuration.setExposedHeaders(List.of(
  31.                 "Cache-Control",
  32.                 "Content-Language",
  33.                 "Content-Type",
  34.                 "Expires",
  35.                 "Last-Modified",
  36.                 "Pragma"
  37.         ));
  38.         configuration.setMaxAge(3600L);
  39.         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  40.         source.registerCorsConfiguration("/**", configuration);
  41.         return source;
  42.     }
  43. }


  1. @Configuration
  2. @EnableWebSecurity
  3. public class SecurityConfig {
  5.     // claim names used in the bearer token
  6.     private static final String ROLES_CLAIM = "user-authorities";
  7.     private static final String SCOPES_CLAIM = "scope";
  9.     private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);
  11.     @Bean
  12.     @Order(1)
  13.     public CorsFilter corsFilter(CorsConfigurationSource corsConfigurationSource) {
  14.         logger.info("Creating corsFilter bean");
  15.         return new CorsFilter(corsConfigurationSource);
  16.     }
  18.     /**
  19.      * Configures the authorization server endpoints.
  20.      */
  21.     @Bean
  22.     @Order(2)
  23.     public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http, RegisteredClientRepository clientRepository) throws Exception {
  25.         logger.info("Creating authorizationServerSecurityFilterChain bean");
  27.         OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
  29.         http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
  30.                 .registeredClientRepository(clientRepository) // autowired from ClientConfig.java
  31.                 .oidc(Customizer.withDefaults());
  33.         http.exceptionHandling((exceptions) -> exceptions
  34.             .defaultAuthenticationEntryPointFor(
  35.                 new LoginUrlAuthenticationEntryPoint("/login"),
  36.                 new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
  37.             )
  38.         );
  40.         http.oauth2ResourceServer((resourceServer) -> resourceServer
  41.                 .jwt(Customizer.withDefaults()));
  43.         http.csrf(AbstractHttpConfigurer::disable);
  45.         return http.build();
  46.     }
  48.     /**
  49.      * Secures pages used to log in, log out, register etc.
  50.      * Sets custom login menu.
  51.      */
  52.     @Bean
  53.     @Order(3)
  54.     public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
  55.         http.securityMatcher(new NegatedRequestMatcher(new AntPathRequestMatcher("/admin/**")));
  57.         logger.info("Creating defaultSecurityFilterChain bean");
  59.         http.authorizeHttpRequests((authorize) ->
  60.                 authorize
  61.                         .requestMatchers(new AntPathRequestMatcher("/register")).permitAll()
  62.                         .requestMatchers(new AntPathRequestMatcher("/recover/**")).permitAll()
  63.                         .requestMatchers(new AntPathRequestMatcher("/error/**")).permitAll()
  64.                         .requestMatchers(new AntPathRequestMatcher("/css/**")).permitAll()
  65.                         .requestMatchers(new AntPathRequestMatcher("/js/**")).permitAll()
  66.                         .requestMatchers(new AntPathRequestMatcher("/favicon.ico")).permitAll()
  67.                         .anyRequest().authenticated());
  69.         http.oauth2ResourceServer((resourceServer) -> resourceServer
  70.                 .jwt(Customizer.withDefaults()));
  72.         // set custom login form
  73.         http.formLogin(form -> {
  74.             form.loginPage("/login");
  75.             form.permitAll();
  76.         });
  78.         http.logout(conf -> {
  79.             // default logout url
  80.             conf.logoutSuccessHandler(logoutSuccessHandler());
  81.         });
  83.         // Temp disable CSRF
  84.         http.csrf(AbstractHttpConfigurer::disable);
  85.         http.cors(AbstractHttpConfigurer::disable);
  87.         return http.build();
  88.     }
  90.     /**
  91.      * Secures admin endpoints with a bearer token. Does not use session authentication.
  92.      */
  93.     @Bean
  94.     @Order(4)
  95.     public SecurityFilterChain adminResourceFilterChain(HttpSecurity http) throws Exception {
  97.         logger.info("Creating adminResourceFilterChain bean");
  99.         // handle out custom endpoints in this filter chain
  100.         http.authorizeHttpRequests((authorize) ->
  101.                 authorize
  102.                         .requestMatchers(new AntPathRequestMatcher("/admin/**")).hasRole("ADMIN")
  103.                         .anyRequest().authenticated());
  105.         http.sessionManagement(conf -> conf.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
  107.         http.oauth2ResourceServer((resourceServer) -> resourceServer
  108.                 .jwt(Customizer.withDefaults()));
  110.         // Temp disable CSRF
  111.         http.csrf(AbstractHttpConfigurer::disable);
  112.         http.cors(AbstractHttpConfigurer::disable);
  114.         return http.build();
  115.     }
  117. // ...


我尝试了很多不同的方法:

  • 更改了过滤器链(例如,在每个安全Bean的顶部包含CORS配置,而不是Order(1)
  • 接着,我们一个接一个地实现了CORS Tutorial
  • 尝试手动设置请求头 (这不是长期解决方案)
  • 尝试模式匹配以暂时允许每个传入请求(不起作用,因此这显然是CORS配置本身的问题)
spring-security

1条答案

按热度按时间
zwghvu4y

zwghvu4y1#

SsinglePageAapplications(Angular,React,Vue.js等)以及移动的应用程序不应该是OAuth2客户端。这样的客户端是“公共”客户端,现在不鼓励这样做。

您的Vue应用程序应该通过使用OAuth2登录的BFF上的会话进行保护,并使用包含访问令牌的授权头来替换会话cookie。实现这一点的最简单方法可能是使用spring-cloud-gatewayTokenRelay过滤器以及spring-boot-starter-oauth2-clientoauth2Login,就像我在this tutorial中所做的那样。本教程中的前端使用Angular,但是登录和注销是普通的Typsecript代码,很容易移植到React或Vue。
除了通过会话保护前端之外,网关还可以消除对大部分CORS配置的需求:从浏览器的Angular 来看,通过网关路由的所有请求都具有相同的起源(网关)。
在链接的教程中:

  • 所有以/ui/开始的路径发送到网关(比如说https://localhost:8080 ui/ui/)的请求都被路由到为UI资产服务的对象(在Angular dev服务器的情况下,类似于https://localhost:4200 ui/ui/,但也可能是Vue dev服务器,包含任何内容的NGINX示例,等等)
  • 所有通过网关的请求,其路径以/bff/v1/开始,都被路由到资源服务器(类似于https://localhost:/bff/v1//)

在上面的配置中,如果用户将其浏览器指向https://localhost:web 8080脚本/ui/,并且如果SPA被配置为将REST请求发送到https://localhost:web 8080脚本/bff/v1/ui *,则从浏览器的Angular 来看,对UI和API的请求都以https://localhost:web 8080脚本 * 为来源。
仍然在本教程中,授权服务器不通过网关路由,需要一些CORS配置才能允许以网关为源的请求。原因是,在使用OAuth2时,最常见的情况是您对SingleSignOn感兴趣:在不同的应用程序之间共享相同的授权服务器,以保存用户在使用同一浏览器时多次认证的需要,这需要使用相同的cookie,因此使用相同的主机和端口(浏览器在https://oidc.c4-soft.com上联系授权服务器),无论BFF示例如何(而不是像教程BFF中的https://localhost:8080/auth这样的东西)。
如果使用网关作为OAuth2机密客户端,您可以删除对CORS配置的需求:

  • 从资源服务器(如果您通过网关路由UI和REST请求)
  • 从授权服务器(如果您通过网关路由UI和授权服务器,但代价是失去SSO)
展开查看全部
赞(0)分享  回复(0)举报  2023-11-19
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com