AngularJS $http CORS with a Spring REST & Security backend

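I have a problem with AngularJS. When I call a REST service from another domain, the Authorization header is not sent with the request, so Spring Security does not recognize the authentication credentials. The configuration files are attached.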

web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>cors</filter-name>
    <filter-class>com.axcessfinancial.web.filter.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>cors</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

context-security.xml

<http use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <http-basic/>   
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

CorsFilter

protected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain filterChain)
        throws ServletException,IOException {
    response.addHeader("Access-Control-Allow-Origin","*");
    if (request.getHeader("Access-Control-Request-Method") != null  && "OPTIONS".equals(request.getMethod())) {
        response.addHeader("Access-Control-Allow-Methods","GET,POST,PUT,DELETE");
        response.addHeader("Access-Control-Allow-Headers","Authorization,Accept,Content-Type,X-PINGOTHER");
        response.addHeader("Access-Control-Max-Age","1728000");
    }
    filterChain.doFilter(request,response);
}

app.js

var app = angular.module('app',['app.controller','app.services']);
app.config(function($httpProvider) {    
    $httpProvider.defaults.useXDomain = true;
    delete $httpProvider.defaults.headers.common['X-Requested-With'];  
    /* $httpProvider.defaults.headers.common['Authorization'] = 'Basic YWRtaW46YWRtaW4='; */
});

service.js

angular.module('app.services',[]).service('Service',function ($http,$q,UtilHttp) {
    $http.defaults.headers.common = {"Access-Control-Request-Headers": "accept,origin,authorization"}; 
    $http.defaults.headers.common['Authorization'] = 'Basic YWRtaW46YWRtaW4=';

    return {
        listCutomer:  function(){
            var defer=$q.defer();
            $http.post('http://localhost:8088/rest-template/soa/listCustomer',{withCredentials: true})
            .success(function(data){
                defer.resolve(data);
            })
            .error(function(data){
                defer.reject(data);
            });
            return defer.promise;
        }
    };
});

Problem:

Response Headers
Content-Length  1134
Content-Type    text/html;charset=utf-8
Date    Wed,21 May 2014 14:39:44 GMT
Server  Apache-Coyote/1.1
Set-Cookie  JSESSIONID=5CD90453C2CD57CE111F45B0FBCB0301; Path=/rest-template
WWW-Authenticate    Basic realm="Spring Security Application"
Request Headers
Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip,deflate
Accept-Language en-US,en;q=0.5
Access-Control-Request-He...    authorization,content-type
Access-Control-Request-Me...    POST
Cache-Control   no-cache
Connection  keep-alive
Host    localhost:8088
Origin  null
Pragma  no-cache
User-Agent  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

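Solution

I think your problem is the following:

When you

- use an HTTP verb other than GET or POST
- need to send custom headers (e.g. Authentication, X-API-Key, etc.)
- need the request body to have a MIME type other than text/plain

your browser (following the CORS specification) adds an extra step to the request:

It first sends a specific request with the "OPTIONS" method to the URL; if the server's response approves the actual request you want, the actual request is then started.

Unfortunately, in your scenario, Spring returns 401 (Unauthorized) to the OPTIONS request because the auth token is not present in this request, so your real request never starts.

Solution:

You can put your CORS filter before the Spring Security filter in web.xml, and avoid calling the next filter in the chain (Spring Security) if the request method is OPTIONS.

This example filter works for me: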

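import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SimpleCORSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // CORS headers are set on every response, preflight or not.
        // Browsers reject a wildcard origin on credentialed requests.
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST,GET,DELETE,OPTIONS");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin,X-Requested-With,Authorization");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            // Answer the preflight here; it never reaches Spring Security.
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            // Any other method continues down the chain and is authenticated.
            chain.doFilter(req, res);
        }

    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }

}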

Remember to declare your CORS filter before the Spring Security filter in web.xml.
