
Angular 2 with a Spring Boot security REST API

Stack Overflow user
Asked 2017-03-27 13:01:36
1 answer, 947 views, 0 followers, 0 votes

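Because I want to decouple the work, I deploy the REST API on Tomcat (localhost:8084, with context path app-api) and the front end on Angular CLI (localhost:4200).

My problem is that when I log in and then call other APIs, the result is 401. After a successful login, the JSessionId is not kept and is not sent in the header of the second request.

This is my bean configuration: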

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security.xsd">
    <global-method-security />

    <beans:bean id="failureHandler" class="my.app.auth.RESTAuthenticationFailureHandler"></beans:bean>
    <beans:bean id="successHandler" class="my.app.auth.RESTAuthenticationSuccessHandler"></beans:bean>
    <beans:bean id="loginUrlAuthenticationEntryPoint" class="my.app.auth.RESTAuthenticationEntryPoint"></beans:bean>

    <beans:bean id="loginPathRequestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <beans:constructor-arg type="java.lang.String" value="/login" />
    </beans:bean> 

    <beans:bean id="customUsernamePasswordAuthenticationFilter"
        class="my.app.auth.AuthenticationFilter">
        <beans:constructor-arg ref="loginPathRequestMatcher"/>
        <beans:constructor-arg ref="environment"/>
        <beans:constructor-arg ref="httpClient"/>

        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="sessionAuthenticationStrategy" ref="session-management" />
        <beans:property name="authenticationFailureHandler" ref="failureHandler" />
        <beans:property name="authenticationSuccessHandler" ref="successHandler" />
    </beans:bean>

    <http auto-config="false" use-expressions="true"
        disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
        <csrf disabled="true" />
        <custom-filter position="FORM_LOGIN_FILTER"
            ref="customUsernamePasswordAuthenticationFilter" />
        <custom-filter after="FORM_LOGIN_FILTER" ref="concurrencyFilter" />

        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/" access="permitAll" />

        <intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER')" />

        <logout logout-success-url="/login" />

        <headers>
            <frame-options policy="SAMEORIGIN" />
            <hsts include-subdomains="true" disabled="false" />
            <header name="Access-Control-Allow-Origin" value="*"/>
            <header name="Access-Control-Allow-Methods" value="POST, GET, OPTIONS, DELETE"/>
            <header name="Access-Control-Max-Age" value="3600"/>
            <header name="Access-Control-Allow-Headers" value="x-requested-with, authorization, Content-Type, *"/>
        </headers>

        <session-management
            session-authentication-strategy-ref="session-management" />
    </http>

    <beans:bean id="concurrencyFilter"
        class="my.app.auth.ConcurrentSessionFilter">
        <beans:constructor-arg ref="sessionRegistry" />
        <beans:constructor-arg name="expiredUrl" value="/" />
    </beans:bean>

    <beans:bean id="sessionRegistry" class="my.app.auth.SessionRegistry" />

    <beans:bean id="session-management"
        class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                </beans:bean>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
                <beans:bean
                    class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider" />
    </authentication-manager>

    <beans:bean id="customAuthenticationProvider" class="my.app.auth.UserAuthProvider" />

    <beans:bean id="authenticationService" class="my.app.auth.AuthenticationService" />
</beans:beans>

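I referred to the angular2-spring-boot-security topic, but I could not solve my problem, or I do not yet understand that solution.

Any suggestions for my problem? Or would someone discuss it with me? Thanks.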

1 Answer

Stack Overflow user

Answered 2017-03-28 10:20:02

Thanks, everyone. I solved my problem by declaring Access-Control-Allow-Origin exactly, and by using withCredentials in the Spring config and in http in Angular 2:

        <header name="Access-Control-Allow-Origin" value="http://localhost:4200"/>
        <header name="withCredentials" value="true"/>
        <header name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, PATCH, DELETE"/>
        <header name="Access-Control-Max-Age" value="3600"/>
        <header name="Access-Control-Allow-Headers" value="*"/>
        <header name="Access-Control-Allow-Credentials" value="true"/>

And add the http config in the component's constructor:

constructor(private http: Http) {
    let _build = (<any>http)._backend._browserXHR.build;
    (<any>http)._backend._browserXHR.build = () => {
      let _xhr = _build();
      _xhr.withCredentials = true;
      return _xhr;
    };
  }

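It works well for GET requests. But now I have a big problem with POST requests. When I add Content-Type to the headers, the request does not pick up the JSESSIONID from the cookie, but if I do not add Content-Type, I get error code 415 (unsupported media type) from the server.

I have tried both Angular 2 Http and XMLHttpRequest. What is going on?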

Votes: 0
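
The sketch below is an added example, not part of the original question or answer: a simplified JavaScript model of the browser's CORS checks for a request sent with `withCredentials = true`, applied to the two header sets posted above. The function names and the `EXPLICIT` variant are hypothetical; it shows that the wildcard origin fails outright, and that with credentials a `*` in `Access-Control-Allow-Headers` does not cover a JSON `Content-Type`.

```javascript
// Simplified model of the browser's CORS checks (Fetch spec) for an XHR
// sent with withCredentials = true. Request header names are lower-case.
const ORIGIN = 'http://localhost:4200';
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

// Request headers that force a preflight (simplified safelist).
function unsafeHeaders(reqHeaders) {
  return Object.keys(reqHeaders).filter(h => {
    if (h === 'content-type')
      return !SAFE_TYPES.includes(reqHeaders[h].split(';')[0].trim().toLowerCase());
    return !['accept', 'accept-language', 'content-language'].includes(h);
  });
}

// res: the static headers a <headers> element adds to every response.
// Returns 'ok' or the reason the browser withholds the response from the page.
function check(method, reqHeaders, res) {
  if (res['access-control-allow-origin'] !== ORIGIN)
    return 'origin: must equal the page origin; "*" is rejected with credentials';
  if (res['access-control-allow-credentials'] !== 'true')
    return 'credentials: Access-Control-Allow-Credentials must be "true"';
  const unsafe = unsafeHeaders(reqHeaders);
  if (SAFE_METHODS.includes(method) && unsafe.length === 0) return 'ok'; // no preflight
  // Preflight (OPTIONS, sent without cookies): "*" is a literal here, not a wildcard.
  if (!SAFE_METHODS.includes(method) &&
      !list(res['access-control-allow-methods']).includes(method.toLowerCase()))
    return 'preflight: method ' + method + ' not allowed';
  const allowed = list(res['access-control-allow-headers']);
  const missing = unsafe.filter(h => !allowed.includes(h));
  return missing.length ? 'preflight: header not allowed: ' + missing.join(', ') : 'ok';
}

// Constructed from the two <headers> blocks on this page.
const QUESTION = {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'POST, GET, OPTIONS, DELETE',
  'access-control-allow-headers': 'x-requested-with, authorization, Content-Type, *',
};
const ANSWER = {
  'access-control-allow-origin': 'http://localhost:4200',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, OPTIONS, PUT, PATCH, DELETE',
  'access-control-allow-headers': '*',
};
// Hypothetical variant: name the request headers explicitly instead of "*".
const EXPLICIT = { ...ANSWER, 'access-control-allow-headers': 'content-type, x-requested-with' };
const JSON_POST = { 'content-type': 'application/json' };
```

The model does not cover the preflight's status code: the OPTIONS request carries no cookie and must itself receive a 2xx response, so the server has to answer it without requiring an authenticated session.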
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/43038276
