Disable Spring Security for OPTIONS Http Method

Front-end · unresolved · 6 · 2432
自闭症患者 2020-11-27 13:37

Is it possible to disable Spring Security for a type of HTTP Method?

We have a Spring REST application with services that require an Authorization token to be attached.

6 answers
  • 2020-11-27 14:12

    In some cases, it is necessary to add configuration.setAllowedHeaders(Arrays.asList("Content-Type")); to corsConfigurationSource() when using WebSecurityConfigurerAdapter to solve the CORS problem.

    0 Discussion (0)
  • 2020-11-27 14:22

    In case someone is looking for an easy solution using Spring Boot. Just add an additional bean:

       import java.util.ArrayList;
       import java.util.List;
       import org.springframework.boot.autoconfigure.security.IgnoredRequestCustomizer;
       import org.springframework.context.annotation.Bean;
       import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
       import org.springframework.security.web.util.matcher.OrRequestMatcher;
       import org.springframework.security.web.util.matcher.RequestMatcher;
       // Spring Boot 1.x: requests matched here bypass the security filter chain entirely
       @Bean
       public IgnoredRequestCustomizer optionsIgnoredRequestsCustomizer() {
          return configurer -> {
             List<RequestMatcher> matchers = new ArrayList<>();
             // match every path, but only the OPTIONS method
             matchers.add(new AntPathRequestMatcher("/**", "OPTIONS"));
             configurer.requestMatchers(new OrRequestMatcher(matchers));
          };
       }
    

    Please note that depending on your application this may open it for potential exploits.

    Opened issue for a better solution: https://github.com/spring-projects/spring-security/issues/4448

    0 Discussion (0)
  • 2020-11-27 14:25

    If you're using an annotation-based security config then you should add Spring's CorsFilter to the application context by calling .cors() in your config, something like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
        .csrf().disable()
        .authorizeRequests()
          .antMatchers("/resources/**").permitAll()
          .anyRequest().authenticated()
        .and()
        .formLogin()
        .and()
        .httpBasic()
        .and()
        .cors(); // registers CorsFilter ahead of the authentication filters; it answers preflight OPTIONS requests using the CorsConfigurationSource bean
    }
    
    0 Discussion (0)
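As an added example (not code from any of the answers above), the following class puts the pieces from the first three answers together in one Spring Security 5.x configuration: `.cors()` plus an explicit `CorsConfigurationSource` bean that whitelists the front-end origin and the `Authorization`/`Content-Type` headers, so preflight `OPTIONS` requests are answered by `CorsFilter` before authentication runs, and a narrow `permitAll()` on `OPTIONS` for the API path only, rather than ignoring every `OPTIONS` request for the whole application. The class name, the `/api/**` path and the `https://app.example.com` origin are assumptions; it assumes Java 11+ (for `List.of`) and a Spring Security version that still ships `WebSecurityConfigurerAdapter` (removed in 6.x).

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical config class written for this example; names and paths are placeholders.
@Configuration
@EnableWebSecurity
public class PreflightSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder front-end origin (assumption); never use "*" together with allowCredentials(true).
    private static final List<String> ALLOWED_ORIGINS = List.of("https://app.example.com");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // cors() inserts CorsFilter before the authentication filters. A browser
            // preflight (OPTIONS + Origin + Access-Control-Request-Method) is answered
            // there and never reaches the token check, so no security bypass is needed.
            .cors()
            .and()
            // Stateless token API: the browser does not attach the token automatically,
            // so CSRF protection adds nothing here.
            .csrf().disable()
            .authorizeRequests()
                // Defence in depth for non-preflight OPTIONS calls (e.g. from curl):
                // limit the exemption to the API prefix and to the OPTIONS method only.
                .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                // Everything else still requires a valid Authorization header.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    // Picked up by http.cors() because it is the CorsConfigurationSource bean in the context.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(ALLOWED_ORIGINS);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // The Authorization header must be listed or the browser refuses to send the token.
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        // Lets the browser cache the preflight result for an hour.
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```

The important difference from `web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**")` is that ignored requests skip the whole filter chain, including `CorsFilter` and the security headers filter, whereas `permitAll()` keeps those filters in place and only drops the authentication requirement.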
  • 2020-11-27 14:32

    Allow all OPTIONS in context:

        @Override
        public void configure(WebSecurity web) throws Exception {
            // every OPTIONS request, on any path, skips the security filter chain entirely
            web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
        }

    0 Discussion (0)
  • 2020-11-27 14:33

    If you're using an annotation-based security config file (@EnableWebSecurity & @Configuration) you can do something like the following in the configure() method to allow OPTIONS requests to be permitted by Spring Security without authentication for a given path:

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
        .csrf().disable()
        .authorizeRequests()
          .antMatchers(HttpMethod.OPTIONS, "/path/to/allow").permitAll() // allow CORS preflight (OPTIONS) calls on this path only
          .antMatchers("/resources/**").permitAll()
          .anyRequest().authenticated()
        .and()
        .formLogin()
        .and()
        .httpBasic();
    }

    0 Discussion (0)
  • 2020-11-27 14:36

    Have you tried this?

    You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method attribute to limit the match to a particular HTTP method (GET, POST, PUT etc.).

    <!-- use-expressions is required for access="isAuthenticated()" / hasRole(...) to be parsed as SpEL -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/client/edit" access="isAuthenticated()" method="GET" />
        <intercept-url pattern="/client/edit" access="hasRole('EDITOR')" method="POST" />
    </http>


    The above means you need to select the URL pattern to intercept and the methods you want.

    0 Discussion (0)