cors java 安全问题_解决spring security与corsFilter冲突的问题

最新推荐文章于 2024-06-11 09:48:54 发布
最新推荐文章于 2024-06-11 09:48:54 发布
阅读量712 收藏
点赞数 1
文章标签: cors java 安全问题
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_32515143/article/details/112923853
版权

在spring mvc项目中,使用了corsFilter进行跨域配置,相关代码如下:

@Bean

public FilterRegistrationBean corsFilter() {

FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();

filterRegistrationBean.setFilter(new CorsFilter(configSource()));

return filterRegistrationBean;

}

@Bean

public CorsConfigurationSource configSource() {

UrlBasedCorsConfigurationSource configSource = new UrlBasedCorsConfigurationSource();

configSource.registerCorsConfiguration("/**", corsConfig());

return configSource;

}

/**

* 跨域设置

*

* @return

*/

@Bean

public CorsConfiguration corsConfig() {

CorsConfiguration corsConfig = new CorsConfiguration();

List allowedHeaders = Arrays.asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");

List exposedHeaders = Arrays.asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");

List allowedMethods = Arrays.asList("POST", "GET", "DELETE", "PUT", "OPTIONS");

List allowedOrigins = Arrays.asList("*");

corsConfig.setAllowedHeaders(allowedHeaders);

corsConfig.setAllowedMethods(allowedMethods);

corsConfig.setAllowedOrigins(allowedOrigins);

corsConfig.setExposedHeaders(exposedHeaders);

corsConfig.setMaxAge(36000L);

corsConfig.setAllowCredentials(true);

return corsConfig;

}

该代码一直运行正常,直到引入spring security后,系统就跑不起来,报错如下:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named 'corsFilter' is expected to be of type 'org.springframework.web.filter.CorsFilter' but was actually of type 'org.springframework.boot.web.servlet.FilterRegistrationBean'

at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1173) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1067) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:296) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867) ~[spring-context-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543) ~[spring-context-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]

at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]

at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]

at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]

at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]

at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]

at com.meicloud.mp.mac.SysAuthApplication.main(SysAuthApplication.java:20) ~[classes/:na]

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_25]

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_25]

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_25]

at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_25]

at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) ~[spring-boot-devtools-1.5.9.RELEASE.jar:1.5.9.RELEASE]

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named 'corsFilter' is expected to be of type 'org.springframework.web.filter.CorsFilter' but was actually of type 'org.springframework.boot.web.servlet.FilterRegistrationBean'

at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

... 25 common frames omitted

Caused by: org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named 'corsFilter' is expected to be of type 'org.springframework.web.filter.CorsFilter' but was actually of type 'org.springframework.boot.web.servlet.FilterRegistrationBean'

at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:378) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1086) ~[spring-context-4.3.13.RELEASE.jar:4.3.13.RELEASE]

at org.springframework.security.config.annotation.web.configurers.CorsConfigurer.getCorsFilter(CorsConfigurer.java:82) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.3.RELEASE]

at org.springframework.security.config.annotation.web.configurers.CorsConfigurer.configure(CorsConfigurer.java:65) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.3.RELEASE]

at org.springframework.security.config.annotation.web.configurers.CorsConfigurer.configure(CorsConfigurer.java:38) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.3.RELEASE]

at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:384) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.3.RELEASE]

at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:330) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.3.RELEASE]

at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:41) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.3.RELEASE]

at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:290) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.3.RELEASE]

at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:77) ~[spring-security-config-4.2.3.RELEASE.jar:4.2.

经查,是CorsFilter与spring security有冲突

将原来的配置去掉,改成filter,如下:

@Component

@Order(Ordered.HIGHEST_PRECEDENCE)

public class AjaxCorsFilter extends CorsFilter {

public AjaxCorsFilter() {

super(configurationSource());

}

private static UrlBasedCorsConfigurationSource configurationSource() {

CorsConfiguration corsConfig = new CorsConfiguration();

List allowedHeaders = Arrays.asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");

List exposedHeaders = Arrays.asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");

List allowedMethods = Arrays.asList("POST", "GET", "DELETE", "PUT", "OPTIONS");

List allowedOrigins = Arrays.asList("*");

corsConfig.setAllowedHeaders(allowedHeaders);

corsConfig.setAllowedMethods(allowedMethods);

corsConfig.setAllowedOrigins(allowedOrigins);

corsConfig.setExposedHeaders(exposedHeaders);

corsConfig.setMaxAge(36000L);

corsConfig.setAllowCredentials(true);

UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

source.registerCorsConfiguration("/**", corsConfig);

return source;

