Problem description:

Some background: I have an existing application built in Spring MVC and html5/css/jquery. It is currently secured by spring security. The login form POSTs to /j_spring_security_check.action with the username and password and the cookie/JSESSIONID gets automatically set in the browser.

The issue: We are building a (hybrid) mobile app using ionic/Angular.js and I'm having trouble with simple authentication. Is there any way to mimic the behaviour in Angular?

I have tried the following piece of code without any luck - Spring security says the headers are invalid.

$http({
    method: 'POST',
    url: 'https://localhost:8080/j_spring_security_check.action',
    withCredentials: true,
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    data: '[email protected]&j_password=abc123',
})
.success(function(){})
.error(function(){});

It would be nice to be able to get spring security to recognize the user on each REST call so I would be able to use spring security annotations such as @Role etc...

Thanks!

User answer:

Add this to your code:

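import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

// Adds CORS response headers to every request and answers preflight (OPTIONS) requests itself.
public class CorsFilter extends OncePerRequestFilter {
    static final String ORIGIN = "Origin";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        // Debug output: the Origin header and HTTP method of each request.
        System.out.println(request.getHeader(ORIGIN));
        System.out.println(request.getMethod());
        if (request.getHeader(ORIGIN) == null) {
            // No Origin header on the request: wildcard origin, no credentials.
            response.addHeader("Access-Control-Allow-Origin", "*"); // * or origin, as you prefer
            response.addHeader("Access-Control-Allow-Credentials", "false");
            response.addHeader("Access-Control-Allow-Methods",
                    "GET, POST, PUT, DELETE");

            response.addHeader("Access-Control-Allow-Headers",
                    request.getHeader("Access-Control-Request-Headers"));
        } else {
            // Origin present: echo it back and allow credentials (cookies such as JSESSIONID).
            // Note: this trusts every origin; compare the header against the origins
            // you expect before echoing it.
            response.addHeader("Access-Control-Allow-Origin", request.getHeader(ORIGIN)); // * or origin, as you prefer
            response.addHeader("Access-Control-Allow-Credentials", "true");
            response.addHeader("Access-Control-Allow-Methods",
                    "GET, POST, PUT, DELETE");

            response.addHeader("Access-Control-Allow-Headers",
                    request.getHeader("Access-Control-Request-Headers"));
        }
        if (request.getMethod().equals("OPTIONS")) {
            // Preflight request: reply directly and do not pass it down the filter chain.
            try {
                response.getWriter().print("OK");
                response.getWriter().flush();
            } catch (IOException e) {
                e.printStackTrace();
            }
        } else {
            filterChain.doFilter(request, response);
        }
    }
}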

Also, you should add this to your XML web security file:

<beans:bean id="CorsFilter" class="com.yourpackagetoyourclass.CorsFilter" />
    <custom-filter ref="CorsFilter" after="PRE_AUTH_FILTER" />