Detailed explanation of preflight requests and cross-domain problems in Spring Security

Spring Security

Spring Security is a security framework that provides a comprehensive access control solution for J2EE projects. It is built on servlet filters: these filters intercept incoming requests and perform security processing before the application handles the request.

Spring Security intercepts user requests as follows:

Background

In a project with separate front end and back end, Spring Security is used as the security framework and JWT is used to implement permission management and improve the security of the RESTful API. The first problem encountered was a cross-domain problem; then, once the requests carried a JWT, the server could not obtain the JWT.

Cross-domain problem

The CORS (cross-origin resource sharing) problem was encountered during development. Allowing cross-domain access was simply configured on the server side, but the problem came back as soon as the requests carried a JWT.

The reason is that the JWT is carried in a request header, and that header was not among the header fields allowed by the cross-domain configuration.

Online searches said the OPTIONS request should be handled and return 200, but in testing this did not work.

The OPTIONS request here is actually a preflight request.

Preflight request

However, the problem remained unsolved, as follows:

I didn't know about preflight requests until I looked them up on Google.

When we call a back-end interface, we often find that the request is sent twice. In fact, the first one is the preflight request.

Why is there a preflight request?

We all know the browser's same-origin policy. For security reasons, the browser restricts cross-domain HTTP requests initiated from scripts. For example, XMLHttpRequest and fetch follow the same-origin policy.

There are generally two ways for a browser to restrict cross-domain requests:

1. The browser blocks the cross-domain request from being sent at all.

2. The cross-domain request is sent normally, but the browser intercepts the returned result.

Browsers generally restrict cross-domain requests in the second way. That is, the request has already reached the server and may already have modified data in the database, but the returned result is intercepted by the browser, so the script cannot read the response. From the script's point of view this is a failed request, yet it may have had an effect on the data in the database.

To prevent this situation, the specification requires that for HTTP request methods that may have side effects on server data, the browser must first send a preflight request using the OPTIONS method to find out whether the server allows the cross-domain request. If it does, the real request with data is sent; if not, the real request with data is blocked.

The browser divides CORS requests into two categories: simple requests and non-simple requests.

Simple request

1. The request method is one of the following three methods

2. The HTTP header information is limited to the following fields

If these two conditions are not both met, it is a non-simple request.

The browser handles these two kinds of request differently.

Non-simple request

Non-simple requests are those that place special requirements on the server. For example, the request method is PUT or DELETE, or the Content-Type is application/json.

For CORS requests that are not simple requests, an HTTP query request is added before the formal communication; this is called a "preflight".
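The classification above, worked through in code. This is an added example and not code from the original article; it follows the CORS-safelisted method, header and Content-Type lists from the Fetch standard, and the origin, path and header values it uses are constructed for illustration. It answers two questions for a given request: will the browser send a preflight, and if so, what does that OPTIONS request look like (note that the preflight announces the Authorization header by name but never carries its value, which is why a JWT filter that demands a token on every request breaks CORS).

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Decides whether a cross-origin request is "simple" or needs a preflight (Fetch standard rules). */
public class PreflightCheck {

    // Methods a browser may send cross-origin without a preflight (CORS-safelisted methods).
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "POST");

    // Header names a script may set cross-origin without a preflight (CORS-safelisted headers).
    static final Set<String> SAFE_HEADERS = Set.of(
            "accept", "accept-language", "content-language", "content-type");

    // Content-Type values that stay "simple"; anything else, e.g. application/json, needs a preflight.
    static final Set<String> SAFE_CONTENT_TYPES = Set.of(
            "application/x-www-form-urlencoded", "multipart/form-data", "text/plain");

    /** True if the browser would send an OPTIONS preflight before this request. */
    static boolean needsPreflight(String method, Map<String, String> headers) {
        if (!SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return true;
        }
        for (Map.Entry<String, String> h : headers.entrySet()) {
            String name = h.getKey().toLowerCase(Locale.ROOT);
            if (!SAFE_HEADERS.contains(name)) {
                return true;                      // e.g. Authorization is never safelisted
            }
            if (name.equals("content-type")) {
                // Strip parameters such as "; charset=utf-8" before comparing the media type.
                String mime = h.getValue().split(";")[0].trim().toLowerCase(Locale.ROOT);
                if (!SAFE_CONTENT_TYPES.contains(mime)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Renders the preflight the browser would send for a non-simple request. */
    static String preflightFor(String method, Map<String, String> headers, String path, String origin) {
        StringBuilder sb = new StringBuilder();
        sb.append("OPTIONS ").append(path).append(" HTTP/1.1\r\n");
        sb.append("Origin: ").append(origin).append("\r\n");
        sb.append("Access-Control-Request-Method: ").append(method.toUpperCase(Locale.ROOT)).append("\r\n");
        // Only the names of non-safelisted headers are announced; their values are not sent.
        List<String> announced = headers.keySet().stream()
                .map(n -> n.toLowerCase(Locale.ROOT))
                .filter(n -> !SAFE_HEADERS.contains(n))
                .sorted()
                .collect(Collectors.toList());
        if (!announced.isEmpty()) {
            sb.append("Access-Control-Request-Headers: ").append(String.join(",", announced)).append("\r\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample requests: a plain form post and a JSON post carrying a JWT.
        Map<String, String> formPost = Map.of("Content-Type", "application/x-www-form-urlencoded");
        Map<String, String> jwtPost = Map.of(
                "Content-Type", "application/json",
                "Authorization", "Bearer <jwt-placeholder>");

        System.out.println("form POST needs preflight: " + needsPreflight("POST", formPost));
        System.out.println("JWT JSON POST needs preflight: " + needsPreflight("POST", jwtPost));
        System.out.print(preflightFor("POST", jwtPost, "/api/orders", "https://app.example.com"));
    }
}
```

The form POST is a simple request, so it goes straight to the server; the JSON POST with an Authorization header fails both the header check and the Content-Type check, so the browser first sends an OPTIONS request announcing `authorization` in Access-Control-Request-Headers. The server must answer that OPTIONS request with matching Access-Control-Allow-* headers, and without requiring a token, before the real request is ever sent.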

Refer to the link at the bottom for more details on CORS.

Solution

If Spring Security is used as the security framework in the back end and the preflight request is not handled accordingly, the request fails permission control.

The fix is very simple. You only need to permit the preflight request in the configure method of the Spring Security configuration class.

Finally, the problem is solved!
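A configuration that does what the paragraph above describes. This is an added example, not the article's own configuration; it assumes Spring Security 5.x with the WebSecurityConfigurerAdapter style of configure method that the article refers to, a stateless JWT API, and a front-end origin of https://app.example.com (a placeholder). Two things make the preflight pass: OPTIONS requests are permitted without authentication, and the Authorization header that carries the JWT is listed in the allowed request headers, which was the missing piece described in the cross-domain section.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Registers Spring's CorsFilter near the front of the filter chain, using the
            // corsConfigurationSource bean below, so preflights are answered before any JWT check.
            .cors()
            .and()
            // Stateless JWT API: no session cookie, so CSRF protection is not needed here.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            // The preflight never carries the Authorization header, so it must be let through
            // without a token. The real request that follows is still authenticated.
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated();
        // The project's JWT filter (not shown) would be added here with
        // http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
        // and should itself skip OPTIONS requests rather than rejecting them for a missing token.
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // Name the front-end origin explicitly instead of "*": a wildcard would let any site
        // read API responses in the user's browser.
        cfg.setAllowedOrigins(List.of("https://app.example.com"));   // placeholder origin
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Authorization must be listed, otherwise the browser drops the JWT-carrying request
        // after the preflight and the server never sees the token.
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        // Let the browser cache the preflight result so it is not repeated on every call.
        cfg.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cfg);
        return source;
    }
}
```

Permitting OPTIONS does not weaken access control: a preflight carries no body and no credentials, and the browser only sends the real request, which still has to pass the JWT filter and the authenticated() rule, after the preflight succeeds. What to check if it still fails: look at the network tab for the OPTIONS request and confirm it returns 200 with Access-Control-Allow-Origin, Access-Control-Allow-Methods and an Access-Control-Allow-Headers value that includes Authorization.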

Summary

The above is the whole content of this article. I hope it has some reference value for your study or work. If you have any questions, you can leave a message. Thank you for your support for Programming Tips.

References:

Front end | A brief introduction to the preflight request and cross-origin resource sharing (CORS)
