Detailed explanation of preflight requests and cross-origin problems in Spring Security
Spring Security
Spring Security is a security framework that provides a comprehensive access-control solution for Java EE (J2EE) projects. It is built on servlet filters: these filters intercept incoming requests and perform security processing before the application itself handles the request.
Spring Security intercepts user requests as follows:
Background
In a project with separate front end and back end, Spring Security is used as the security framework and JWT is used for permission management and to protect the RESTful API. The first problem encountered was a cross-origin problem: once the request carried the JWT, the server could not obtain it.
Cross-origin problem
The CORS (cross-origin resource sharing) problem appeared during development. Cross-origin access had simply been enabled on the server side, yet the problem reappeared as soon as the request carried the JWT.
Because the JWT travels in a request header, the request fails unless the CORS configuration explicitly allows that header; that allowance had been left out.
Searching online suggested handling the OPTIONS request and returning 200, but in testing this did not work.
The OPTIONS request here is actually a preflight request.
Preflight request
However, the problem remained unsolved, as shown below:
Only after searching for the cause did I learn about preflight requests.
When we call a back-end interface, we often find that the request is sent twice. The first one is in fact the preflight request.
Why a preflight request?
We all know the browser's same-origin policy. For security reasons, the browser restricts cross-origin HTTP requests initiated from scripts; for example, XMLHttpRequest and fetch both follow the same-origin policy.
There are generally two ways a browser can restrict cross-origin requests:
1. The browser blocks the cross-origin request from being sent at all.
2. The cross-origin request is sent normally, but the browser intercepts the response.
Browsers generally use the second approach: the request has already reached the server and may already have modified data in the database, but the browser withholds the response, so the script never sees the result. From the script's point of view this is a failed request, yet it may have had an impact on the database.
To prevent this, the specification requires that for HTTP request methods that may have side effects on server data, the browser must first send a preflight request using the OPTIONS method to learn whether the server allows the cross-origin request: if it does, the real request with its data is sent; if not, the real request is blocked.
The browser divides CORS requests into two categories: simple requests and non-simple requests.
Simple requests
1. The request method is one of the following three methods
2. The HTTP header information does not exceed the following fields
A request that does not satisfy both conditions at once is a non-simple request.
The browser handles these two kinds of request differently.
Non-simple requests
Non-simple requests are those that place special demands on the server, for example a request method of PUT or DELETE, or a Content-Type of application/json.
For a CORS request that is not a simple request, the browser adds an extra HTTP request before the real communication; this is called the "preflight".
Refer to the link at the bottom for more details on CORS.
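The following added example is not part of the original article; it encodes the simple-versus-non-simple decision described above in plain Java, with no Spring dependency. The safelisted methods, headers and Content-Type values are the CORS-safelisted rules from the Fetch standard, not lists taken from this page, and the origin, path and JWT value are constructed sample data. The example also renders the OPTIONS preflight the browser would send, so the second of the "two requests" the article mentions becomes visible.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Decides whether a cross-origin request that a script is about to send will be
// preceded by an OPTIONS preflight. Rules follow the Fetch standard's
// CORS-safelisted method/header definitions (assumption: minor edge cases such
// as header value length limits are ignored).
public final class PreflightCheck {

    private static final Set<String> SIMPLE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "POST"));

    // Header names a simple request may carry without triggering a preflight.
    private static final Set<String> SIMPLE_HEADERS =
            new HashSet<>(Arrays.asList("accept", "accept-language", "content-language", "content-type"));

    // Only these Content-Type media types keep a request "simple".
    private static final Set<String> SIMPLE_CONTENT_TYPES =
            new HashSet<>(Arrays.asList("application/x-www-form-urlencoded", "multipart/form-data", "text/plain"));

    private PreflightCheck() {}

    /** True when this single header would not, by itself, force a preflight. */
    static boolean isSafelistedHeader(String name, String value) {
        String n = name.toLowerCase(Locale.ROOT);
        if (!SIMPLE_HEADERS.contains(n)) {
            return false;                       // e.g. Authorization: Bearer <jwt>
        }
        if (n.equals("content-type")) {
            // Strip parameters such as "; charset=utf-8" before comparing the media type.
            String mediaType = value.split(";")[0].trim().toLowerCase(Locale.ROOT);
            return SIMPLE_CONTENT_TYPES.contains(mediaType);   // application/json -> false
        }
        return true;
    }

    /** True when the request is a "simple request" and needs no preflight. */
    public static boolean isSimpleRequest(String method, Map<String, String> headers) {
        if (!SIMPLE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return false;                       // PUT, DELETE, PATCH ...
        }
        return headers.entrySet().stream()
                .allMatch(h -> isSafelistedHeader(h.getKey(), h.getValue()));
    }

    /** Header names the preflight must ask permission for, lower-cased and sorted. */
    public static List<String> headersNeedingPermission(Map<String, String> headers) {
        return headers.entrySet().stream()
                .filter(h -> !isSafelistedHeader(h.getKey(), h.getValue()))
                .map(h -> h.getKey().toLowerCase(Locale.ROOT))
                .sorted()
                .collect(Collectors.toList());
    }

    /** Renders the OPTIONS preflight the browser would send, or null when none is needed. */
    public static String preflightRequest(String origin, String path, String method,
                                          Map<String, String> headers) {
        if (isSimpleRequest(method, headers)) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        sb.append("OPTIONS ").append(path).append(" HTTP/1.1\r\n");
        sb.append("Origin: ").append(origin).append("\r\n");
        sb.append("Access-Control-Request-Method: ")
          .append(method.toUpperCase(Locale.ROOT)).append("\r\n");
        List<String> extra = headersNeedingPermission(headers);
        if (!extra.isEmpty()) {
            sb.append("Access-Control-Request-Headers: ")
              .append(String.join(", ", extra)).append("\r\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the JWT-carrying JSON call from the article's scenario.
        Map<String, String> withJwt = Map.of(
                "Authorization", "Bearer <jwt-placeholder>",
                "Content-Type", "application/json");
        System.out.println("simple? " + isSimpleRequest("POST", withJwt));
        System.out.print(preflightRequest("https://app.example.com", "/api/orders", "POST", withJwt));

        // A plain form post stays simple and goes straight to the server, no preflight.
        Map<String, String> form = Map.of("Content-Type", "application/x-www-form-urlencoded");
        System.out.println("simple? " + isSimpleRequest("POST", form));
    }
}
```

Running `main` shows that the JWT call is not simple for two independent reasons (the `Authorization` header and the `application/json` body), and that the preflight announces both in `Access-Control-Request-Headers`. That is exactly why a server that only allows the method, but not the `Authorization` header, sees the preflight rejected before the real request is ever sent.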
Solution
If Spring Security is used as the back-end security framework and the preflight is not handled accordingly, the preflight request hits the permission checks and fails.
The fix is very simple: you only need to let the preflight request through in the configure method of the Spring Security configuration class.
Finally, the problem is solved!
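As an added example, not the article's own configuration: a Spring Security 5.x configuration class (the `WebSecurityConfigurerAdapter` style with a `configure` method, as the article describes) that lets preflight requests through and declares a CORS policy that allows the header carrying the JWT. The origin, header names and path patterns are assumptions for illustration; `JwtAuthenticationFilter` is a hypothetical placeholder for the project's own JWT filter.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical: the project's own filter that reads "Authorization: Bearer <jwt>".
    private final JwtAuthenticationFilter jwtAuthenticationFilter;

    public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Installs Spring Security's CorsFilter early in the chain, using the
            // CorsConfigurationSource bean below. A valid preflight is answered here,
            // before any authentication filter (including the JWT filter) runs.
            .cors().and()
            // Stateless JWT API: no session cookie, so CSRF tokens are not used.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                // "Release" the preflight: OPTIONS never carries the JWT, so it must not
                // be subject to the permission checks that protect the real request.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/api/auth/login").permitAll()   // assumed login endpoint
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Name the front-end origin explicitly rather than using "*": an exact origin
        // keeps the allow-list auditable and is required if credentials are ever enabled.
        config.setAllowedOrigins(Arrays.asList("https://app.example.com"));   // assumed origin
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // The header that carries the JWT must be listed, otherwise the preflight
        // response omits it from Access-Control-Allow-Headers and the browser blocks
        // the real request; this is the oversight described earlier in the article.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        // Let the browser cache the preflight result so repeated calls send one request.
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);   // assumed API path prefix
        return source;
    }
}
```

Two things are worth checking after applying this: first, that the preflight response really contains `Access-Control-Allow-Headers: Authorization` (the browser's network panel shows the OPTIONS exchange separately), and second, that `permitAll` is restricted to `HttpMethod.OPTIONS` so the real GET, POST, PUT and DELETE requests still pass through the JWT filter and the `authenticated()` rule.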
Summary
That is the whole content of this article. I hope it has some reference value for your study or work. If you have any questions, you can leave a message. Thank you for your support.
References:
Front end | A brief introduction to preflight requests and cross-origin resource sharing (CORS)