}

}

修改后,代码正常,过滤器能正常调用

黍篱
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
cors-filter-1.7.jar spring解决跨域问题 java
04-20
本篇将详细讲解如何利用Spring解决跨域问题,以及如何使用`cors-filter-1.7.jar`和`java-property-utils-1.9.1.jar`这两个库来辅助实现。 一、Spring解决跨域问题的基本原理 1. CORS定义:跨域是指浏览器遵循同源...
java服务器端解决跨域问题共6页.pdf.zip
10-28
Java服务器端解决跨域问题是一项常见的任务,尤其是在开发Web应用时。跨域是由于浏览器的安全策略,即同源策略(Same-Origin Policy)所引起的。同源策略限制了来自不同源的HTTP请求,防止恶意网站通过JavaScript...
SpringBoot在使用SpringSecurity时,配置跨域过滤器CorsFilter不生效分析解决
qq_43073162的博客
02-10 5950
且this类型为FilterRegistrationBean,进入FilterRegistrationBean的getFilter()方法,返回为this.filter,查找filter的赋值操作setFilter()查看CorsFilter类可以知道跨域逻辑主要在以下doFilterInternal()方法执行,在此方法添加断点,debug执行,发送请求时未执行此方法,由此判断CorsFilter未执行过滤逻辑。
SpringSecurity - 启动流程分析(九)- CorsFilter 过滤器
业精于勤荒于嬉
08-21 904
SpringSecurity - 启动流程分析(九)- CorsFilter 过滤器
关于Spring SecurityCORS
最新发布
寻码启示
06-11 1294
跨域请求,同源安全策略,报错No 'Access-Control-Allow-Origin' header is present on the requested resource,解决方法,处理方法。
解决spring securitycorsFilter冲突问题
Afox4l的博客
04-11 8264
问题: 在springboot项目中,使用了corsFilter进行跨域处理,相关代码配置如下: @Configuration public class MyConfiguration { @Bean public FilterRegistrationBean corsFilter() { UrlBasedCorsConfigurationSource source...
网关配置类
weixin_45873488的博客
08-27 191
网关配置类config配置类 config配置类 import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.reactive.CorsWebFilter; imp
springboot 解决跨域问题
PurineKing之博客
01-30 1871
springboot跨域
Java_Spring安全JWT角色常规CORS教程.zip
05-22
Java Spring 安全教程主要涉及了使用JSON Web Token (JWT)进行身份验证和授权,以及处理跨源资源共享(CORS)的常规方法。JWT是一种轻量级的身份验证机制,广泛应用于前后端分离的Web应用程序中。Spring框架提供了强大...
CORS算法.zip_CORS 寻优_algorithm_cors
09-24
它的核心思想是在解决约束优化问题时,通过随机生成的解来寻找满足约束条件的最优解。CORS算法的主要优点是计算量相对较小,适合处理具有复杂约束条件的优化问题。 在"AL_main.m"中,很可能是整个CORS算法的主程序...
由过滤器放行引出的,关于spring mvc与spring security的过滤器冲突问题
weixin_44512485的博客
03-13 150
此时如果再将此Filter Bean注入Spring Security的过滤器链的话,就造成了过滤器的重复执行,由此会导致很多的问题,比如过滤器的假放行。Spring MVC在IoC容器启动时会自动检查继承了Filter接口的Bean,并将它添加入Spring MVC的过滤器链。
跨域(CORS问题分析与解决方案
weixin_40222901的博客
10-16 2843
CORS问题分析与解决方案
CorsWebFilter解决跨域,OncePerRequestFilter实现登录校验
meser88的博客
04-29 2079
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.reactive.CorsWebFilter; import org.springframework..
同源策略与跨域问题解决
weixin_41109511的博客
11-25 215
同源策略与跨域问题解决 一、同源策略 同源指的是"三个相同" 协议相同 域名相同 端口相同 如果两个页面的协议,端口(如果有指定)和域名都相同,则两个页面具有相同的源。 举个例子: 下表给出了相对http://a.bbb.com/dir/page.html同源检测的示例: URL 结果 原因 http://a.bbb.com/dir2/other.ht...
SpringSecurity学习笔记(十一)CSRF攻击以及CORS跨域
怕什么真理无穷,进一寸有一寸的欢喜。即使开了一辆老掉牙的破车,只要在前行就好,偶尔吹点小风,这就是幸
10-09 1204
什么是CSRFCSRF:跨站请求伪造。也可称为一站式攻击。也可写作XSRF。按照字面意思来理解,跨站请求伪造,意思就是说用户登录了A网站之后,会话没有过期,然后登录了B网站,这个时候B网站中的请求访问了A网站,这个时候A网站就会认为是合法的用户的请求,这个时候用户是无感知的,从而导致用户在A网站的账户出现安全问题。特别是在一些银行之类的网站上如果受到这种攻击,造成的损失是致命的。CSRF防御。
Error creating bean with name报错
热门推荐
qq_43511320的博客
03-10 1万+
Error creating bean with name问题另解
springboot中注入FilterRegistrationBean不生效原因
凌大大的博客
04-02 4745
springboot中注入FilterRegistrationBean不生效原因 回顾   最近自定义了两个过滤器,接口请求返回加密和sql注入处理过滤器,因为在封装一些工具包,我在单独调好之后,就打算做成一个注解,像springboot启动类上加@EnableScheduling一样,可以随意控制,当我不想让这俩过滤器生效的时候,那就不加这个注解就可以了。   当然我想到了FilterRegistrationBean的使用方法,注入这两个过滤器。   但是当我写完之后,打成包之后,发现只有sql注入过滤器
Spring 50例常见错误(十二)
weixin_44513658的博客
06-19 498
Spring 50例常见错误 案例31-32,案例31:标注了 @WebFilter 过滤器无法简单注入;案例 32:Filter 中多次执行 doFilter()
springboot项目中使用filter无法注入bean采坑
loveForever_xiang的博客
09-24 9358
springboot项目中使用filter采坑1. 问题:使用@WebFilter无法注入bean2. springboot中创建filter方式1.1 @WebFilter注解1.2 使用FilterRegistrationBean方式1.3 使用DelegatingFilterProxyRegistrationBean方式1.4 将自定义Filter声明为bean,Spring初始化时自动...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值