My Spring configuration is deployed on a Tomcat server.

    @Configuration
    @EnableWebMvc
    public class WebConfig extends WebMvcConfigurerAdapter {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**")
                .allowedOrigins("*")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedHeaders("Json-View","X-PINGOTHER","Content-Type","X-Requested-With","Accept","Origin",
                    "Access-Control-Request-Method","Access-Control-Request-Headers","Authorization")
                .allowCredentials(false) //or true
                .maxAge(3600);
        }
    }

For all requests to my API, the server returns the 'Access-Control-Allow-Origin' header and everything works. However, there is a problem with the authorization request to the address '/oauth/token': authorization is triggered, but the client cannot read the response because "No 'Access-Control-Allow-Origin' header is present on the requested resource". This is probably a configuration problem in the Spring framework.

GENERAL
Request URL: http://localhost:8080/oauth/token
Request Method: POST
Status Code: 200
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS
Cache-Control: no-store
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Tue, 10 Apr 2018 17:20:34 GMT
Expires: 0
Pragma: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
REQUEST HEADERS
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: ru,en-US;q=0.9,en;q=0.8
Connection: keep-alive
Content-Length: 85
Content-Type: application/x-www-form-urlencoded
Host: localhost:8080
Origin: http://localhost:8081
Referer: http://localhost:8081/
Save-Data: on
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
FORM DATA
username: user
password: qwe
grant_type: password
client_id: web
client_secret: web

Chrome console error:

Failed to load http://localhost:8080/oauth/token: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8081' is therefore not allowed access.

What is wrong here? Why does Spring Security not return the 'Access-Control-Allow-Origin' header for the '/oauth/token' request? The Spring version is 5.0.4, the latest version at the moment.

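Posted on 2018-04-19 11:06:21

The only solution I found for the URL /oauth/token is to register a custom filter in the overridden onStartup method of AbstractAnnotationConfigDispatcherServletInitializer, which makes it possible to register the filter before the security filters.
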
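    override fun onStartup(servletContext: ServletContext) {
        super.onStartup(servletContext)
        // Kotlin needs ::class.java to pass a Java Class reference
        val corsFilterReg = servletContext.addFilter("CORSFilter", CORSFilter::class.java)
        // isMatchAfter = false places this mapping ahead of mappings declared elsewhere
        corsFilterReg.addMappingForUrlPatterns(null, false, "/*")
    }

And the CORSFilter:
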
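    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.http.HttpMethod;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class CORSFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            // Path relative to the context root, so the check also works under a non-root context path
            String path = req.getRequestURI().substring(req.getContextPath().length());
            if ("/oauth/token".equals(path)) {
                res.addHeader("Access-Control-Allow-Origin", "*");
                res.addHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
                res.addHeader("Access-Control-Max-Age", "3600");
                res.addHeader("Access-Control-Allow-Headers", "X-PINGOTHER,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization");
                if (HttpMethod.OPTIONS.name().equals(req.getMethod())) {
                    // Answer the preflight here so it never reaches the security filters
                    res.setStatus(HttpServletResponse.SC_OK);
                } else {
                    chain.doFilter(req, res);
                }
            } else {
                chain.doFilter(req, res);
            }
        }
    }

This example serves as a supplement to addCorsMappings, or to similar standard ways of enabling CORS in a Spring application, such as http.cors().
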
https://stackoverflow.com/questions/49759787
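
A stricter variant of the filter above, as an added example that is not part of the original question or answer: instead of sending `Access-Control-Allow-Origin: *` for `/oauth/token`, it echoes the request's `Origin` only when that origin is on an allowlist. The class name `TokenCorsFilter`, the allowlist content (the client origin shown in the question's request headers) and the allowed request headers are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class; register it in onStartup the same way as CORSFilter.
public class TokenCorsFilter extends OncePerRequestFilter {

    // Assumed allowlist: the browser client origin from the question's request.
    private static final Set<String> ALLOWED_ORIGINS =
            Collections.singleton("http://localhost:8081");

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        String origin = req.getHeader("Origin");
        if (!"/oauth/token".equals(path) || origin == null) {
            chain.doFilter(req, res);   // other paths, or no Origin header: untouched
            return;
        }
        // The response now varies by Origin, so caches must key on it.
        res.addHeader("Vary", "Origin");
        boolean allowed = ALLOWED_ORIGINS.contains(origin);
        if (allowed) {
            res.setHeader("Access-Control-Allow-Origin", origin);
        }
        boolean preflight = "OPTIONS".equals(req.getMethod())
                && req.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            if (allowed) {
                res.setHeader("Access-Control-Allow-Methods", "POST");
                res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
                res.setHeader("Access-Control-Max-Age", "3600");
            }
            // Answered here, so the preflight never reaches the security filters.
            res.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        // Unlisted origin: no CORS headers, so the browser withholds the response
        // from the calling page. The request itself is still processed.
        chain.doFilter(req, res);
    }
}
```

CORS headers only control what a browser exposes to the calling page; the token endpoint's own client authentication still decides whether a token is issued.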