Table of Contents
  1. Controller method CORS configuration
    1.1. for a method
    1.2. for the controller
    1.3. both of controller and method
  2. Global CORS configuration
    2.1. JavaConfig
    2.2. Filter based CORS support
  3. CORS of REST of Spring
  4. References

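For security reasons, browsers forbid cross-origin AJAX requests. Since Spring 4.2, cross-origin resource sharing (CORS) is supported out of the box. CORS requests (including preflight requests that use the OPTIONS method) are automatically dispatched to the various registered HandlerMappings. These handle CORS preflight requests and intercept simple and actual CORS requests. It is the CorsProcessor implementation (DefaultCorsProcessor by default) that adds the headers you configured to the relevant CORS responses.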

Controller method CORS configuration

You can add an @CrossOrigin annotation to your @RequestMapping annotated handler method in order to enable CORS on it.

for a method

By default, @CrossOrigin allows all origins and the HTTP methods specified in the @RequestMapping annotation. For example:

src/main/java/com.mengyunzhi/controller/PersonController.java

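import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/Person")
public class PersonController {
    @Autowired
    private PersonRepository personRepository;

    // CORS is enabled for this handler method only, with the annotation defaults
    @CrossOrigin
    @RequestMapping("/{id}")
    public Person getOnePerson(@PathVariable Long id) {
        return personRepository.findOne(id);
    }
}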

for the controller

You can also enable CORS for the whole controller and restrict it to specific origins. For example:

src/main/java/com.mengyunzhi/controller/PersonController.java

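import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

// CORS applies to every handler method in this controller,
// but only for requests from http://localhost:9000
@CrossOrigin(origins = "http://localhost:9000")
@RestController
@RequestMapping("/Person")
public class PersonController {
    @Autowired
    private PersonRepository personRepository;

    @RequestMapping("/{id}")
    public Person getOnePerson(@PathVariable Long id) {
        return personRepository.findOne(id);
    }
}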

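The CORS support in the example above applies to the controller's handler methods (retrieve() and remove() in the Spring documentation's version of this example). You can also customize the CORS configuration through the attributes of @CrossOrigin.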

both of controller and method

You can also use controller-level and method-level CORS configuration together; Spring combines the two to produce the effective configuration. For example:

src/main/java/com.mengyunzhi/controller/PersonController.java

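import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

// Controller-level setting: preflight responses may be cached for 3600 seconds
@CrossOrigin(maxAge = 3600)
@RestController
@RequestMapping("/Person")
public class PersonController {
    @Autowired
    private PersonRepository personRepository;

    // Method-level setting: only http://localhost:9000 is an allowed origin
    @CrossOrigin(origins = "http://localhost:9000")
    @RequestMapping("/{id}")
    public Person getOnePerson(@PathVariable Long id) {
        return personRepository.findOne(id);
    }
}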

Global CORS configuration

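In addition to fine-grained, annotation-based configuration, you can also define a global CORS configuration. By default, all origins and the GET, HEAD and POST methods are allowed.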

JavaConfig

A simple example:

src/main/java/com.mengyunzhi/config/WebConfig.java

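import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.*;

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addCorsMappings(CorsRegistry corsRegistry) {
        // Allow access from all origins
        corsRegistry.addMapping("/**");
    }
}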

You can also configure the related properties:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.*;

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addCorsMappings(CorsRegistry corsRegistry) {
        // Allow access from all origins
        corsRegistry.addMapping("/**")
                .allowedHeaders("*")
                .allowedOrigins("*")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD")
                .maxAge(3600);
    }
}
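
A narrower alternative to the wildcard configuration above, as an added example that is not from the original post: it lists the permitted origin explicitly, scopes the mapping to one path and limits methods and headers. The class name RestrictedCorsConfig, the constant ALLOWED_ORIGINS and the assumption that http://localhost:9000 is the only front end are illustrative.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

// Added example (not from the original post). RestrictedCorsConfig and
// ALLOWED_ORIGINS are hypothetical names; use this class instead of the
// wildcard WebConfig, not alongside it.
@Configuration
@EnableWebMvc
public class RestrictedCorsConfig extends WebMvcConfigurerAdapter {

    // Assumption: the only browser front end that calls this API is served
    // from http://localhost:9000, the origin used in the @CrossOrigin examples.
    private static final String[] ALLOWED_ORIGINS = { "http://localhost:9000" };

    @Override
    public void addCorsMappings(CorsRegistry corsRegistry) {
        corsRegistry.addMapping("/Person/**")          // only the Person endpoints
                .allowedOrigins(ALLOWED_ORIGINS)       // explicit list instead of "*"
                .allowedMethods("GET", "HEAD")         // read-only from other origins
                .allowedHeaders("Accept", "Content-Type")
                // Set explicitly rather than relying on the framework default,
                // which differs between Spring versions.
                .allowCredentials(false)
                .maxAge(3600);
        // Paths without a mapping get no CORS response headers, so browsers
        // refuse to expose their responses to scripts from other origins.
    }
}
```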

Filter based CORS support

TODO: continue reading the book

CORS of REST of Spring

Because repository REST and MVC are controlled by two separate classes, CORS has to be configured for each of them separately.

src/main/java/com.mengyunzhi/config/GlobalRepositoryRestConfigurer

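import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurerAdapter;

@Configuration
public class GlobalRepositoryRestConfigurer extends RepositoryRestConfigurerAdapter {
    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
        config.getCorsRegistry()
                .addMapping("/**") // path mapping
                .allowedOrigins("*") // allowed origins
                .allowedHeaders("*") // allowed headers
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"); // allowed request methods
    }
}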

References

CORS Support, Spring DOCS
Class RepositoryRestConfigurerAdapter, Spring DOCS
Cross-Origin Resource Sharing (CORS) Explained, Ruan Yifeng's blog
