2017-06-19 81 views

CORS hides headers in AngularJS?

I was implementing Spring Security with HMAC in my Angular application when I noticed something that looked strange.

Can someone explain why I don't get the "X-HMAC-CSRF", "X-Secret" and "WWW-Authenticate" values in my console.log?

console.log(JSON.stringify(response.headers())) 
{"pragma":"no-cache","content-type":"application/json;charset=UTF-8","cache-control":"no-cache, no-store, max-age=0, must-revalidate","expires":"0"}

Although I get them correctly in the Network tab (F12), it is impossible to log them. Some code snippets:

public static final String WWW_AUTHENTICATE = "WWW-Authenticate"; 
public static final String X_SECRET = "X-Secret"; 
public static final String CSRF_CLAIM_HEADER = "X-HMAC-CSRF"; 

response.setHeader(X_SECRET, filteredUrl); 
response.setHeader(WWW_AUTHENTICATE,HmacUtils.HMAC_SHA_256); 
response.setHeader(CSRF_CLAIM_HEADER, csrfId); 
response.addCookie(jwtCookie); 

I also added a CORS filter, because the back end and the front end are not on the same domain:

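import java.io.IOException;
import javax.annotation.PostConstruct;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Slf4j
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CorsFilter implements Filter {

    @PostConstruct
    public void init() {
        log.info("Setup cors filter");
    }

    // Required by the Filter interface before Servlet 4.0; nothing to configure.
    @Override
    public void init(FilterConfig filterConfig) { }

    // Adds the CORS response headers to every response, then continues the chain.
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        //TODO ALLOW ALL ORIGIN ???
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,OPTIONS,DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, If-Modified-Since, Accept, Authorization, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Handle-Errors-Generically");

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}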
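
Added example, not part of the original question: a small JavaScript model of the browser rule behind the output above. On a cross-origin response, script can read only the CORS-safelisted response headers unless the server names others in `Access-Control-Expose-Headers`, which the filter above does not set. The function name `visibleToScript` and all sample header values are constructed for illustration.

```javascript
// Model of the browser rule: on a cross-origin response, script may read only
// CORS-safelisted headers plus those named in Access-Control-Expose-Headers.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable from script, whatever the server exposes.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// rawHeaders: what the Network tab shows. withCredentials: cookies were sent.
function visibleToScript(rawHeaders, withCredentials = false) {
  const lower = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    lower[name.toLowerCase()] = value;
  }
  const exposed = new Set(
    (lower["access-control-expose-headers"] || "")
      .split(",").map((n) => n.trim().toLowerCase()).filter(Boolean)
  );
  // "*" exposes everything only when the request carried no credentials.
  const wildcard = exposed.has("*") && !withCredentials;
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) visible[name] = value;
  }
  return visible;
}

// Constructed sample in the shape of the question's response (values are made up).
const sample = {
  "Pragma": "no-cache",
  "Content-Type": "application/json;charset=UTF-8",
  "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
  "Expires": "0",
  "Access-Control-Allow-Origin": "*",
  "X-Secret": "constructed-value",
  "X-HMAC-CSRF": "constructed-value",
  "WWW-Authenticate": "constructed-value",
  "Set-Cookie": "jwt=constructed; HttpOnly",
};
// Same response once the server names the custom headers as exposed.
const fixed = { ...sample,
  "Access-Control-Expose-Headers": "X-HMAC-CSRF, X-Secret, WWW-Authenticate" };

console.log("as posted:", Object.keys(visibleToScript(sample)));
console.log("exposed:  ", Object.keys(visibleToScript(fixed)));
```

In the filter, the corresponding change is one more `response.setHeader` call for `Access-Control-Expose-Headers`, listing only the headers the client needs to read.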

Answers