个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
24
4
在我的演示应用程序中,我遇到了一个问题,即我没有收到从 Angular 客户端添加到我的 Spring 引导服务器的请求 header 。作为安全措施,我有 SSL(安全套接字层)和 CORS(跨源资源共享)配置。在我的应用程序中,CSRF(跨站点请求伪造)被禁用。我使用JWT(JSON Wen Token)作为每个请求的用户认证机制。这就是我需要从 header 中提取 JWT key 的地方。我将从我的应用程序中添加代码示例,请帮助我找出问题。
Angular 拦截器
import { Injectable } from '@angular/core';
import { HttpEvent, HttpInterceptor, HttpResponse, HttpHandler, HttpRequest, HttpHeaders } from '@angular/common/http';
import { UserService } from './user.service';
import { Observable } from 'rxjs';
/*Interceptor
Often you’ll want to intercept HTTP requests or responses before they’re handled else where in the application*/
@Injectable({
providedIn: 'root'
})
export class InterceptorService implements HttpInterceptor {
/**
* Constructor of InterceptorService.
* @param userService UserService
*/
constructor(private userService: UserService) { }
/**
* Responsible for intercepting requests.
* Responsible for adding 'Authorization' header with JWT (Json Web Token).
* @param theRequest HttpRequest<any>
* @param handler HttpHandler
*/
intercept(theRequest: HttpRequest<any>, handler: HttpHandler): Observable<HttpEvent<any>> {
debugger;
const jwtKey = this.userService.getJwtString();
const authReq = theRequest.clone({
headers: new HttpHeaders({
'Content-Type': 'application/json',
'Authorization': `Bearer ${jwtKey}`
})
});
console.log('Intercepted HTTP call', authReq);
return handler.handle(authReq);
}
}
Angular 用户服务
import { Injectable } from '@angular/core';
import { HttpClient, HttpHeaders, HttpParams } from '@angular/common/http';
import { Router } from '@angular/router';
import { AuthenticationConfigurationService } from './authentication-configuration.service';
import { User, AuthenticationResponse } from './data';
//Service for users
@Injectable({
providedIn: 'root'
})
export class UserService {
//Attributes
private jwtString: string = ''; //JWT (Jason Web Token)
private isUserLoggedIn = false;
/**
* Constructor of UserService.
* @param router Router
* @param httpClient HttpClient
*/
constructor(private router: Router, private httpClient: HttpClient) { }
/**
* Executes upon user login.
* @param theUser User
*/
login(theUser: User) {
const httpOptions = { headers: new HttpHeaders({ 'Content-Type': 'application/json' }) };
this.httpClient.post(AuthenticationConfigurationService.getAuthenticationURL('authenticationURL') + '/getjwt', theUser, httpOptions)
.subscribe((response: AuthenticationResponse) => {
this.jwtString = response.jwt;
this.isUserLoggedIn = true;
});
}
/**
* Executes upon user logout.
*/
logout() {;
this.isUserLoggedIn = false;
this.jwtString = '';
this.navigateToLoginPage();
}
/**
* Responsible for returning the JWT (Json Web Token) string.
* @returns string
*/
getJwtString(): string {
return this.jwtString;
}
/**
* Responsible for returning whether the user is logged-in.
* @returns boolean
*/
userLoggedIn(): boolean {
return this.isUserLoggedIn;
}
/**
* Navigate to the login page.
*/
private navigateToLoginPage() {
this.router.navigateByUrl('/login');
}
}
Spring Boot 安全性
package com.example.LibraryServer.Security;
import com.example.LibraryServer.Filter.Security.JwtRequestFilter;
import com.example.LibraryServer.Services.LibraryUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.Arrays;
/**
* Class responsible for security configurations.
*/
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//Attributes
private final LibraryUserDetailsService libraryUserDetailsService;
private final JwtRequestFilter jwtRequestFilter;
/**
* Constructor of SecurityConfig.
* @param theLibraryUserDetailsService LibraryUserDetailsService
* @param theJwtRequestFilter JwtRequestFilter
*/
@Autowired
public SecurityConfig(LibraryUserDetailsService theLibraryUserDetailsService, JwtRequestFilter theJwtRequestFilter) {
this.libraryUserDetailsService = theLibraryUserDetailsService;
this.jwtRequestFilter = theJwtRequestFilter;
}
/**
* Responsible for user security configuration.
* Overridden from WebSecurityConfigurerAdapter level.
* @param theHttpSecurity HttpSecurity
* @throws Exception - Exception upon security configuration.
*/
@Override
protected void configure(HttpSecurity theHttpSecurity) throws Exception {
//theHttpSecurity.authorizeRequests()
//.antMatchers("/**").access("permitAll") //Allow all paths
/*.and().cors()*/
//.and().csrf().disable(); //Allow all requests - CSRF (Cross-Site Request Forgery)
theHttpSecurity.csrf().disable() //Allow all requests - CSRF (Cross-Site Request Forgery)
.authorizeRequests().antMatchers("/authenticate/**").access("permitAll") //Allow all paths
.anyRequest().authenticated() //All other paths need authentication
/*Inform spring security not to manage sessions.
