Allow OPTIONS HTTP Method for oauth/token request

Frontend | Unresolved | 5 | 1377
不思量自难忘° 2020-12-04 19:17

I'm trying to enable oauth2 token fetching for my angular application. My configuration is working fine (authentication is working correctly for all requests, token fetchin

5 answers
  • 2020-12-04 19:50

    I was using the solution proposed by idursun. The OPTION call started to work, but still had problems with Access-Control-Allow-Origin.

    This filter implementation definitively worked for me:

    Standalone Spring OAuth2 JWT Authorization Server + CORS

  • 2020-12-04 19:59

    Same problem with Spring-Boot 1.4.7.RELEASE

    My WebSecurityConfigurerAdapter was using SecurityProperties.ACCESS_OVERRIDE_ORDER so, selected answer did not work.

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class AuthServerSecurityConfig extends WebSecurityConfigurerAdapter {
        // ...
    }
    

    Thus, I added the following filter configuration with preceding order:

      // Registers Spring's CorsFilter as a servlet filter, ordered alongside the security filter chain
      @Bean
      public FilterRegistrationBean corsFilter() {
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(corsConfigurationSource()));
        bean.setOrder(SecurityProperties.DEFAULT_FILTER_ORDER);
        return bean;
      }
    
      @Bean
      public CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        // Wildcard origin, headers and methods. Browsers refuse "*" as the allowed origin
        // on requests that carry cookies or HTTP auth, so narrow this if such credentials are sent.
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        return source;
      }
    

    and it got the job done.

    Note: an equivalent result can be achieved with a javax.servlet.Filter bean with the @Order(SecurityProperties.DEFAULT_FILTER_ORDER) annotation, as below:

    import java.io.IOException;
    
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.core.annotation.Order;
    import org.springframework.stereotype.Component;
    
    @Component
    @Order(SecurityProperties.DEFAULT_FILTER_ORDER)
    public class CorsFilter implements Filter {
    
      @Override
      public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        final HttpServletResponse response = (HttpServletResponse) res;
    
        // CORS headers are set on every response, preflight or not
        response.setHeader("Access-Control-Allow-Origin"  , "*"                               );
        response.setHeader("Access-Control-Allow-Methods" , "POST, PUT, GET, OPTIONS, DELETE" );
        response.setHeader("Access-Control-Allow-Headers" , "Authorization, Content-Type"     );
        response.setHeader("Access-Control-Max-Age"       , "3600"                            );
    
        // A preflight OPTIONS request is answered here with 200 and never reaches the security chain
        if("OPTIONS".equalsIgnoreCase(((HttpServletRequest) req).getMethod())) {
          response.setStatus(HttpServletResponse.SC_OK);
        }
        else {
          chain.doFilter(req, res);
        }
      }
      // ... init() and destroy() omitted
    }
    
  • 2020-12-04 20:06

    I just added

    @Order(Ordered.HIGHEST_PRECEDENCE)
    

    to

    public class OAuth2SecurityConfig extends WebSecurityConfigurerAdapter {....}
    

    and configured Spring's CORS support:

    // Picked up by Spring Security's cors() support by bean name
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
      CorsConfiguration configuration = new CorsConfiguration();
      configuration.setAllowedOrigins(Arrays.asList("*"));
      configuration.setAllowedMethods(Arrays.asList("*"));
      configuration.setAllowedHeaders(Arrays.asList("*"));
    
      UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
      source.registerCorsConfiguration("/**", configuration);
      return source;
    }
    

    Worked for me.

  • 2020-12-04 20:10

    The following works for Spring Boot 2. It does not pick up other CORS configurations otherwise.

    @Configuration
    @EnableAuthorizationServer
    public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    
        // A Spring @ConfigurationProperties bean; use any other way to obtain the CORS values
        @Autowired
        private CorsProperties corsProperties;
    
        // other things (tokenStore(), authenticationManager, ...)
        //...
    
        @Override
        public void configure(
                AuthorizationServerEndpointsConfigurer endpoints) {
            endpoints
                    .tokenStore(tokenStore())
                    .authenticationManager(authenticationManager);
            if (corsProperties.getAllowedOrigins() != null) {
                Map<String, CorsConfiguration> corsConfigMap = new HashMap<>();
                // one CorsConfiguration per comma-separated origin (StringUtils is commons-lang3)
                Arrays.asList(corsProperties.getAllowedOrigins().split(",")).stream()
                        .filter(StringUtils::isNotBlank).forEach(s -> {
                    CorsConfiguration config = new CorsConfiguration();
                    config.setAllowCredentials(true);
                    config.addAllowedOrigin(s.trim());
                    if (corsProperties.getAllowedMethods() != null) {
                        config.setAllowedMethods(Arrays.asList(corsProperties.getAllowedMethods().split(",")));
                    }
                    if (corsProperties.getAllowedHeaders() != null) {
                        config.setAllowedHeaders(Arrays.asList(corsProperties.getAllowedHeaders().split(",")));
                    }
                    // here the /oauth/token is used
                    corsConfigMap.put("/oauth/token", config);
                });
                // attaches the CORS configuration to the framework's own /oauth/* handler mapping
                endpoints.getFrameworkEndpointHandlerMapping()
                        .setCorsConfigurations(corsConfigMap);
            }
        }
    }
    

    And in addition the already mentioned allowance of the OPTIONS request:

    @Order(-1)
    @Configuration
    public class MyWebSecurity extends WebSecurityConfigurerAdapter {
       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http
              .authorizeRequests()
                .antMatchers("/**/oauth/token").permitAll()
                .and().httpBasic().realmName(securityRealm)
                // would throw a 403 otherwise
                .and().csrf().disable()
                // optional, but with a token a session is not needed anymore
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
       }
    }
    
  • 2020-12-04 20:12

    @EnableAuthorizationServer is adding HTTP security configuration for endpoints like /oauth/token, /oauth/token_key etc. at order 0. So what you should do is to define an HTTP security rule for the /oauth/token endpoint only for the OPTIONS HTTP method, at a higher order.

    Something like this:

    @Order(-1)
    @Configuration
    public class MyWebSecurity extends WebSecurityConfigurerAdapter {
       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http
              .authorizeRequests()
              .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll();
       }
    }
    
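As an added example that is not from any answer in this thread, here is how the pieces discussed above fit together on Spring Boot 2.x with spring-security-oauth2: a CorsFilter with an explicit origin allowlist running strictly ahead of the security filter chain (so both the preflight and the real POST get their CORS headers), plus a chain at order -1 scoped to the OPTIONS preflight on /oauth/token only. The class names, the origin list and the Boot 2 target are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
// Added example, hypothetical class; targets Spring Boot 2.x / Spring Security 5.x.
@Configuration
public class TokenEndpointCorsConfig {
    // Constructed sample allowlist; load it from properties in a real deployment.
    private static final List<String> ALLOWED_ORIGINS =
            Arrays.asList("https://app.example.com", "http://localhost:4200");
    @Bean
    public FilterRegistrationBean<CorsFilter> tokenCorsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origins, not "*": credentials are allowed, and browsers reject a
        // wildcard Access-Control-Allow-Origin on credentialed requests.
        config.setAllowedOrigins(ALLOWED_ORIGINS);
        config.setAllowCredentials(true);
        config.setAllowedMethods(Arrays.asList("POST", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/oauth/token", config); // token endpoint only
        FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
        // Strictly before springSecurityFilterChain (registered at DEFAULT_FILTER_ORDER): the
        // preflight is answered before any HTTP Basic challenge, and the real POST gets its CORS headers.
        bean.setOrder(SecurityProperties.DEFAULT_FILTER_ORDER - 1);
        return bean;
    }
    // Ordered before the @EnableAuthorizationServer chain (order 0). requestMatchers() limits this
    // chain to the preflight; without it an @Order(-1) adapter matches every request and the
    // authorization server chain never sees POST /oauth/token.
    @Configuration
    @Order(-1)
    public static class PreflightSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers(HttpMethod.OPTIONS, "/oauth/token")
                .and().authorizeRequests().anyRequest().permitAll();
        }
    }
}
```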