cordova - 带有 Spring Boot 的 Ionic 3 中的 CORS 问题
问题描述
我在网络安全配置中启用 CORS:
@Configuration
@EnableWebSecurity
public class MyWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.csrf().disable()
.authorizeRequests()
.antMatchers( "/forms/**").permitAll()
.antMatchers( "/member/login").permitAll()
.antMatchers( "/member/signup").permitAll()
.anyRequest().authenticated()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/member/logout")).logoutSuccessHandler((new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK)))
.and().requestCache().requestCache(new NullRequestCache());
}
@Bean
public JsonUsernamePasswordAuthenticationFilter authenticationFilter() throws Exception {
JsonUsernamePasswordAuthenticationFilter authenticationFilter = new JsonUsernamePasswordAuthenticationFilter();
authenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());
authenticationFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
authenticationFilter.setAuthenticationManager(authenticationManagerBean());
authenticationFilter.setFilterProcessesUrl("/member/login");
authenticationFilter.setPasswordParameter("password");
authenticationFilter.setUsernameParameter("email");
authenticationFilter.setPostOnly(true);
return authenticationFilter;
}
}
并且JsonUsernamePasswordAuthenticationFilter
:
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if(CorsUtils.isPreFlightRequest(request) || request.getMethod().equals(HttpMethod.OPTIONS.name())) response.setHeader("Allow", HttpMethod.POST.name());
if (this.postOnly && !request.getMethod().equals("POST")) {
return null;
} else {
MemberLogin login = getAuthenticationRequest(request);
if (login.getEmail() == null) login.setEmail("");
if (login.getPassword() == null) login.setPassword("");
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(login.getEmail(), login.getPassword());
setDetails(request, token);
return getAuthenticationManager().authenticate(token);
}
}
当我ionic cordova emulate -l -c ios
在模拟器中运行我的项目时,我POST
对/members/login
(身份验证过滤器)的请求失败并出现以下错误,而对(控制器端点)的POST
请求成功:/members/signup
{"headers":{"normalizedNames":{},"lazyUpdate":null,"headers":{}},"status":0,"statusText":"Unknown Error","url":null,"ok":false,"name":"HttpErrorResponse","message":"Http failure response for (unknown url): 0 Unknown Error","error":{"isTrusted":true}}
来自 Web Inspector 的错误如下:
[Error] Origin http://172.20.10.2:8100 is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load http://172.20.10.2:8080/member/login due to access control checks.
[Error] Failed to load resource: Origin http://172.20.10.2:8100 is not allowed by Access-Control-Allow-Origin. (login, line 0)
请求响应的标头OPTIONS
如下:
Allow →POST
X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
Content-Length →0
Date →Fri, 05 Apr 2019 11:53:58 GMT
请求响应的标头POST
是:
X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
Access-Control-Expose-Headers →*
Access-Control-Allow-Origin →*
x-auth-token →b5f39afe-ad54-40b1-a690-0c79f800abd6
Content-Length →0
Date →Fri, 05 Apr 2019 12:08:30 GMT
这与请求的标头相同/member/signup
。
这表明--livereload
仍然会启动一个带有来源请求的 Web 服务器,因此可能会遇到 CORS 问题,但是当我在没有它的情况下运行时(实际上是打包应用程序并在我的组织内分发)我的请求仍然失败(使用ionic cordova build ios
和来自 XCode 项目)。
所以我的问题是:
- 为什么即使我打包应用程序并在没有 livereload 的情况下分发我的请求也会失败(我的请求的来源不应该是空的吗?)
- 如何为我的身份验证过滤器启用 CORS?
参考:
解决方案
推荐阅读
- javascript - 打开 Bootbox 警报 - 循环遍历字符串数组并显示复选框列表
- javascript - 当父 Div 悬停时更改子 Div 的背景颜色
- kubernetes - 如何删除所有资源,包括特定部署的服务、部署、pod、副本集,不包括 kubernetes 中的特定资源
- javascript - 如何使用 python 抓取 MSN 股票历史?
- vowpalwabbit - 大众语境强盗:历史数据和在线学习
- python - Tensorflow 2:如何使用 AdamOptimizer.minimize() 更新权重
- azure - 无法将 dotnet core web api 应用发布到 Azure AppService
- windows - winget 源代码库的结构
- c# - '访问被拒绝' IIS 杀死 Windows 进程
- java - 是否缺少正确对齐我的输出的值?