We are building an Angular Material application, consuming a RESTful Spring MVC API, with Spring Security & OAUTH2.
For testing purposes, we gave ROLE_ANONYMOUS access to our /users endpoint:
<intercept-url pattern="/users" method="POST" access="ROLE_ANONYMOUS"/>
But when we try to send a JSON by POST, we still get a 401 response from the server.
- This is not happening with non-angular clients like Postman.
- If we disable the Spring Security filter, everything works fine.
- GET requests to the same endpoint also work fine.
This is our app.config:
angular.module('App')
    .constant('RESOURCES', (function () {
        var resource = 'http://localhost:8080';
        return {
            USERS: resource + '/users'
        };
    })());
And the factory doing the POST method:
app.factory('LoginUser', ['RESOURCES', '$resource', function (RESOURCES, $resource) {
    return $resource(RESOURCES.USERS, null, {
        add: {method: 'POST'}
    });
}]);
And the signup method in the controller:
function signup(user) {
    LoginUser.add({}, JSON.stringify(user));
}
We have the SimpleCORSFilter set up in the server following the Spring guide.
You can see the comparison between the postman POST and the AngularJS POST here:
The header marked in red is a custom one we have to add in Postman in order to avoid a 415 unsupported media type.
We tried to put custom headers in the POST request in AngularJS, but it doesn't seem to be working:
.config(function ($httpProvider) {
    $httpProvider.defaults.headers.put['Content-Type'] = $httpProvider.defaults.headers.post['Content-Type'] =
        'application/json; charset=UTF-8';
});
1 solution
#1
3
Ok, after reviewing the screenshot, we noticed the method was OPTIONS instead of POST.
The problem was not in the headers (we were checking those so much that we weren't seeing the obvious), but in the pre-flight request OPTIONS due to CORS. Here's a nice article about it. Our Spring Security was configured for the POST method, but not for the OPTIONS. We changed it and now it works like a charm:
<intercept-url pattern="/users" method="POST" access="ROLE_ANONYMOUS"/>
<intercept-url pattern="/users" method="OPTIONS" access="ROLE_ANONYMOUS"/>
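Why the browser sent OPTIONS for the AngularJS POST but Postman did not, as an added example that is not part of the original question or answer: a simplified model of the browser's CORS preflight decision and of the method-based access rules shown above. The function names are hypothetical, and it assumes that a request matching no rule gets a 401 (as observed here) and that the CORS filter supplies the Access-Control-* response headers.

```javascript
// Added example: simplified model of the browser's CORS preflight decision
// (Fetch spec "CORS-safelisted" rules) and of the method-based access rules
// from the page. Not Spring Security or AngularJS code.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when a cross-origin request makes the browser send OPTIONS first.
function needsPreflight({ method, headers = {} }) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const key = name.toLowerCase();
    if (SAFE_HEADERS.has(key)) return false;
    if (key === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      return !SAFE_CONTENT_TYPES.has(mime);
    }
    return true; // any other author-set header forces a preflight
  });
}

// Assumption: a request matching no rule is answered 401, as observed on the page.
function statusFor(method, path, rules) {
  const hit = rules.some((r) => r.pattern === path && r.method === method);
  return hit ? 200 : 401;
}

// What the browser sees for a cross-origin call to `path`.
function browserResult(request, path, rules) {
  if (needsPreflight(request)) {
    const pre = statusFor('OPTIONS', path, rules);
    if (pre !== 200) return { step: 'OPTIONS', status: pre };
  }
  return { step: request.method, status: statusFor(request.method, path, rules) };
}

// Constructed sample: the JSON POST an AngularJS $resource call sends.
const angularPost = {
  method: 'POST',
  headers: { Accept: 'application/json, text/plain, */*',
             'Content-Type': 'application/json;charset=utf-8' },
};
const before = [{ pattern: '/users', method: 'POST' }];
const after = [...before, { pattern: '/users', method: 'OPTIONS' }];
console.log(browserResult(angularPost, '/users', before)); // fails at OPTIONS
console.log(browserResult(angularPost, '/users', after));  // reaches POST
```

Postman is not a browser and does not apply the same-origin policy, so it sends the POST directly and never hits the OPTIONS rule.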