CORS 即CrossOrigin Resources Sharing-跨域资源共享,它定义了一种浏览器和服务器交互的方式来确定是否允许跨域请求。它是一个妥协,有更大的灵活性,但比起简单地允许所有这些的要求来说更加安全。简言之,CORS就是为了让AJAX可以实现可控的跨域访问而生的。
注意 CORS也具有一定的风险性,比如请求中只能说明来自于一个特定的域但不能验证是否可信,而且也容易被第三方入侵。
实现CORS的几种方式
通过自定义Filter
public class CorsFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");
httpServletResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
httpServletResponse.setHeader("Access-Control-Max-Age", "3600");
httpServletResponse.setHeader("Access-Control-Allow-Headers",
"Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");// 允许cookie
chain.doFilter(request, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
}
corsFilter
com.springmvc.filter.CorsFilter
corsFilter
*.do
Spring3, Maven工程直接引用第三方依赖
com.thetransactioncompany
cors-filter
[ version ]
CORS
com.thetransactioncompany.cors.CORSFilter
cors.allowOrigin
*
cors.supportedMethods
GET, POST, HEAD, PUT, DELETE
cors.supportedHeaders
Accept, Origin, X-Requested-With, Content-Type, Last-Modified
cors.exposedHeaders
Set-Cookie
cors.supportsCredentials
true
CORS
/*
Spring 4.2以上
由于Spring 4.2版本开始,不需要引用第三方依赖:
在Spring MVC 中增加CORS支持非常简单,可以配置全局的规则,也可以使用@CrossOrigin注解进行细粒度的配置。
1.全局配置
配置在spring.xml文件中:
allowed-origins="http://domain1.com, http://domain2.com"
allowed-methods="GET, PUT"
allowed-headers="header1, header2, header3"
exposed-headers="header1, header2" allow-credentials="false"
max-age="123" />
allowed-origins="http://domain1.com" />
2.注解
可以作用在controller级别和method级别:
@CrossOrigin(origins = {"http://localhost:8585"}, maxAge = 4800, allowCredentials = "false")
@RestController
@RequestMapping("info")
public class PersonController {
@Autowired
private PersonService service;
@CrossOrigin(origins = {"http://localhost:8787"}, maxAge = 6000)
@RequestMapping("home")
public List showData() {
List list = service.getAllPerson();
return list;
}
@RequestMapping("nexthome")
public List showDataNext() {
List list = service.getAllPerson();
return list;
}
}
SpringBoot
@Configuration
@EnableWebMvc
public class AppConfig extends WebMvcConfigurerAdapter {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/info/**")
.allowedOrigins("http://localhost:8585", "http://localhost:8787")
.allowedMethods("POST", "GET", "PUT", "OPTIONS", "DELETE")
.allowedHeaders("X-Auth-Token", "Content-Type")
.exposedHeaders("custom-header1", "custom-header2")
.allowCredentials(false)
.maxAge(4800);
}
}
感谢阅读这份文档,希望有帮忙到您。