I am using Auth0 for user authentication; only logged-in users are allowed to access a Spring (Boot) RestController. I am now adding a live messaging feature so that users can send messages from an Angular 2 client (localhost:4200) to the Spring server (localhost:8081) using stompjs and sockjs.
When I try to create the STOMP client and connect, I get the following console error:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
After researching this, it appears that it is not possible to set Origin = * and Credentials = true at the same time. How can I resolve this when I have already set the allowed origin in WebSocketConfig to the client domain?

Angular 2 component
connect() {
    const socket = new SockJS('http://localhost:8081/chat');
    this.stompClient = Stomp.over(socket);
    // Arrow functions keep `this` bound to the component inside the callbacks
    this.stompClient.connect({}, (result) => {
        console.log('Connected: ' + result);
        this.stompClient.subscribe('/topic/messages', (message) => {
            console.log(message);
        });
    });
}
WebSocketConfig
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // In-memory broker for subscriptions; client sends go to /app/...
        config.enableSimpleBroker("/topic");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // SockJS endpoint restricted to the Angular dev-server origin
        registry.addEndpoint("/chat").setAllowedOrigins("http://localhost:4200").withSockJS();
    }
}
localhost:8081/chat/info?t=1490866768565
{"entropy":-1720701276,"origins":["*:*"],"cookie_needed":true,"websocket":true}
MessageController
import org.springframework.messaging.handler.annotation.MessageMapping;
import org.springframework.messaging.handler.annotation.SendTo;
import org.springframework.stereotype.Controller;

@Controller // needed so Spring detects the @MessageMapping handler
public class MessageController {

    @MessageMapping("/chat")
    @SendTo("/topic/messages")
    public Message send(Message message) throws Exception {
        // Echo the incoming message to every subscriber of /topic/messages
        return new Message(message.getFrom(), message.getText());
    }
}
SecurityConfig (temporarily allows everything)
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

public class SecurityConfig extends Auth0SecurityConfig {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Temporarily open every request while debugging the CORS problem
        http.authorizeRequests().anyRequest().permitAll();
    }
}
UPDATE
After some testing and research, it seems the problem only occurs with Chrome. The issue may be related to: https://github.com/sockjs/sockjs-node/issues/177
UPDATE
I created a CORSFilter as chsdk mentioned and used the addFilterBefore() method: https://stackoverflow.com/a/40300363/4836952.
@Bean
CORSFilter corsFilter() {
    CORSFilter filter = new CORSFilter();
    return filter;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    // Run the CORS filter before session management so the headers are always added
    http.addFilterBefore(corsFilter(), SessionManagementFilter.class).authorizeRequests().anyRequest().permitAll();
    http.csrf().disable();
}
I can see in the debugger that the filter is invoked, but the error message keeps appearing on the client side even though the correct Access-Control-Allow-Origin is set:
Problem:
You have not configured 'Access-Control-Allow-Origin' correctly; your current configuration may simply be ignored by the server.
Situation:
The error stack trace says:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access.
This means that, apart from the fact that you cannot set 'Access-Control-Allow-Origin' to the wildcard "*", your domain 'http://localhost:4200' is not allowed access either.
To answer your question:
How can I resolve this when I have already set the allowed origin in WebSocketConfig to the client domain?
Solution:
I guess you do not need to set the allowed origin in WebSocketConfig, because that is meant for configuring WebSocket-style messaging in web applications, as described under WebSocket Support in the Spring documentation. You need to configure it in the CORSFilter configuration class instead, because that is what configures a Spring filter for access to the web application.
This is what you need in your CORSFilter.java configuration class:
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CORSFilter implements Filter {
    // This is to be replaced with a list of domains allowed to access the server
    // You can include more than one origin here
    private final List<String> allowedOrigins = Arrays.asList("http://localhost:4200");

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Let's make sure that we are working with HTTP (that is, against HttpServletRequest and HttpServletResponse objects)
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // Access-Control-Allow-Origin: echo the caller's origin only when it is on the allow-list
            String origin = request.getHeader("Origin");
            response.setHeader("Access-Control-Allow-Origin", allowedOrigins.contains(origin) ? origin : "");
            // Vary: Origin keeps caches from serving one origin's response to another
            response.setHeader("Vary", "Origin");

            // Access-Control-Max-Age
            response.setHeader("Access-Control-Max-Age", "3600");

            // Access-Control-Allow-Credentials
            response.setHeader("Access-Control-Allow-Credentials", "true");

            // Access-Control-Allow-Methods
            response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");

            // Access-Control-Allow-Headers
            response.setHeader("Access-Control-Allow-Headers",
                    "Origin, X-Requested-With, Content-Type, Accept, " + "X-CSRF-TOKEN");
        }

        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) {
    }
}
As you can see, it uses:
private final List<String> allowedOrigins = Arrays.asList("http://localhost:4200");
to set the list of domains allowed to access the server.
References:
You may want to take a look at CORS support in Spring Framework and Enabling Cross Origin Requests for a RESTful Web Service for further reading.
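The same allow-list expressed with Spring's own CORS support instead of a hand-written filter, as an added example that is neither the question's nor the answer's code. It assumes the SecurityConfig class from the question (extending Auth0SecurityConfig, with the temporary permitAll left in place) and the Angular origin http://localhost:4200; the commented-out wildcard lines are the weak setting that triggers the browser error.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SecurityConfig extends Auth0SecurityConfig { // base class as in the question

    // Origins allowed to make credentialed (cookie-carrying SockJS) requests.
    // Assumption: only the Angular dev server; add production origins here.
    private static final List<String> ALLOWED_ORIGINS = Arrays.asList("http://localhost:4200");

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();

        // Weak setting that produces the browser error from the question:
        //   cors.setAllowedOrigins(Arrays.asList("*"));
        //   cors.setAllowCredentials(true);
        // Corrected: list exact origins, so Spring's CorsFilter echoes the
        // caller's origin (only when listed) and never emits "*" alongside
        // Access-Control-Allow-Credentials: true.
        cors.setAllowedOrigins(ALLOWED_ORIGINS);
        cors.setAllowCredentials(true);
        cors.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE"));
        cors.setAllowedHeaders(Arrays.asList("Origin", "X-Requested-With",
                "Content-Type", "Accept", "X-CSRF-TOKEN"));
        cors.setMaxAge(3600L); // cache preflight results for one hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors); // covers /chat/** SockJS transports too
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http.cors() places CorsFilter ahead of the authentication filters, so
        // preflight OPTIONS requests (which carry no credentials) get answered
        // before any auth check; Vary: Origin is added by Spring for you.
        http.cors().configurationSource(corsConfigurationSource())
            .and()
            .authorizeRequests().anyRequest().permitAll(); // temporary, as in the question
        http.csrf().disable();
    }
}
```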