CORS

Spring Framework provides first-class support for CORS. CORS must be processed before Spring Security, because the pre-flight request does not carry any cookies (that is, no JSESSIONID). If the request carries no cookies and Spring Security runs first, it concludes that the user is not authenticated (since there are no cookies in the request) and rejects the request.

The easiest way to ensure that CORS is handled first is to use the CorsFilter. You integrate the CorsFilter with Spring Security by providing a CorsConfigurationSource. Note that Spring Security automatically configures CORS only when a UrlBasedCorsConfigurationSource instance is present. For example, the following code integrates CORS support into Spring Security:

Java:

@Bean
UrlBasedCorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

Kotlin:

@Bean
fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
    val configuration = CorsConfiguration()
    configuration.allowedOrigins = listOf("https://example.com")
    configuration.allowedMethods = listOf("GET", "POST")
    val source = UrlBasedCorsConfigurationSource()
    source.registerCorsConfiguration("/**", configuration)
    return source
}
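To see what the configuration above actually admits, the following added example (not code from the Spring Security documentation) evaluates pre-flight requests against it. It mirrors the two checks Spring's CORS processor applies to a pre-flight, the Origin allow-list and the requested method, using CorsConfiguration's own checkOrigin and checkHttpMethod; only spring-web is assumed on the classpath, and the class name CorsPreflightCheck is hypothetical.

```java
import java.util.List;
import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

public class CorsPreflightCheck {

    // The same configuration the page registers for "/**": one origin, two methods.
    static CorsConfiguration pageConfiguration() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(List.of("https://example.com"));
        configuration.setAllowedMethods(List.of("GET", "POST"));
        return configuration;
    }

    // A pre-flight carries an Origin header and Access-Control-Request-Method.
    // checkOrigin returns null when the origin is not allowed; checkHttpMethod
    // returns null when the method is not allowed. Both must pass.
    static boolean preflightWouldPass(CorsConfiguration configuration,
                                      String origin, String requestedMethod) {
        String allowedOrigin = configuration.checkOrigin(origin);
        List<HttpMethod> allowedMethods =
                configuration.checkHttpMethod(HttpMethod.valueOf(requestedMethod));
        return allowedOrigin != null && allowedMethods != null;
    }

    public static void main(String[] args) {
        CorsConfiguration configuration = pageConfiguration();
        // Origin on the allow-list, method on the allow-list.
        System.out.println("example.com POST: "
                + preflightWouldPass(configuration, "https://example.com", "POST"));
        // Origin not on the allow-list (constructed sample value).
        System.out.println("other.example POST: "
                + preflightWouldPass(configuration, "https://other.example", "POST"));
        // Allowed origin, but DELETE is not among the allowed methods.
        System.out.println("example.com DELETE: "
                + preflightWouldPass(configuration, "https://example.com", "DELETE"));
    }
}
```

Because the pre-flight is an OPTIONS request without cookies, this is exactly the decision that must be taken before Spring Security's authentication filters see the request.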

The following listing does the same thing in XML:

<http>
	<cors configuration-source-ref="corsSource"/>
	...
</http>
<b:bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
	...
</b:bean>

If you use Spring MVC's CORS support, you can omit specifying the CorsConfigurationSource, and Spring Security uses the CORS configuration provided to Spring MVC.

Java:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
			// Spring Security will use CORS configuration provided to Spring MVC
			.cors(withDefaults())
			...
		return http.build();
	}
}

Kotlin:

@Configuration
@EnableWebSecurity
open class WebSecurityConfig {
    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // if Spring MVC is on classpath and no CorsConfigurationSource is provided,
            // Spring Security will use CORS configuration provided to Spring MVC
            cors { }
            // ...
        }
        return http.build()
    }
}

The following listing does the same thing in XML:

<http>
	<!-- Default to Spring MVC's CORS configuration -->
	<cors />
	...
</http>

If you have multiple CorsConfigurationSource beans, Spring Security does not automatically configure CORS support for you, because it cannot decide which one to use. If you want to specify a different CorsConfigurationSource for each SecurityFilterChain, you can pass it directly to the .cors() DSL.

Java:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	@Order(0)
	public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
		http
			.securityMatcher("/api/**")
			.cors((cors) -> cors
				.configurationSource(apiConfigurationSource())
			)
			...
		return http.build();
	}

	@Bean
	@Order(1)
	public SecurityFilterChain myOtherFilterChain(HttpSecurity http) throws Exception {
		http
			.cors((cors) -> cors
				.configurationSource(myWebsiteConfigurationSource())
			)
			...
		return http.build();
	}

	UrlBasedCorsConfigurationSource apiConfigurationSource() {
		CorsConfiguration configuration = new CorsConfiguration();
		configuration.setAllowedOrigins(Arrays.asList("https://api.example.com"));
		configuration.setAllowedMethods(Arrays.asList("GET","POST"));
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		source.registerCorsConfiguration("/**", configuration);
		return source;
	}

	UrlBasedCorsConfigurationSource myWebsiteConfigurationSource() {
		CorsConfiguration configuration = new CorsConfiguration();
		configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
		configuration.setAllowedMethods(Arrays.asList("GET","POST"));
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		source.registerCorsConfiguration("/**", configuration);
		return source;
	}

}

Kotlin:

@Bean
fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
    val configuration = CorsConfiguration()
    configuration.allowedOrigins = listOf("https://example.com")
    configuration.allowedMethods = listOf("GET", "POST")
    val source = UrlBasedCorsConfigurationSource()
    source.registerCorsConfiguration("/**", configuration)
    return source
}

CORS is a browser-based security feature. Disabling CORS in Spring Security with .cors(CorsConfigurer::disable) does not remove CORS protection from the browser. Instead, it removes CORS support from Spring Security, so users cannot interact with your Spring backend from a cross-origin browser application. To fix CORS errors in your application, you must enable CORS support and provide an appropriate configuration source.
