跨源资源共享(CORS)概念实现（用Spring）起源介绍

Posted 2021-02-15 利威尔兵长

本文内容引用自：

https://howtodoinjava.com/spring5/webmvc/spring-mvc-cors-configuration/

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

• 基本概念

　　　跨源资源共享(Cross-Origin Resource Sharing, CORS)是一种机制，它使用额外的HTTP头文件告诉浏览器，让在一个源(域)运行的web应用程序有权访问来自不同源服务器的选定资源。当web应用程序请求源(域、协议和端口)与自己的源不同的资源时，它将执行跨源HTTP请求。

• 跨源请求的示例：

　　   来自http://domain-a.com的Web应用程序的前端javascript代码使用XMLHttpRequest来请求http://api.domain-b.com/data.json 。

• 安全策略

　　   出于安全原因，浏览器限制从脚本内发起的跨源HTTP请求。例如，XMLHttpRequest与提取API遵循同源策略。这意味着使用这些API的Web应用程序只能从加载应用程序的同一源请求HTTP资源，除非来自其他来源的响应包含正确的CORS标头。

• implementation in Spring

　　   

1. Spring CORS – Method level with @CrossOrigin

Spring MVC provides @CrossOrigin annotation. This annotation marks the annotated method or type as permitting cross origin requests.

1.1. Spring CORS allow all

By default, @CrossOrigin allows all origins, all headers, the HTTP methods specified in the @RequestMapping annotation and a maxAge of 30 minutes.

You can override default CORS settings by giving value to annotation attributes :

ATTRIBUTE	DESCRIPTION
origins	List of allowed origins. It’s value is placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response. – * – means that all origins are allowed. – If undefined, all origins are allowed.
allowedHeaders	List of request headers that can be used during the actual request. Value is used in preflight’s response header Access-Control-Allow-Headers. – * – means that all headers requested by the client are allowed. – If undefined, all requested headers are allowed.
methods	List of supported HTTP request methods. If undefined, methods defined by RequestMapping annotation are used.
exposedHeaders	List of response headers that the browser will allow the client to access. Value is set in actual response header Access-Control-Expose-Headers. – If undefined, an empty exposed header list is used.
allowCredentials	It determine whether browser should include any cookies associated with the request. – false – cookies should not included. – "" (empty string) – means undefined. – true – pre-flight response will include the header Access-Control-Allow-Credentials with value set to true. – If undefined, credentials are allowed.
maxAge	maximum age (in seconds) of the cache duration for pre-flight responses. Value is set in header Access-Control-Max-Age. – If undefined, max age is set to 1800 seconds (30 minutes).

1.2. @CrossOrigin at Class/Controller Level

HomeController.java

@CrossOrigin(origins = "*", allowedHeaders = "*") @Controller public class HomeController {     @GetMapping(path="/")     public String homeInit(Model model) {         return "home";     } }

Read More – Spring 5 MVC Example

1.3. @CrossOrigin at Method Level

HomeController.java

@Controller public class HomeController {     @CrossOrigin(origins = "*", allowedHeaders = "*")     @GetMapping(path="/")     public String homeInit(Model model) {         return "home";     } }

1.4. @CrossOrigin Overridden at Method Level

homeInit() method will be accessible only from domain http://example.com. Rest other methods in HomeController will be accessible from all domains.

HomeController.java

@Controller @CrossOrigin(origins = "*", allowedHeaders = "*") public class HomeController {     @CrossOrigin(origins = "http://example.com")     @GetMapping(path="/")     public String homeInit(Model model) {         return "home";     } }

2. Spring CORS – Global CORS configuration

2.1. Spring MVC CORS with WebMvcConfigurerAdapter

To enable CORS for the whole application, use WebMvcConfigurerAdapter to add CorsRegistry.

CorsConfiguration.java

@Configuration @EnableWebMvc public class CorsConfiguration extends WebMvcConfigurerAdapter {     @Override     public void addCorsMappings(CorsRegistry registry) {         registry.addMapping("/**")                 .allowedMethods("GET", "POST");     } }

2.2. Spring Boot CORS with WebMvcConfigurer

In spring boot application, it is recommended to just declare a WebMvcConfigurer bean.

CorsConfiguration.java

@Configuration public class CorsConfiguration {     @Bean     public WebMvcConfigurer corsConfigurer()     {         return new WebMvcConfigurerAdapter() {             @Override             public void addCorsMappings(CorsRegistry registry) {                 registry.addMapping("/**");             }         };     } }

2.3. CORS with Spring Security

To enable CORS support through Spring security, configure CorsConfigurationSource bean and use HttpSecurity.cors() configuration.

WebSecurityConfig.java

@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {       @Override     protected void configure(HttpSecurity http) throws Exception {         http.cors().and()             //other config     }       @Bean     CorsConfigurationSource corsConfigurationSource()     {         CorsConfiguration configuration = new CorsConfiguration();         configuration.setAllowedOrigins(Arrays.asList("https://example.com"));         configuration.setAllowedMethods(Arrays.asList("GET","POST"));         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();         source.registerCorsConfiguration("/**", configuration);         return source;     } }

出于安全原因，浏览器限制从脚本内发起的跨源HTTP请求。例如，XMLHttpRequest与提取API遵循同源策略。这意味着使用这些API的Web应用程序只能从加载应用程序的同一源请求HTTP资源，除非来自其他来源的响应包含正确的CORS标头。