On the CORS problem with Spring Boot Security OAuth2 (logout has no effect)

Preface

Logout was failing with the following trace, and I found that http.cors() did not help, and neither did creating a CorsFilter.

 : /logout at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
 : /logout at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
 : /logout at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
 : /logout at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'

A CorsFilter only appears when http.cors() is added, and it is then placed before the LogoutFilter. If there is no CorsFilter, or the CorsFilter is not before the LogoutFilter, the error occurs.

Adding http.cors() in ResourceServerConfig does create a CorsFilter before the LogoutFilter in the second DefaultSecurityFilterChain of the FilterChains, but the first DefaultSecurityFilterChain never gets a CorsFilter.

AuthorizationServerSecurityConfiguration has order(0), so the first DefaultSecurityFilterChain comes from it, and http.cors() was never added there. That is the cause.
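To see exactly which chains exist and where CorsFilter sits relative to LogoutFilter in each, the following startup check dumps every SecurityFilterChain held by the springSecurityFilterChain FilterChainProxy. It is an added example, not code from the original post; it assumes Spring Boot 2.x with javax.servlet and Spring Security 5.x, and the package name is hypothetical.

```java
package com.example.diag; // hypothetical package

import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.CorsFilter;

/**
 * Prints every security filter chain at startup so the position of CorsFilter
 * relative to LogoutFilter is visible without raising the security debug log level.
 */
@Component
public class CorsChainCheck implements ApplicationRunner {

    private final Filter springSecurityFilterChain;

    public CorsChainCheck(@Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
        this.springSecurityFilterChain = springSecurityFilterChain;
    }

    @Override
    public void run(ApplicationArguments args) {
        if (!(springSecurityFilterChain instanceof FilterChainProxy)) {
            // With @EnableWebSecurity(debug = true) the bean is wrapped in a DebugFilter.
            System.out.println("springSecurityFilterChain is " + springSecurityFilterChain.getClass().getName());
            return;
        }
        List<SecurityFilterChain> chains = ((FilterChainProxy) springSecurityFilterChain).getFilterChains();
        // Chains are tried in order; the first one whose matcher accepts the request handles it.
        for (int i = 0; i < chains.size(); i++) {
            System.out.println(describe(i, chains.get(i)));
        }
    }

    /** One line per chain: its request matcher, filter count, and where CorsFilter and LogoutFilter sit. */
    static String describe(int index, SecurityFilterChain chain) {
        List<Filter> filters = chain.getFilters();
        int cors = indexOf(filters, CorsFilter.class);
        int logout = indexOf(filters, LogoutFilter.class);
        String verdict;
        if (cors < 0) {
            verdict = "no CorsFilter: a preflight routed here gets no CORS headers";
        } else if (logout >= 0 && cors > logout) {
            verdict = "CorsFilter after LogoutFilter: a preflight to /logout is consumed before CORS runs";
        } else {
            verdict = "ok";
        }
        Object matcher = chain instanceof DefaultSecurityFilterChain
                ? ((DefaultSecurityFilterChain) chain).getRequestMatcher() : chain;
        return String.format("chain[%d] %s: %d filters, CorsFilter@%d, LogoutFilter@%d -> %s",
                index, matcher, filters.size(), cors, logout, verdict);
    }

    static int indexOf(List<Filter> filters, Class<? extends Filter> type) {
        for (int i = 0; i < filters.size(); i++) {
            if (type.isInstance(filters.get(i))) {
                return i;
            }
        }
        return -1;
    }
}
```

Run the application once with this component on the classpath and compare the output against the trace above: the chain whose matcher accepts /logout is the one that must report "ok".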

Solution 1

Add both

ResourceServerConfig:

import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.cors(); // adds a CorsFilter ahead of LogoutFilter in this security chain
        //...
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        // "OPTIONS", not "OPTION": browser preflight requests use the OPTIONS method
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "HEAD", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.addExposedHeader("Authorization");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Bean
    public CorsFilter corsFilter() {
        return new CorsFilter(corsConfigurationSource());
    }
}

With both in place, it looks like the figures below: besides the corsFilter listed below springSecurityFilterChain, there is also one inside it.

[Figure 1]

[Figure 2]

Solution 2

import java.util.Arrays;
import org.springframework.boot.web.servlet.filter.OrderedFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsFilterConfig {

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        // "OPTIONS", not "OPTION": browser preflight requests use the OPTIONS method
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "HEAD", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.addExposedHeader("Authorization");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Bean
    public CorsFilter corsFilter() {
        return new DefaultCorsFilter(corsConfigurationSource());
    }

    /** A CorsFilter that Spring Boot registers at a fixed position in the servlet filter chain. */
    static class DefaultCorsFilter extends CorsFilter implements OrderedFilter {

        /**
         * Constructor accepting a {@link CorsConfigurationSource} used by the filter
         * to find the {@link CorsConfiguration} to use for each incoming request.
         *
         * @param configSource the source of per-request CORS configuration
         * @see UrlBasedCorsConfigurationSource
         */
        public DefaultCorsFilter(CorsConfigurationSource configSource) {
            super(configSource);
        }

        @Override
        public int getOrder() {
            // -104 runs after OrderedRequestContextFilter (-105) and before springSecurityFilterChain (-100)
            return -104;
        }
    }

}

This places the corsFilter directly before springSecurityFilterChain
(OrderedRequestContextFilter is -105).
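The following configuration class is an added example, not code from the original post. It combines the two points above: the CORS settings from Solution 1 tightened to an explicit origin allow-list (an allowed origin of "*" lets a page from any site read this API's responses, and Spring rejects "*" together with allowCredentials(true)), and the ordering from Solution 2 done with a FilterRegistrationBean instead of an OrderedFilter subclass, expressed relative to SecurityProperties.DEFAULT_FILTER_ORDER (-100, the order at which springSecurityFilterChain is registered). The origins and the package name are constructed values.

```java
package com.example.config; // hypothetical package

import java.util.Arrays;
import java.util.List;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsConfig {

    // Constructed allow-list; in a real deployment read it from application properties.
    private static final List<String> ALLOWED_ORIGINS =
            Arrays.asList("https://app.example.com", "https://admin.example.com");

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(ALLOWED_ORIGINS);                 // exact origins, not "*"
        cfg.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(Arrays.asList(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE));
        cfg.addExposedHeader(HttpHeaders.AUTHORIZATION);        // let the SPA read the token header
        cfg.setAllowCredentials(true);                          // only valid with explicit origins
        cfg.setMaxAge(3600L);                                   // browsers may cache the preflight for an hour
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cfg);
        return source;
    }

    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilterRegistration(CorsConfigurationSource source) {
        FilterRegistrationBean<CorsFilter> reg = new FilterRegistrationBean<>(new CorsFilter(source));
        // springSecurityFilterChain is registered at SecurityProperties.DEFAULT_FILTER_ORDER (-100).
        // A lower value runs earlier, so preflights are answered before any security chain,
        // including the authorization server's chain at order 0, ever sees them.
        reg.setOrder(SecurityProperties.DEFAULT_FILTER_ORDER - 4);
        reg.addUrlPatterns("/*");
        return reg;
    }
}
```

If http.cors() is also called in a security configuration, Spring Security looks up the bean named corsConfigurationSource, so the servlet-level filter and the in-chain filter share the same rules instead of drifting apart.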

Solution 3

AuthorizationServerConfig:

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
    // Puts a CorsFilter into the authorization server's own chain (order 0),
    // which http.cors() in ResourceServerConfig does not touch.
    oauthServer.addTokenEndpointAuthenticationFilter(new CorsFilter(corsConfigurationSource()));
    //...
}

ResourceServerConfig:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.cors();
    //...
}
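Whichever of the three solutions is applied, the observable check is that a browser preflight for /logout comes back with CORS headers, and that an unlisted origin does not. The following Spring Boot test is an added example, not part of the original post; it assumes Spring Boot 2.2+ (JUnit 5 via spring-boot-starter-test) and a CorsConfigurationSource that lists https://app.example.com as an allowed origin (a constructed value). The second test only passes with an explicit origin allow-list; with the "*" origin used in the snippets above every origin is accepted.

```java
package com.example; // hypothetical package

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.servlet.MockMvc;

/** Exercises the full servlet filter chain, including springSecurityFilterChain, against /logout. */
@SpringBootTest
@AutoConfigureMockMvc
class LogoutCorsTest {

    // Constructed origin; must match an entry in the CorsConfigurationSource allow-list.
    static final String ALLOWED_ORIGIN = "https://app.example.com";

    @Autowired
    MockMvc mvc;

    @Test
    void preflightForLogoutIsAnsweredWithCorsHeaders() throws Exception {
        // This is what the browser sends before a cross-origin POST /logout with an Authorization header.
        mvc.perform(options("/logout")
                .header(HttpHeaders.ORIGIN, ALLOWED_ORIGIN)
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST")
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "authorization"))
            .andExpect(status().isOk())
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOWED_ORIGIN));
    }

    @Test
    void preflightFromUnlistedOriginIsRejected() throws Exception {
        // Spring's CorsFilter answers an invalid preflight with 403 "Invalid CORS request".
        mvc.perform(options("/logout")
                .header(HttpHeaders.ORIGIN, "https://unlisted.example")
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
            .andExpect(status().isForbidden());
    }
}
```

If the first test fails with a redirect or a 302, the preflight reached LogoutFilter before any CorsFilter, which is the symptom described at the top of this post.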

There are many other ways; the above is for reference.