All requests will be filtered via 'JwtRequestFilter' with JWT and does not need sessions.*/
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
//Inform spring security about the filter 'JwtRequestFilter' for username and password authentication.
theHttpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
/**
* Responsible for configuring user-store.
* Overridden from WebSecurityConfigurerAdapter level.
* @param theAuthentication AuthenticationManagerBuilder
* @throws Exception - Exception upon user store creation.
*/
@Override
public void configure(AuthenticationManagerBuilder theAuthentication) throws Exception {
//theAuthentication.inMemoryAuthentication()
//.withUser("sankalpa")
//.password("{noop}123")
//.authorities("ROLE_USER");
theAuthentication.userDetailsService(libraryUserDetailsService);
}
/**
* Method constructing AuthenticationManager bean.
* This method is needed since AuthenticationManager is being used in 'HelloController'.
* Therefore this bean should be in spring application context.
* Overridden from WebSecurityConfigurerAdapter level.
* @return AuthenticationManager
* @throws Exception - Exception upon execution.
*/
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
/**
* Method constructing a password encoder bean.
* Constructs 'NoOpPasswordEncoder'.
* @return PasswordEncoder
*/
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
Spring boot CORS配置类
package com.example.LibraryServer.CORS;
import org.jetbrains.annotations.NotNull;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
/**
* Configuration class which is responsible for handling CORS.
* Cross-Origin Resource Sharing (CORS) configuration class.
*/
@Configuration
public class CorsConfiguration implements WebMvcConfigurer {
/**
* Responsible for CORS mapping.
* Overridden from WebMvcConfigurer level.
* @param theRegistry CorsRegistry
*/
@Override
public void addCorsMappings(@NotNull CorsRegistry theRegistry) {
//End points
var authorizedEndpoints = new String[] {
"/book/**",
"/author/**",
"/authenticate/**"
};
//Add mapping
for (var endPoint : authorizedEndpoints) {
theRegistry.addMapping(endPoint)
.allowedOrigins("http://localhost:4200")
.allowedMethods("*") //"HEAD", "GET", "PUT", "POST", "DELETE", "PATCH"
.allowedHeaders("*")
.allowCredentials(true)
.exposedHeaders("Authorization");
}
}
}
Spring 启动过滤器
package com.example.LibraryServer.Filter.Security;
import com.example.LibraryServer.Services.LibraryUserDetailsService;
import com.example.LibraryServer.Uilities.JsonWebTokenUtility;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* Filter class for intercepting all the requests and validate with JWT (Jason Web Token).
*/
@Slf4j
@Component
public class JwtRequestFilter extends OncePerRequestFilter {
//Attributes
private final LibraryUserDetailsService libraryUserDetailsService;
private final JsonWebTokenUtility jsonWebTokenUtility;
/**
* Constructor of JwtRequestFilter.
* @param theLibraryUserDetailsService LibraryUserDetailsService
* @param theJsonWebTokenUtility JsonWebTokenUtility
*/
@Autowired
public JwtRequestFilter(LibraryUserDetailsService theLibraryUserDetailsService, JsonWebTokenUtility theJsonWebTokenUtility) {
this.libraryUserDetailsService = theLibraryUserDetailsService;
this.jsonWebTokenUtility = theJsonWebTokenUtility;
}
/**
* Responsible for intercepting the request via filter and do the validations and needful with JWT.
* Overridden from OncePerRequestFilter level.
* @param theRequest HttpServletRequest
* @param theResponse HttpServletResponse
* @param theChain FilterChain
* @throws ServletException - Exception upon execution.
* @throws IOException - Exception upon execution.
*/
@Override
protected void doFilterInternal(HttpServletRequest theRequest, HttpServletResponse theResponse, FilterChain theChain)
throws ServletException, IOException {
printLog("doFilterInternal() -> Executed");
//Get the 'Authorization' from the request header. JWT is suppose to send in request header under 'Authorization'.
final String authorizationHeader = theRequest.getHeader("Authorization");
//Method local attributes
String username = null;
String jwt = null;
//Get the JWT String and username out from 'authorizationHeader'
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
printLog("doFilterInternal() -> Extracting the JWT token from the authorization header");
jwt = authorizationHeader.substring(7);
username = jsonWebTokenUtility.extractUserName(jwt);
}
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
printLog("doFilterInternal() -> User name found: " + username + " and there is no current logged-in user");
//If the username is not null and there is no current user authenticated
//Get the user from user details service
UserDetails userDetails = this.libraryUserDetailsService.loadUserByUsername(username);
if (jsonWebTokenUtility.validateToken(jwt, userDetails)) {
printLog("doFilterInternal() -> Load user for the username: " + userDetails.getUsername() +
" and validated the JWT successfully");
//Validating user with the JWT String is successful
//Create token
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
printLog("doFilterInternal() -> Created 'UsernamePasswordAuthenticationToken'");
//Set the information to the token
usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(theRequest));
printLog("doFilterInternal() -> Set details to the 'UsernamePasswordAuthenticationToken'");
//Set the authorized user to the context
SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
printLog("doFilterInternal() -> Set 'UsernamePasswordAuthenticationToken' to the 'SecurityContextHolder'");
}
}
//Continue the chain
printLog("doFilterInternal() -> Continue the chain...");
theChain.doFilter(theRequest, theResponse);
}
/**
* Responsible for printing main log messages to the console.
