CORS(跨域资源共享)

Spring Framework 提供了一流的 CORS 支持。 CORS 必须在 Spring Security 之前进行处理,因为预检请求(pre-flight request)不包含任何 Cookie(即 JSESSIONID)。 如果请求中不包含任何 Cookie,并且 Spring Security 先执行,则该请求会被判定为用户未认证(因为请求中没有 Cookie),从而被拒绝。spring-doc.cadn.net.cn

确保 CORS 请求首先被处理的最简单方法是使用 CorsFilter。 用户可以通过提供一个 CorsFilterCorsConfigurationSource 与 Spring Security 集成。请注意,只有当存在 UrlBasedCorsConfigurationSource 实例时,Spring Security 才会自动配置 CORS。 例如,以下代码将在 Spring Security 中集成 CORS 支持:spring-doc.cadn.net.cn

@Bean
UrlBasedCorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
@Bean
fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
    val configuration = CorsConfiguration()
    configuration.allowedOrigins = listOf("https://example.com")
    configuration.allowedMethods = listOf("GET", "POST")
    val source = UrlBasedCorsConfigurationSource()
    source.registerCorsConfiguration("/**", configuration)
    return source
}

The following listing does the same thing in XML:spring-doc.cadn.net.cn

<http>
	<cors configuration-source-ref="corsSource"/>
	...
</http>
<b:bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
	...
</b:bean>

如果使用了Spring MVC的CORS支持,您可以省略指定CorsConfigurationSource,Spring Security将会使用提供给Spring MVC的CORS配置。spring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
			// Spring Security will use CORS configuration provided to Spring MVC
			.cors(withDefaults())
			...
		return http.build();
	}
}
@Configuration
@EnableWebSecurity
open class WebSecurityConfig {
    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // if Spring MVC is on classpath and no CorsConfigurationSource is provided,
            // Spring Security will use CORS configuration provided to Spring MVC
            cors { }
            // ...
        }
        return http.build()
    }
}

The following listing does the same thing in XML:spring-doc.cadn.net.cn

<http>
	<!-- Default to Spring MVC's CORS configuration -->
	<cors />
	...
</http>

如果您的应用程序中有多个CorsConfigurationSource bean,Spring Security 将不会自动为您配置 CORS 支持,因为无法决定使用哪一个。 如果您希望为每个 CorsConfigurationSource 指定不同的 SecurityFilterChain,可以将它直接传递给.cors() DSL。spring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	@Order(0)
	public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
		http
			.securityMatcher("/api/**")
			.cors((cors) -> cors
				.configurationSource(apiConfigurationSource())
			)
			...
		return http.build();
	}

	@Bean
	@Order(1)
	public SecurityFilterChain myOtherFilterChain(HttpSecurity http) throws Exception {
		http
			.cors((cors) -> cors
				.configurationSource(myWebsiteConfigurationSource())
			)
			...
		return http.build();
	}

	UrlBasedCorsConfigurationSource apiConfigurationSource() {
		CorsConfiguration configuration = new CorsConfiguration();
		configuration.setAllowedOrigins(Arrays.asList("https://api.example.com"));
		configuration.setAllowedMethods(Arrays.asList("GET","POST"));
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		source.registerCorsConfiguration("/**", configuration);
		return source;
	}

	UrlBasedCorsConfigurationSource myWebsiteConfigurationSource() {
		CorsConfiguration configuration = new CorsConfiguration();
		configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
		configuration.setAllowedMethods(Arrays.asList("GET","POST"));
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		source.registerCorsConfiguration("/**", configuration);
		return source;
	}

}
@Bean
fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
    val configuration = CorsConfiguration()
    configuration.allowedOrigins = listOf("https://example.com")
    configuration.allowedMethods = listOf("GET", "POST")
    val source = UrlBasedCorsConfigurationSource()
    source.registerCorsConfiguration("/**", configuration)
    return source
}

CORS 是浏览器的一项安全特性。 通过在 Spring Security 中使用 .cors(CorsConfigurer::disable) 禁用 CORS,您并没有移除浏览器中的 CORS 保护。 相反,您是移除了 Spring Security 对 CORS 的支持,用户将无法从跨域的浏览器应用程序与您的 Spring 后端进行交互。 要解决应用中的 CORS 错误,您必须启用 CORS 支持,并提供一个合适的配置源。spring-doc.cadn.net.cn