Request 'OPTIONS /logout' doesn't match 'POST /logout

Front-end  Unresolved  1 answer  1821 views
故里飘歌 2021-01-04 23:41

I am studying Spring Cloud and Spring OAuth2 by decomposing the three interconnected apps in this GitHub sample. When I open up the /oauth/revoke-token endpoin

Related tags:
1 answer
  • 2021-01-05 00:11

    Leaving aside the question of why you might want to do this and whether or not it is a good idea: your JS client is POSTing to an endpoint on another server, so you face two problems: Cross-Origin Resource Sharing (CORS) and Cross Site Request Forgery (CSRF), both of which are locked down by default in your Auth Server because it is using Spring MVC and Spring Security.

    The CORS problem can be worked around in various ways, including the approach that you took, which was to punch a hole through the security configuration using a request matcher and permitAll(). There is a far better integration between Spring MVC and Spring Security using HttpSecurity.cors(). User guide link: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors. Simple example from the tutorial (vanilla resource server):

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()
            ...;
    }
    

    What this does is switch on integration with the MVC declared endpoints with @CrossOrigin. Actually the endpoint you are trying to POST to is not one that you wrote, and it's not a Spring MVC endpoint, so you might have to use cors().configurationSource(...) instead.

    The CSRF problem is also easy to solve in various different ways. The tutorial where you started has explicit examples showing how to do it for Angular JS (but not in the app you are using because the tutorial is not about logging out from the SSO provider). In that case we use the HttpSecurity.csrf() features. User guide link: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf. Simple example from the tutorial in the UI app:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            ...
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
    
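    Putting both halves of the answer together, as an added example that is not from the question, the answer or the sample project: a Spring Security configuration for the Auth Server that enables cors() with an explicit configurationSource (since /logout and /oauth/revoke-token are not endpoints we wrote, @CrossOrigin cannot be used) and keeps CSRF on with the cookie repository. The UI origin and the two paths are assumptions; the CorsFilter that cors() installs runs before LogoutFilter, so the OPTIONS preflight is answered before it ever reaches the 'POST /logout' matcher from the title.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class AuthServerWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed: the UI app that issues the cross-origin POST is served from this origin.
    private static final String UI_ORIGIN = "http://localhost:8080";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Explicit source instead of @CrossOrigin: the endpoints are not our own MVC handlers.
            .cors().configurationSource(corsConfigurationSource())
            .and()
            // CSRF stays enabled; the token goes into a readable XSRF-TOKEN cookie
            // that the JS client echoes back in the X-XSRF-TOKEN header.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList(UI_ORIGIN));        // one known origin, never "*" with credentials
        config.setAllowedMethods(Arrays.asList("POST", "OPTIONS")); // the real request plus its preflight
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        config.setAllowCredentials(true);                           // the session cookie must travel with the POST

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Only the two paths the JS client calls cross-origin (assumed); everything else keeps same-origin rules.
        source.registerCorsConfiguration("/logout", config);
        source.registerCorsConfiguration("/oauth/revoke-token", config);
        return source;
    }
}
```

    With this in place the preflight gets a 200 with the Access-Control-Allow-* headers, and the following POST is still rejected with 403 unless it carries the X-XSRF-TOKEN header matching the cookie, which is exactly the CSRF protection the answer describes keeping.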