On the CORS problem with Spring Boot Security OAuth2 (logout not working)
程序员文章站
2022-05-03 09:25:49
Preface
The following problem showed up on logout: http.cors() had no effect, and creating a CorsFilter did not help either. This is the Spring Security debug log for the /logout request:
: /logout at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
: /logout at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
: /logout at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
: /logout at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
A CorsFilter only appears in a chain when http.cors() is called, and it is then placed before LogoutFilter. That ordering matters: CorsFilter answers the browser's preflight (OPTIONS) request itself and stops the chain, so if there is no CorsFilter, or it sits behind LogoutFilter, the preflight is handled by the security filters instead and the browser reports a CORS error.
Adding http.cors() in ResourceServerConfig does produce a CorsFilter ahead of LogoutFilter, but only in the second DefaultSecurityFilterChain in the FilterChainProxy's FilterChains; the first DefaultSecurityFilterChain never gets one.
AuthorizationServerSecurityConfiguration is @Order(0), so the first DefaultSecurityFilterChain comes from it, and http.cors() was never applied there. That is the cause.
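To confirm that diagnosis without reading debug logs, the following startup check (an added example, not code from the original post) walks every SecurityFilterChain inside the springSecurityFilterChain bean and reports, per chain, the position of CorsFilter and LogoutFilter. It assumes a Spring Boot 2.x application on javax.servlet; the bean name springSecurityFilterChain is Spring Security's default, and the class name CorsFilterChainCheck is made up.

```java
import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.CorsFilter;

// Added diagnostic: lists every security filter chain at startup and flags the ones
// where CorsFilter is missing or runs after LogoutFilter.
@Component
public class CorsFilterChainCheck implements ApplicationRunner {

    private final FilterChainProxy proxy;

    // The bean is declared as javax.servlet.Filter; at runtime it is a FilterChainProxy.
    public CorsFilterChainCheck(@Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
        this.proxy = (FilterChainProxy) springSecurityFilterChain;
    }

    @Override
    public void run(ApplicationArguments args) {
        List<SecurityFilterChain> chains = proxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            SecurityFilterChain chain = chains.get(i);
            List<Filter> filters = chain.getFilters();
            int corsIndex = indexOf(filters, CorsFilter.class);
            int logoutIndex = indexOf(filters, LogoutFilter.class);
            // DefaultSecurityFilterChain exposes the request matcher, which tells us
            // whether this is the authorization server chain or the resource server chain.
            String matcher = chain instanceof DefaultSecurityFilterChain
                    ? ((DefaultSecurityFilterChain) chain).getRequestMatcher().toString()
                    : chain.getClass().getSimpleName();
            System.out.printf("chain %d [%s]: CorsFilter=%d LogoutFilter=%d -> %s%n",
                    i, matcher, corsIndex, logoutIndex, verdict(corsIndex, logoutIndex));
        }
    }

    // Verdict for one chain; a negative index means the filter is absent.
    static String verdict(int corsIndex, int logoutIndex) {
        if (corsIndex < 0) {
            return "NO CorsFilter: preflight requests in this chain are not answered by CORS";
        }
        if (logoutIndex >= 0 && corsIndex > logoutIndex) {
            return "CorsFilter runs AFTER LogoutFilter";
        }
        return "ok";
    }

    private static int indexOf(List<Filter> filters, Class<? extends Filter> type) {
        for (int i = 0; i < filters.size(); i++) {
            if (type.isInstance(filters.get(i))) {
                return i;
            }
        }
        return -1;
    }
}
```

With only http.cors() in ResourceServerConfig, the first chain (the authorization server's, order 0) prints "NO CorsFilter" and the second prints "ok"; after any of the fixes below, the chain that serves the failing request should print "ok", or the corsFilter servlet filter should be ordered ahead of springSecurityFilterChain so that the chain contents no longer matter for preflight.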
Solution 1
Use both: call http.cors() in the HttpSecurity configuration and also declare a CorsFilter bean.
ResourceServerConfig:
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Override
public void configure(HttpSecurity http) throws Exception {
    // adds a CorsFilter to this chain; it picks up the corsFilter bean declared below
    http.cors();
    //...
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    // "*" allows every origin; narrow this to the real front-end origin(s) in production
    configuration.setAllowedOrigins(Arrays.asList("*"));
    // OPTIONS (not "OPTION") is the preflight method and must be allowed
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "HEAD", "DELETE", "OPTIONS"));
    configuration.setAllowedHeaders(Arrays.asList("*"));
    // let the browser read the Authorization header from actual responses
    configuration.addExposedHeader("Authorization");
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

@Bean
public CorsFilter corsFilter() {
    return new CorsFilter(corsConfigurationSource());
}
With both in place the filter layout looks like the figure below: besides the corsFilter registered alongside springSecurityFilterChain in the servlet filter chain, there is also one inside it.
Solution 2
import java.util.Arrays;
import org.springframework.boot.web.servlet.filter.OrderedFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsFilterConfig {
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        // "*" allows every origin; narrow this to the real front-end origin(s) in production
        configuration.setAllowedOrigins(Arrays.asList("*"));
        // OPTIONS (not "OPTION") is the preflight method and must be allowed
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "HEAD", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        // let the browser read the Authorization header from actual responses
        configuration.addExposedHeader("Authorization");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Bean
    public CorsFilter corsFilter() {
        return new DefaultCorsFilter(corsConfigurationSource());
    }

    /**
     * A CorsFilter that also carries a Spring Boot filter order, so the servlet
     * container runs it ahead of springSecurityFilterChain (default order -100)
     * regardless of which DefaultSecurityFilterChain later handles the request.
     */
    static class DefaultCorsFilter extends CorsFilter implements OrderedFilter {
        /**
         * Constructor accepting a {@link CorsConfigurationSource} used by the filter
         * to find the {@link CorsConfiguration} to use for each incoming request.
         *
         * @param configSource the source of CORS configuration
         * @see UrlBasedCorsConfigurationSource
         */
        public DefaultCorsFilter(CorsConfigurationSource configSource) {
            super(configSource);
        }

        @Override
        public int getOrder() {
            // OrderedRequestContextFilter is -105, springSecurityFilterChain is -100
            return -104;
        }
    }
}
This registers corsFilter directly ahead of springSecurityFilterChain, whose default order is -100 (OrderedRequestContextFilter is -105, so -104 keeps the request context filter first and still beats the security chain).
Solution 3
AuthorizationServerConfig:
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
    // registers the CorsFilter in the authorization server's own chain (order 0),
    // the chain that http.cors() in ResourceServerConfig does not reach
    oauthServer.addTokenEndpointAuthenticationFilter(new CorsFilter(corsConfigurationSource()));
    //...
}
ResourceServerConfig:
@Override
public void configure(HttpSecurity http) throws Exception {
    // CORS for the resource server chain, where /logout is handled
    http.cors();
    //...
}
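Whichever of the three variants is used, the fix is worth pinning down with a test so it does not regress. The following MockMvc test (an added example, not code from the original post) sends browser-style preflight requests to /logout, the path from the debug log above, and to /oauth/token, the default token endpoint of spring-security-oauth2, and expects the CorsFilter to answer both. It assumes spring-boot-starter-test with JUnit 5 and the "*"-for-all-origins configuration shown above; the origin http://localhost:3000 and the class name are made up.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added test: @AutoConfigureMockMvc wires in springSecurityFilterChain and every
// servlet Filter bean (including an ordered corsFilter), so the request goes through
// the same filter stack a browser request would.
@SpringBootTest
@AutoConfigureMockMvc
class CorsPreflightTest {

    // hypothetical front-end origin
    private static final String ORIGIN = "http://localhost:3000";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void preflightOnLogoutIsAnsweredByCors() throws Exception {
        // This is what the browser sends before the real POST /logout.
        mockMvc.perform(options("/logout")
                        .header("Origin", ORIGIN)
                        .header("Access-Control-Request-Method", "POST")
                        .header("Access-Control-Request-Headers", "Authorization"))
                // CorsFilter answers the preflight itself with 200 and stops the chain;
                // without it, LogoutFilter or the entry point would answer instead.
                .andExpect(status().isOk())
                // allowedOrigins("*") without credentials is echoed back as "*"
                .andExpect(header().string("Access-Control-Allow-Origin", "*"))
                .andExpect(header().exists("Access-Control-Allow-Methods"));
    }

    @Test
    void preflightOnTokenEndpointIsAnsweredByCors() throws Exception {
        // The token endpoint lives in the authorization server chain (order 0),
        // so this only passes with solution 2 (filter ahead of the security chain)
        // or solution 3 (CorsFilter added to the token endpoint), not with
        // http.cors() in ResourceServerConfig alone.
        mockMvc.perform(options("/oauth/token")
                        .header("Origin", ORIGIN)
                        .header("Access-Control-Request-Method", "POST"))
                .andExpect(status().isOk())
                .andExpect(header().string("Access-Control-Allow-Origin", "*"));
    }
}
```

If the allowed-origins list is later narrowed to a concrete origin (the recommended production setting), change the expected Access-Control-Allow-Origin value from "*" to that origin, since Spring then echoes the matching request origin instead.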
There are many other ways to do this; the above is for reference.