对于最新的稳定版本,请使用 Spring Security 6.3.3! |
对于最新的稳定版本,请使用 Spring Security 6.3.3! |
Spring Framework 为 CORS 提供了一流的支持。
CORS 必须在 Spring Security 之前处理,因为飞行前请求不包含任何 cookie(即 )。
如果请求不包含任何 cookie,并且 Spring Security 是第一个,则请求将确定用户未经过身份验证(因为请求中没有 cookie)并拒绝它。JSESSIONID
确保首先处理 CORS 的最简单方法是使用 .
用户可以通过提供 .请注意,Spring Security 仅在存在实例时自动配置 CORS。
例如,以下内容将在 Spring Security 中集成 CORS 支持:CorsFilter
CorsFilter
CorsConfigurationSource
UrlBasedCorsConfigurationSource
-
Java
-
Kotlin
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Bean
fun corsConfigurationSource(): CorsConfigurationSource {
val configuration = CorsConfiguration()
configuration.allowedOrigins = listOf("https://example.com")
configuration.allowedMethods = listOf("GET", "POST")
val source = UrlBasedCorsConfigurationSource()
source.registerCorsConfiguration("/**", configuration)
return source
}
下面的清单在 XML 中执行相同的操作:
<http>
<cors configuration-source-ref="corsSource"/>
...
</http>
<b:bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
...
</b:bean>
如果使用 Spring MVC 的 CORS 支持,则可以省略指定,并且 Spring Security 使用提供给 Spring MVC 的 CORS 配置:CorsConfigurationSource
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
// Spring Security will use CORS configuration provided to Spring MVC
.cors(withDefaults())
...
return http.build();
}
}
@Configuration
@EnableWebSecurity
open class WebSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
// Spring Security will use CORS configuration provided to Spring MVC
cors { }
// ...
}
return http.build()
}
}
下面的清单在 XML 中执行相同的操作:
<http>
<!-- Default to Spring MVC's CORS configuration -->
<cors />
...
</http>
如果您有多个 bean,则 Spring Security 不会自动为您配置 CORS 支持,这是因为它无法决定使用哪一个。
如果要为每个 指定 different ,可以将其直接传递到 DSL 中。CorsConfigurationSource
CorsConfigurationSource
SecurityFilterChain
.cors()
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
@Order(0)
public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
http
.securityMatcher("/api/**")
.cors((cors) -> cors
.configurationSource(apiConfigurationSource())
)
...
return http.build();
}
@Bean
@Order(1)
public SecurityFilterChain myOtherFilterChain(HttpSecurity http) throws Exception {
http
.cors((cors) -> cors
.configurationSource(myWebsiteConfigurationSource())
)
...
return http.build();
}
CorsConfigurationSource apiConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://api.example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
CorsConfigurationSource myWebsiteConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
@Bean
fun corsConfigurationSource(): CorsConfigurationSource {
val configuration = CorsConfiguration()
configuration.allowedOrigins = listOf("https://example.com")
configuration.allowedMethods = listOf("GET", "POST")
val source = UrlBasedCorsConfigurationSource()
source.registerCorsConfiguration("/**", configuration)
return source
}