reactjs - 如何在反应和春季启动的axios发布请求中添加csrf令牌?
问题描述
我正在尝试在 Spring Boot 和 React 中使用 Spring Security JDBC 身份验证添加登录。我将 cors 过滤器配置添加到 spring 安全配置文件以使用 CORS。我可以在.csrf().disable()
禁用时登录。但是当我尝试使用 csrf 令牌发送相同的发布请求时,我收到错误“请求标头字段 x-xsrf-token 在预检响应中被 Access-Control-Allow-Headers 不允许”。我尝试了其他问题中提供的解决方案,但它对我不起作用。
响应头
HTTP/1.1 500
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Sun, 20 Jan 2019 06:23:40 GMT
Connection: close
请求头
POST /login HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 81
Access-Control-Allow-Origin: http://localhost:3000
Accept: application/json, text/plain, */*
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:3000/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=5B64C3749B3DCBBB5072B827D59E8418
表单数据
username: vk%40gmail.com
password: admin
_csrf: 30955a56-abb5-443a-a029-d6b371f16e5a
我发送 csrf 令牌以像这样对应用程序做出反应
CsrfToken token = (CsrfToken)request.getAttribute(CsrfToken.class.getName());
map.put("csrf", token.getToken());
这是 Cors 过滤器配置
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(Arrays.asList("authorization", "Cache-Control", "content-type", "xsrf-token"));
configuration.setExposedHeaders(Arrays.asList("xsrf-token"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
这个 axios POST 请求
export const addProjectTask = (username,password,csrf,history) => async dispatch => {
axios.post('http://localhost:8080/login',
Qs.stringify({
username: username,
password: password,
}), {
headers: {
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN',
"X-XSRF-TOKEN": csrf,
// Authorization: 'Bearer ' + csrf,
"Content-Type": "application/x-www-form-urlencoded"
},
credentials: 'include',
})
.then(function (response) {
console.log(response);
history.push("/");
})
.catch(function (error) {
console.log(error);
});
};
我在这里做错了什么?
解决方案
推荐阅读
- javascript - 使用 express 服务器在 React 应用程序中热重载
- scala - 如何模拟 .map 函数?
- laravel-5 - laravel v7.0 和 php v7.2 中的每个帖子路由都出现 419 错误
- javascript - [Vue 警告]:客户端渲染的虚拟 DOM 树与服务器渲染的内容不匹配。如何找到位置?
- xslt - 动态分组
- javascript - 如何在 php 类函数调用中使用 ajax 显示错误?
- javascript - 带有 dataTransfer 的拖放事件在移动视图中不起作用
- php - 在会话中保存用户信息不起作用.PHP
- javascript - AJAX 请求未显示在同一页面上
- c# - Kafka消费者和消费者构建编码的区别