Cross-Origin Resource Sharing (CORS): Concept, Implementation (with Spring) and Origins
Posted by 利威尔兵长
Editor's note: this article was compiled by 小常识网 (cha138.com). It introduces the concept of Cross-Origin Resource Sharing (CORS), where it comes from, and how to implement it in Spring.
The content of this article is drawn from:
https://howtodoinjava.com/spring5/webmvc/spring-mvc-cors-configuration/
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
-
Basic concepts
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser that a web application running at one origin (domain) may access selected resources from a server at a different origin. A web application performs a cross-origin HTTP request whenever it requests a resource whose origin (domain, protocol and port) differs from its own.
-
An example of a cross-origin request:
The front-end JavaScript code of a web application served from http://domain-a.com uses XMLHttpRequest to request http://api.domain-b.com/data.json.
-
Security policy
For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request HTTP resources from the same origin the application was loaded from, unless the response from the other origin includes the correct CORS headers.
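The header exchange behind that policy is easiest to see without a framework. The following is an added example, not code from the original article, MDN or howtodoinjava: a plain-Java class that takes the request method, the Origin header and the two preflight headers, and returns the CORS response headers the server should send. It keeps an exact allow-list of origins (no wildcard), answers the preflight only when the requested method and headers are permitted, echoes the matching origin rather than "*", and adds Vary: Origin so caches do not serve one origin's answer to another. The class name, the allow-list and the origins in main() are constructed for the example; the page's http://domain-a.com is used as the calling origin.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Server-side CORS decision written out by hand (hypothetical class, Java 9+).
 * Origins are matched exactly against an allow-list; an unlisted origin gets
 * no CORS headers at all, so the browser refuses to expose the response.
 */
public class CorsPolicy {

    private final Set<String> allowedOrigins;
    private final List<String> allowedMethods;
    private final Set<String> allowedHeaders;   // lower-cased: header names are case-insensitive
    private final long maxAgeSeconds;

    public CorsPolicy(Set<String> allowedOrigins, List<String> allowedMethods,
                      Set<String> allowedHeaders, long maxAgeSeconds) {
        this.allowedOrigins = allowedOrigins;
        this.allowedMethods = allowedMethods;
        this.allowedHeaders = new HashSet<>();
        for (String h : allowedHeaders) {
            this.allowedHeaders.add(h.toLowerCase(Locale.ROOT));
        }
        this.maxAgeSeconds = maxAgeSeconds;
    }

    /**
     * CORS headers to add to the response for one request. An empty map means
     * "add nothing": the request is same-origin (no Origin header), or the
     * origin, method or requested headers are not permitted by the policy.
     *
     * @param method           HTTP method of the incoming request
     * @param origin           Origin request header, or null when absent
     * @param requestedMethod  Access-Control-Request-Method (preflight only), or null
     * @param requestedHeaders Access-Control-Request-Headers (preflight only), or null
     */
    public Map<String, String> headersFor(String method, String origin,
                                          String requestedMethod, String requestedHeaders) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (origin == null || !allowedOrigins.contains(origin)) {
            return headers;   // same-origin request, or an origin that is not on the allow-list
        }
        boolean preflight = "OPTIONS".equals(method) && requestedMethod != null;
        if (preflight) {
            if (!allowedMethods.contains(requestedMethod)) {
                return headers;   // browser will fail the real request before ever sending it
            }
            if (requestedHeaders != null) {
                for (String name : requestedHeaders.split(",")) {
                    if (!allowedHeaders.contains(name.trim().toLowerCase(Locale.ROOT))) {
                        return headers;   // one unlisted header fails the whole preflight
                    }
                }
            }
            headers.put("Access-Control-Allow-Methods", String.join(", ", allowedMethods));
            if (requestedHeaders != null) {
                headers.put("Access-Control-Allow-Headers", requestedHeaders);
            }
            headers.put("Access-Control-Max-Age", Long.toString(maxAgeSeconds));
        } else if (!allowedMethods.contains(method)) {
            return headers;   // actual request using a method the policy does not allow
        }
        // Echo the one matching origin instead of "*", and mark the response as Origin-dependent for caches.
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Vary", "Origin");
        return headers;
    }

    public static void main(String[] args) {
        // Constructed scenario: the page's http://domain-a.com front end calling an API on another origin.
        CorsPolicy policy = new CorsPolicy(
                Set.of("http://domain-a.com"),
                List.of("GET", "POST"),
                Set.of("Content-Type"),
                1800);

        // 1. Preflight the browser sends before a POST carrying a JSON body.
        System.out.println("Preflight: " + policy.headersFor(
                "OPTIONS", "http://domain-a.com", "POST", "Content-Type"));

        // 2. The actual request that follows a successful preflight.
        System.out.println("Actual:    " + policy.headersFor(
                "POST", "http://domain-a.com", null, null));

        // 3. The same call from an origin that is not on the allow-list: no CORS headers are emitted.
        System.out.println("Unlisted:  " + policy.headersFor(
                "GET", "http://unlisted.example", null, null));
    }
}
```

Note that case 3 still lets the server process the request; CORS only decides whether the browser may read the response. Anything that must not be triggered cross-origin needs its own server-side protection (authentication, CSRF tokens), not just a missing CORS header.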
-
Implementation in Spring
1. Spring CORS – Method level with @CrossOrigin
Spring MVC provides the @CrossOrigin annotation. This annotation marks the annotated method or type as permitting cross-origin requests.
1.1. Spring CORS allow all
By default, @CrossOrigin allows all origins, all headers, the HTTP methods specified in the @RequestMapping annotation and a maxAge of 30 minutes.
You can override the default CORS settings by giving values to the annotation attributes:
| Attribute | Description |
|---|---|
| origins | List of allowed origins. Its value is placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response. "*" means that all origins are allowed. If undefined, all origins are allowed. |
| allowedHeaders | List of request headers that can be used during the actual request. The value is used in the preflight response header Access-Control-Allow-Headers. "*" means that all headers requested by the client are allowed. If undefined, all requested headers are allowed. |
| methods | List of supported HTTP request methods. If undefined, the methods defined by the @RequestMapping annotation are used. |
| exposedHeaders | List of response headers that the browser will allow the client to access. The value is set in the actual response header Access-Control-Expose-Headers. If undefined, an empty exposed-header list is used. |
| allowCredentials | Determines whether the browser should include any cookies associated with the request. false: cookies should not be included. "" (empty string): undefined. true: the pre-flight response will include the header Access-Control-Allow-Credentials with the value true. If undefined, credentials are allowed. |
| maxAge | Maximum age (in seconds) of the cache duration for pre-flight responses. The value is set in the header Access-Control-Max-Age. If undefined, the max age is 1800 seconds (30 minutes). |
1.2. @CrossOrigin at Class/Controller Level
```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;

// Class-level annotation: applies to every handler method in this controller.
@CrossOrigin(origins = "*", allowedHeaders = "*")
@Controller
public class HomeController {

    @GetMapping(path = "/")
    public String homeInit(Model model) {
        return "home";
    }
}
```
1.3. @CrossOrigin at Method Level
```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HomeController {

    // Method-level annotation: only this handler permits cross-origin requests.
    @CrossOrigin(origins = "*", allowedHeaders = "*")
    @GetMapping(path = "/")
    public String homeInit(Model model) {
        return "home";
    }
}
```
1.4. @CrossOrigin Overridden at Method Level
The homeInit() method will be accessible only from the domain http://example.com. The other methods in HomeController will be accessible from all domains.
```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
@CrossOrigin(origins = "*", allowedHeaders = "*")
public class HomeController {

    // The method-level origins override the class-level "*" for this handler only.
    @CrossOrigin(origins = "http://example.com")
    @GetMapping(path = "/")
    public String homeInit(Model model) {
        return "home";
    }
}
```
2. Spring CORS – Global CORS configuration
2.1. Spring MVC CORS with WebMvcConfigurerAdapter
To enable CORS for the whole application, use WebMvcConfigurerAdapter to add mappings to the CorsRegistry.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
public class CorsConfiguration extends WebMvcConfigurerAdapter {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Every path, but only GET and POST; origins and headers keep Spring's permissive defaults.
        registry.addMapping("/**")
                .allowedMethods("GET", "POST");
    }
}
```
2.2. Spring Boot CORS with WebMvcConfigurer
In a Spring Boot application, it is recommended to just declare a WebMvcConfigurer bean.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class CorsConfiguration {

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                // No restrictions given, so the mapping uses Spring's permissive defaults for every path.
                registry.addMapping("/**");
            }
        };
    }
}
```
2.3. CORS with Spring Security
To enable CORS support through Spring Security, configure a CorsConfigurationSource bean and use the HttpSecurity.cors() configuration.
```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()        // picks up the CorsConfigurationSource bean declared below
            .and();
        // other config
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
        // Note: a fresh CorsConfiguration has no allowed origins; call setAllowedOrigins(...)
        // as well, or no cross-origin request will be accepted.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}
```
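The single "/**" mapping above treats every endpoint the same. The following is an added example, not the article's or Spring's own code, showing how UrlBasedCorsConfigurationSource can carry a different policy per URL pattern, and it exercises the same attributes the table in section 1.1 lists (origins, methods, allowed and exposed headers, credentials, max age). A read-only public API may be read from any origin but only with safe methods and never with credentials; an API that acts on the logged-in user allows credentials and therefore names its one permitted origin explicitly. The paths /public/** and /account/**, the origin https://app.example.com and the header X-Request-Id are assumptions made for the example.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical configuration class; paths, origin and header names are assumed for the example.
@EnableWebSecurity
public class PerPathCorsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()                              // uses the CorsConfigurationSource bean below
            .and()
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        // Public, read-only endpoints: any origin may read them, but only with safe
        // methods and without credentials, so a session cookie never rides along.
        CorsConfiguration publicApi = new CorsConfiguration();
        publicApi.setAllowedOrigins(List.of("*"));
        publicApi.setAllowedMethods(List.of("GET", "HEAD"));
        publicApi.setAllowCredentials(false);
        publicApi.setMaxAge(1800L);               // cache preflight answers for 30 minutes

        // Endpoints acting on the logged-in user: credentials are allowed, so the origin
        // list must be an explicit allow-list (browsers reject "*" together with credentials).
        CorsConfiguration accountApi = new CorsConfiguration();
        accountApi.setAllowedOrigins(List.of("https://app.example.com"));  // assumed front-end origin
        accountApi.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        accountApi.setAllowedHeaders(List.of("Content-Type", "X-Requested-With"));
        accountApi.setExposedHeaders(List.of("X-Request-Id"));              // assumed header the SPA may read
        accountApi.setAllowCredentials(true);
        accountApi.setMaxAge(600L);               // shorter cache so policy changes take effect sooner

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/public/**", publicApi);
        source.registerCorsConfiguration("/account/**", accountApi);
        // Paths registered nowhere get no CORS headers, so browsers block cross-origin reads of them.
        return source;
    }
}
```

Because Spring Security's CorsFilter runs before authentication, the preflight OPTIONS request to /account/** succeeds without credentials while the actual request still has to authenticate; the two policies are looked up by path, so the public mapping never leaks the credentialed one.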