Spring Security Logout不适用于Spring 4 CORS
最近我在 Spring 4 中尝试了新的内置 CORS-Support 。这个功能很棒,我想在我的 Spring Boot / AngularJS 应用程序中实现它。
Recently I tried the new built-in CORS-Support in Spring 4. This feature is great and I want to implement this in my Spring Boot / AngularJS application.
所有请求都正常但我无法注销我的用户,因为
OPTIONS
-Request to/ logout
由 Spring Security 处理。
All request works fine but I can't logout my user because the
OPTIONS
-Request to/logout
is handled by Spring Security.
是否可以在 Spring之前处理 OPTIONS
-Request安全性或者我应该在 LogoutSuccessHandler
中附加 CORS-Headers ?
Is it possible to handle the OPTIONS
-Request before Spring Security or should I attach CORS-Headers in LogoutSuccessHandler
?
使用Spring Security时,建议使用 CorsFilter 。您需要确保在Spring Security的 FilterChainProxy
之前订购 CorsFilter
。
When working with Spring Security, it is recommended to use CorsFilter. You will want to ensure that you order the CorsFilter
before Spring Security's FilterChainProxy
.
您可以参考 Spring Data Rest and Cors 有关使用 CorsFilter
的详细信息。对于此问题,您可能只希望注册注销URL。例如:
You can refer to Spring Data Rest and Cors for details on using CorsFilter
. For this issue, the difference is likely that you want to register only for the logout URL. For example:
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true); // you USUALLY want this
// likely you should limit this to specific origins
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("GET");
config.addAllowedMethod("POST");
config.addAllowedMethod("PUT");
source.registerCorsConfiguration("/logout", config);
return new CorsFilter(source);
}