How to resolve an Angular XSRF controller response of null
I'm not quite sure how to debug this further. I implemented a template for the web service and the presentation layer based on what I found online. That said, the implementation is not working as expected. All I'm trying to do is send the login credentials to the backend, which will consume them and save the data to the database. Now, although it never reaches the controller, it does reach Spring Security's filters, but the response I get is null. If I don't load the Spring Security package into the application, everything works as expected. I'm confused as to why I'm getting a null response. None of my filters return null. I suspect it comes from Spring Security, but no error is logged to the console to help.
Tech stack:
Presentation layer: Angular 8
Web service: Spring Boot
Presentation layer
login(url: string, credentials: FormGroup): any {
    return this.httpClient.post(url, null)
        .pipe(catchError(this.errorHandler));
}
HTTP interceptor
import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpHeaders, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs';
import { CookieService } from 'ngx-cookie-service'; // assumed: the question does not say which CookieService is used

@Injectable()
export class XsrfInterceptor implements HttpInterceptor { // class name assumed; not given in the question
    constructor(private cookieService: CookieService) { }

    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        let newHeaders: HttpHeaders = req.headers;
        // CookieService.get() returns '' (not null/undefined) when the cookie is absent, so test truthiness
        const xsrfToken = this.cookieService.get("XSRF-TOKEN");
        if (xsrfToken) {
            newHeaders = newHeaders.append("X-XSRF-TOKEN", xsrfToken);
        } else {
            // placeholder sent before any XSRF-TOKEN cookie has been issued; CSRF-protected paths will reject it
            newHeaders = newHeaders.append("X-XSRF-TOKEN", "UNKN0WNT0K3N");
        }
        newHeaders = newHeaders.append("Cache-control", "no-cache,no-store,must-revalidate");
        newHeaders = newHeaders.append("Pragma", "no-cache");
        newHeaders = newHeaders.append("Expires", "0");
        // withCredentials is required for the browser to send the session and XSRF cookies cross-origin
        const authRequest = req.clone({ headers: newHeaders, withCredentials: true });
        return next.handle(authRequest);
    }
}
Web security configuration
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // CSRF checks are applied only to requests matching these patterns; all other paths skip the CsrfFilter
    private final RequestMatcher csrfRequestMatcher = new RequestMatcher() {
        private final AntPathRequestMatcher[] requestMatchers = {
            new AntPathRequestMatcher("/admin/**")
        };

        @Override
        public boolean matches(HttpServletRequest servletRequest) {
            for (AntPathRequestMatcher rm : requestMatchers) {
                if (rm.matches(servletRequest)) {
                    return true;
                }
            }
            return false;
        }
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .requireCsrfProtectionMatcher(csrfRequestMatcher)
                .csrfTokenRepository(csrfTokenRepository())
                .and()
            .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
            .authorizeRequests()
                // note: this pattern matches only "/login"; the controller below maps "/account/portal/login"
                .antMatchers("/login").permitAll()
                .and()
            .logout()
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll();
    }

    private CookieCsrfTokenRepository csrfTokenRepository() {
        CookieCsrfTokenRepository cookieRepository = new CookieCsrfTokenRepository();
        cookieRepository.setHeaderName("X-XSRF-TOKEN");
        cookieRepository.setCookieName("XSRF-TOKEN");
        cookieRepository.setCookiePath("/");
        // HttpOnly must be false so the Angular interceptor can read the cookie and echo it in the header
        cookieRepository.setCookieHttpOnly(false);
        return cookieRepository;
    }
}
Standard CSRF cookie class
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

public class CsrfHeaderFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
        // The CsrfFilter stores the current token as a request attribute keyed by the CsrfToken class name
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (csrf != null) {
            Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
            String token = csrf.getToken();
            // (Re)issue the cookie when it is missing or out of date with respect to the current token
            if (cookie == null || (token != null && !token.equals(cookie.getValue()))) {
                cookie = new Cookie("XSRF-TOKEN", token);
                cookie.setPath("/");
                response.addCookie(cookie);
            }
        }
        chain.doFilter(request, response);
    }
}
CORS headers class
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class CorsHeaders extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest servletRequest, HttpServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        String header = servletRequest.getHeader("Origin");
        if (header != null && !header.isEmpty()) {
            // Reflecting any Origin together with Allow-Credentials: true lets every site make credentialed requests; restrict this to an allow-list
            servletResponse.addHeader("Access-Control-Allow-Origin", header);
            servletResponse.addHeader("Access-Control-Allow-Methods", "GET,POST,PUT,OPTIONS,DELETE");
            servletResponse.addHeader("Access-Control-Allow-Credentials", "true");
            servletResponse.addHeader("Access-Control-Allow-Headers", "Pragma,cache-control,expires,Content-Type,x-xsrf-token,xsrf-token");
        }
        // Continue the chain; without this call the request stops in this filter and the response body stays empty
        filterChain.doFilter(servletRequest, servletResponse);
    }
}
For completeness: the login URI method
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
@CrossOrigin(origins = "*", maxAge = 3600)
@RequestMapping(path = "/account/portal")
public class AccountController {
    // ... (fields such as user and managementService are elided in the question)

    @PostMapping(path = "/login")
    public @ResponseBody boolean login() {
        if (user != null && !user.getUsername().equals("") && !user.getPassword().equals(""))
            return managementService.loginUser(user.getUsername());
        return false;
    }

    // ...
}
Let me know what else you need to better understand my problem.
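As an added example (not part of the question, of Angular or of Spring Security), here is a small TypeScript model of the double-submit cookie handshake that the CookieCsrfTokenRepository and the interceptor above implement, with the request matcher limited to /admin/** as in the configuration. Names such as issueCsrfCookie, csrfFilter and exchange are assumed; the point it makes is that a POST to /account/portal/login is never CSRF-checked under this matcher, so a rejected token does not explain a null response on that path, while a missing cookie does produce a 403 on the protected paths.

```typescript
// Added illustration, not code from the question: a minimal model of the
// double-submit-cookie CSRF flow the configuration above sets up.
// Function and type names below are assumed for the illustration.
import { randomBytes, timingSafeEqual } from "crypto";

type CookieJar = Record<string, string>;
interface CsrfRequest { method: string; path: string; headers: Record<string, string>; cookies: CookieJar; }

// Mirrors requireCsrfProtectionMatcher(csrfRequestMatcher): only /admin/** is checked.
const csrfProtectedPaths = [/^\/admin\/.*/];
function requiresCsrf(req: CsrfRequest): boolean {
  return csrfProtectedPaths.some((p) => p.test(req.path));
}

// Server side: what CookieCsrfTokenRepository issues (HttpOnly=false so the interceptor can read it).
function issueCsrfCookie(): { name: string; value: string; httpOnly: boolean; path: string } {
  return { name: "XSRF-TOKEN", value: randomBytes(16).toString("hex"), httpOnly: false, path: "/" };
}

// Client side: the interceptor's behaviour, including the placeholder when no cookie exists yet.
function buildClientHeaders(jar: CookieJar): Record<string, string> {
  const token = jar["XSRF-TOKEN"];
  return { "X-XSRF-TOKEN": token ? token : "UNKN0WNT0K3N" };
}

// Server side: the comparison CsrfFilter performs on matched requests (403 on mismatch).
function csrfFilter(req: CsrfRequest): number {
  if (!requiresCsrf(req)) return 200;
  const expected = req.cookies["XSRF-TOKEN"];
  const actual = req.headers["X-XSRF-TOKEN"];
  if (!expected || !actual || expected.length !== actual.length) return 403;
  return timingSafeEqual(Buffer.from(expected), Buffer.from(actual)) ? 200 : 403;
}

// Full exchange: a client holding the given cookie jar POSTs to a path.
function exchange(path: string, jar: CookieJar): number {
  return csrfFilter({ method: "POST", path, headers: buildClientHeaders(jar), cookies: jar });
}
```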