AngularJS & Spring Security with ROLE_ANONYMOUS still returns 401

问题

We are building an Angular Material application, consuming a RESTful Spring MVC API, with Spring Security & OAUTH2.

For testing purpose, we gave ROLE_ANONYMOUS access to our /users endpoint:

<intercept-url pattern="/users" method="POST" access="ROLE_ANONYMOUS"/>

But when we try to send a JSON by POST, we still get a 401 response from the server.

• This is not happening with non-angular clients like Postman.
• If we disable the Spring Security filter, everything works fine.
• GET requests to the same endpoint also work fine.

This is our app.config:

  angular.module('App')
    .constant('RESOURCES', (function () {
                var resource = 'http://localhost:8080';
                return {
                  USERS: resource + '/users'
                }
              })());

And the factory doing the POST method:

  app.factory('LoginUser', ['RESOURCES', '$resource', function (RESOURCES, $resource) {
    return $resource(RESOURCES.USERS, null, {
                       add: {method: 'POST'}
                     });
  }]);

And the signup method in the controller:

  function signup(user) {
    LoginUser.add({}, JSON.stringify(user));
  }

We have the SimpleCORSFilter setup in the server following the Spring guide.

You can see the comparison between the postman POST and the AngularJS POST here:

The header marked in red is a custom one we have to add in Postman in order to avoid a 415 unsupported media type.

We tried to put custom headers in the POST request in AngularJS, but it doesn't seem to be working:

.config(function ($httpProvider) {
    $httpProvider.defaults.headers.put['Content-Type'] = $httpProvider.defaults.headers.post['Content-Type'] =
        'application/json; charset=UTF-8';
});

回答1:

Ok, after reviewing the screenshot, we noticed the method was OPTIONS instead of POST.

The problem was not in the headers (we were checking those so much that we weren't seeing the obvious), but in the pre-flight request OPTIONS due to CORS. Here's a nice article about it. Our Spring Security was configured for the POST method, but not for the OPTIONS. We changed it and now it works like a charm:

  <intercept-url pattern="/users" method="POST" access="ROLE_ANONYMOUS"/>
  <intercept-url pattern="/users" method="OPTIONS" access="ROLE_ANONYMOUS"/>

来源：https://stackoverflow.com/questions/29926503/angularjs-spring-security-with-role-anonymous-still-returns-401