本文讲述的是访问 /oauth/token 时发生跨域（CORS）问题，但已经加了 CORS 配置还是不能解决。
通过日志查看得知,是因为Spring Security启动了两个过滤链
o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/oauth/token'], Ant [pattern='/oauth/token_key'], Ant [pattern='/oauth/check_token']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@e4348c0, org.springframework.security.web.context.SecurityContextPersistenceFilter@1382a7d8, org.springframework.security.web.header.HeaderWriterFilter@60e80279, org.springframework.security.web.authentication.logout.LogoutFilter@568c9ee1, org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter@285c63cf, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6f1163f7, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@6074d638, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@402feb85, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4ca907af, org.springframework.security.web.session.SessionManagementFilter@7fc56d61, org.springframework.security.web.access.ExceptionTranslationFilter@45b6c666, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@7e451790]
o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/login'], Ant [pattern='/oauth/authorize'], Ant [pattern='/oauth/token'], Ant [pattern='/sms/validate'], Ant [pattern='/user']]], [com.eryun.identity.server.config.CustomerCorsFilter@3b0ed98a, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@76c587ce, org.springframework.security.web.context.SecurityContextPersistenceFilter@2ae5580, org.springframework.security.web.header.HeaderWriterFilter@533d7c61, org.springframework.web.filter.CorsFilter@2ae7c1d, org.springframework.security.web.authentication.logout.LogoutFilter@3fc5d397, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7d82ca56, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@36eb8e07, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5265a8dd, org.springframework.security.web.session.SessionManagementFilter@470f0637, org.springframework.security.web.access.ExceptionTranslationFilter@48f4264e, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@e4bb10b]
/oauth/* 的请求被匹配到了另一条 Spring Security 自带的过滤链，没有进入我自己写的 CustomerCorsFilter，所以只能让自己的过滤链先于系统自带的那条加载。
通过给 Filter 和 WebSecurityConfigurerAdapter 加上 @Order 使其优先加载即可解决。
package com.eryun.identity.server.config;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
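@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CustomerCorsFilter extends org.springframework.web.filter.CorsFilter {

    /** Seconds a browser may cache the preflight answer (sent as Access-Control-Max-Age). */
    private static final long MAX_AGE_SECONDS = 36000L;

    /**
     * Constructor Spring uses when this class is picked up as a {@code @Component}.
     *
     * <p>Keeps the original behaviour: every origin ({@code "*"}) is allowed while credentials are
     * also allowed. Spring Framework 5.3+ rejects that combination at startup, and on a token
     * endpoint it lets any site make credentialed cross-origin requests, so production deployments
     * should prefer {@link #CustomerCorsFilter(List)} with an explicit origin allow-list.
     */
    public CustomerCorsFilter() {
        this(Arrays.asList("*"));
    }

    /**
     * Builds the filter with an explicit origin allow-list; all other settings are unchanged.
     *
     * @param allowedOrigins origins accepted for cross-origin requests, e.g. {@code https://app.example}
     * @throws NullPointerException if {@code allowedOrigins} is null (null would silently allow no
     *     origin at all, which is easier to miss than a startup failure)
     */
    public CustomerCorsFilter(List<String> allowedOrigins) {
        super(configurationSource(Objects.requireNonNull(allowedOrigins, "allowedOrigins")));
    }

    /**
     * Builds the single {@code /**} CORS configuration this filter serves.
     *
     * @param allowedOrigins origins to register as Access-Control-Allow-Origin candidates
     * @return a source mapping every path to the shared configuration
     */
    private static UrlBasedCorsConfigurationSource configurationSource(List<String> allowedOrigins) {
        CorsConfiguration corsConfig = new CorsConfiguration();
        // Separate list instances for allowed and exposed headers, as in the original, so that
        // neither setter can end up sharing (and possibly mutating) the other's list.
        corsConfig.setAllowedHeaders(headerNames());
        corsConfig.setAllowedMethods(Arrays.asList("POST", "GET", "DELETE", "PUT", "OPTIONS"));
        corsConfig.setAllowedOrigins(allowedOrigins);
        corsConfig.setExposedHeaders(headerNames());
        corsConfig.setMaxAge(MAX_AGE_SECONDS);
        corsConfig.setAllowCredentials(true);
        // NOTE(review): this bean is also wired into the security chain via addFilterBefore in
        // WebSecurityConfig; a Filter @Component is normally auto-registered with the servlet
        // container too, so the filter may run twice per request — confirm against the deployment.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfig);
        return source;
    }

    /**
     * Header names used both as allowed request headers and as exposed response headers.
     *
     * <p>Kept verbatim. Header names are case-insensitive, so the two spellings of Authorization are
     * redundant; "XMLHttpRequest" is usually a header value rather than a name and
     * "Access-Control-Allow-Origin" is a response header, so those entries are presumably no-ops as
     * allowed request headers — verify before relying on them.
     *
     * @return a fresh list on every call
     */
    private static List<String> headerNames() {
        return Arrays.asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest",
                "Access-Control-Allow-Origin", "Authorization", "authorization");
    }
}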
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Paths this chain claims; requests to other paths fall through to later chains. */
    private static final String[] MATCHED_PATHS = {
        "/login", "/oauth/authorize", "/oauth/token", "/sms/validate", "/user"
    };

    @Autowired
    private CustomerCorsFilter customerCorsFilter;

    // Not referenced in this class; presumably kept so the bean is created before this config.
    @Autowired
    private UserDetailsConfig userDetailsConfig;

    /**
     * Registers a filter chain that precedes the default one for the matched paths.
     *
     * <p>Because of {@code HIGHEST_PRECEDENCE}, {@code /oauth/token} is now served by this chain
     * instead of the authorization-server chain. The startup log on this page shows that the
     * authorization-server chain carried ClientCredentialsTokenEndpointFilter and
     * BasicAuthenticationFilter while this one does not, so client authentication for the token
     * endpoint has to come from elsewhere — confirm it still happens before relying on
     * {@code authenticated()} alone. CORS is handled twice here ({@code cors()} plus the
     * explicitly added {@code customerCorsFilter}); the custom filter runs first.
     *
     * @param http the builder for this chain
     * @throws Exception propagated from the HttpSecurity DSL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers(MATCHED_PATHS);
        http.cors();
        // CSRF is off for these endpoints; together with a wildcard CORS origin this relies entirely
        // on the authentication step to protect /oauth/token.
        http.csrf().disable();
        http.authorizeRequests().anyRequest().authenticated();
        http.addFilterBefore(customerCorsFilter, WebAsyncManagerIntegrationFilter.class);
    }
}



