403 Forbidden Spring Boot Web Socket Call

Question

21 浏览2023年3月22日

匿名的 2023年3月22日

0 Comments

我使用的是Spring Boot 1.3.0.RELEASE版本。我的代码是基于Spring Boot中使用Stomp和SocketJS的websocket起步指南。当我从localhost:8080（Spring服务器）运行客户端时，当然可以正常工作。直到我尝试从不同的端口调用它时，我才会收到403 Forbidden的错误。我的CorsFilter设置如下。[点击此处查看Spring Boot中使用websocket的起步指南](https://spring.io/guides/gs/messaging-stomp-websocket/)。

我的客户端是 ....http://localhost:3000

我的Spring Boot服务器是... http://localhost:8080

我设置了CorsFilter来访问我的客户端...

CorsFilter

package hello;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class CorsFilter implements Filter {
    private final Logger log = LoggerFactory.getLogger(CorsFilter.class);
    public CorsFilter() {
        log.info("SimpleCORSFilter init");
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String clientOrigin = request.getHeader("origin");
        response.addHeader("Access-Control-Allow-Origin", clientOrigin);
        response.setHeader("Access-Control-Allow-Methods", "POST, GET,  DELETE, PUT");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers",
                "Origin, Accept, X-Requested-With, Content-Type, " +
                        "Access-Control-Request-Method, Access-Control-Request-Headers");
        if (request.getMethod().equals("OPTIONS")) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(request, response);
        }
    }
    @Override
    public void init(FilterConfig filterConfig) {
    }
    @Override
    public void destroy() {
    }
}

请求头

Accept:*/*


Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:localhost:8080
Origin:http://localhost:3000
Referer:http://localhost:3000/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36

响应头

Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:POST, GET,  DELETE, PUT
Access-Control-Allow-Origin:http://localhost:3000
Access-Control-Max-Age:3600
Cache-Control:no-store, no-cache, must-revalidate, max-age=0
Content-Length:0
Date:Wed, 02 Dec 2015 13:59:25 GMT
Server:Apache-Coyote/1.1

0

1 答案

匿名的 · Answer 1 · 2023-05-15T08:05:38+00:00

问题出现的原因是因为在调用Spring Boot Web Socket时出现了403 Forbidden错误。解决方法是使用`setAllowedOrigins`方法来允许特定的来源访问。具体的配置代码如下：

public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {
  public void configureMessageBroker(MessageBrokerRegistry config) {
    config.enableSimpleBroker("/your/topic");
    config.setApplicationDestinationPrefixes("/yourapp");
  }
  public void registerStompEndpoints(StompEndpointRegistry registry) {
    registry.addEndpoint("/your/endpoint").setAllowedOrigins("http://localhost:3000").withSockJS();
  }
}

上述配置允许在localhost:3000上运行的stomp客户端订阅`/your/endpoint`。如果想要在Spring Boot应用程序中监听多个端口，可以参考这里的配置方法：stackoverflow.com/questions/36357135/…。

需要注意的是，上述配置只适用于localhost，如果在服务器上调用托管的websocket时仍然遇到CORS错误，可以尝试使用`setAllowedOrigins`方法来设置允许的来源。例如：

registry.addEndpoint("/your/endpoint").setAllowedOrigins("https://example.com").withSockJS();

这样就可以允许`https://example.com`访问`/your/endpoint`了。