* @param theLogMessage String
*/
private void printLog(String theLogMessage) {
log.info("JwtRequestFilter: " + theLogMessage);
}
}
在上面的过滤器中,我想从 header 中获取“授权”,但请求根本没有 header 。当我通过 postman 做同样的事情时,它工作得很好。当我通过 Angular 客户端执行此操作时会发生这种情况。
调试 
最佳答案
遇到了同样的问题。在我的例子中,我在预检调用中遇到了 cors 错误。如下添加 http.cors() 解决了我的问题。
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().cacheControl();
http.csrf().disable()
.authorizeRequests()
.....;
http.cors();
}
}
关于java - Spring boot 不接收从 Angular 客户端添加的请求 header ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/68205837/
24
4
0
我正在尝试在项目中学习和添加 Angular 国际化。我只能理解 Angular 文档 (https://angular.io/guide/i18n-overview) 的编译时翻译。 我需要这样的东
在我的 Angular 应用程序中,基于登录用户,我想通过显示/隐藏不同的菜单项或允许/禁止某些路由来授予或限制功能。 目前成功登录后,我的 .NET Core API 会返回一个 JWT token
我是 Angular 的新手,目前我已经看过 angular.io 网站提供的一些示例。但是在component decorator在文档中的解释,它指出 Angular components are
这里是service employee-service.service.ts的代码 import { Injectable } from '@angular/core'; import { HttpC
我目前正在使用@angular/http URLSearchParams 类来检索 URL 参数。在 Angular 5 中,注意到这已被弃用,但我没有看到以我当前使用的方式替换 URLSearchP
我目前正在使用@angular/http URLSearchParams 类来检索 URL 参数。在 Angular 5 中,注意到这已被弃用,但我没有看到以我当前使用的方式替换 URLSearchP
如何正确安装 PUG/JADE 到 Angular 2 或更高版本 这样在工作和 AOT 和 JiT 的同时 工作单元和集成测试 并且在创建每个新组件时不会受到太多影响 最佳答案 我看到了很多解决方案
我的 Angular 12 应用程序中有一些通用组件,我计划将其创建为一个 Angular 库,以便其他应用程序也可以使用它。我们有一些应用程序在较低版本的 angular(例如 angular 8/
tl;dr; ng build 删除了包含我编译的自定义库的/dist 文件夹。这会使我项目代码中对该库的所有引用无效,从而导致 ng build 最终失败。我做错了什么? 我关注了documenta
我正在将一些“遗留”(非 typescript )js 库导入到我的 Angular SPA 中。 通常我只是从 cdn 添加一个负载到 index.html 就像: 在 Angular 分量中我只
我有这个 angular 应用程序,它基本上使用了库的概念。 我有 2 个名为 的库Lib1 和 lib2 根据他们所服务的微服务分组。 现在我将这些库导入主应用程序,即 应用1 事情一直到现在。 现
我在我的项目中启用了 angular Universal。我现在想完全删除它。我试图删除以下文件 /server.ts /webpack.server.config.js /src/tsconfig.
我已经有一个 AuthService 在登录时对用户进行身份验证,并且 AuthGuard 在未登录的情况下阻止访问。 某些页面我通过 UserProfile/Role 限制访问,但现在我需要阻止页面
我正在尝试使用 angular、TypeORM、SQLite 和其他组件作为 webpack 构建 Electron 应用程序。 我从在 GitHub 上找到的示例开始我的开发:https://git
我在从 Angular 8 更新到 9 并运行时遇到以下错误 ng 更新@angular/material: Package "@angular/flex-layout" has an incompa
我正在尝试使用 Angular 9,我想创建一个项目,然后创建一个库项目并开始向其中添加我想稍后在 GitHub 上发布的通用模块,并在我的本地使用这些库项目。 相关依赖如下: Angular CLI
我正在尝试使用 Angular 9,我想创建一个项目,然后创建一个库项目并开始向其中添加我想稍后在 GitHub 上发布的通用模块,并在我的本地使用这些库项目。 相关依赖如下: Angular CLI
我正在我的 h1 元素“之前”创建一个小的程式化三 Angular 形图案,但我无法正确地圆 Angular 。右上角没问题,但其他两个有剪裁问题。 这是输出以及形状的放大图像: 使用的代码如下: h
我有一个 Angular 元素,带有自定义标记名 - fancy-button。如何将 fancy-button 嵌入 Angular 应用程序? 我已经尝试了以下方法,但都没有用 - 在 index
我已将我的项目从 angular 5.2.9 升级到 angular 6.0.0-rc.5。 除了包路径中的几个快速 RxJS 修复外,一切看起来都不错。(此链接非常有用:Want to upgrad
我是一名优秀的程序员,十分优秀!