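Previously, with Spring Boot 1.5.x, enabling CORS usually meant adding the @CrossOrigin annotation directly on a controller or on an individual method, as in the following code: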
/**
 * @author chenws
 * @description
 * @date 2018/10/18
 */
@RestController
@RequestMapping(value = "xxx")
@CrossOrigin(maxAge = 3600)
public class BuildShapeController {
    @CrossOrigin(maxAge = 3600)
    @ApiOperation("xxx")
    @RequestMapping(value = "/xxx", method = RequestMethod.POST)
    public ResponseVO<List<xxx>> listShape(@RequestBody xxx xxx){}
}
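This worked without any problems. In Spring Boot 2.0 (Spring Framework 5.0.2 and later), however, the approach above no longer works: the setting has no effect. I went through any number of articles online, all of which described the Spring Boot 1.x approach, and none of them solved it. Only when I found this article by 碩果 was the problem resolved; many thanks again. Article: "SpringBoot 2.0 @CrossOrigin 无法跨域问题" (SpringBoot 2.0: @CrossOrigin fails to enable cross-origin requests).
Looking at the @CrossOrigin source:
Spring Framework 4.3.12: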
/**
 * Whether the browser should include any cookies associated with the
 * domain of the request being annotated.
 * <p>Set to {@code "false"} if such cookies should not included.
 * An empty string ({@code ""}) means <em>undefined</em>.
 * {@code "true"} means that the pre-flight response will include the header
 * {@code Access-Control-Allow-Credentials=true}.
 * <p>If undefined, credentials are allowed.
 */
String allowCredentials() default "";
Spring Framework 5.0.2:
/**
 * Whether the browser should send credentials, such as cookies along with
 * cross domain requests, to the annotated endpoint. The configured value is
 * set on the {@code Access-Control-Allow-Credentials} response header of
 * preflight requests.
 * <p><strong>NOTE:</strong> Be aware that this option establishes a high
 * level of trust with the configured domains and also increases the surface
 * attack of the web application by exposing sensitive user-specific
 * information such as cookies and CSRF tokens.
 * <p>By default this is not set in which case the
 * {@code Access-Control-Allow-Credentials} header is also not set and
 * credentials are therefore not allowed.
 */
String allowCredentials() default "";
By default this is not set in which case the {@code Access-Control-Allow-Credentials} header is also not set and credentials are therefore not allowed.
From 5.0.2 on, allowCredentials defaults to false. Next, look at DefaultCorsProcessor:
if (Boolean.TRUE.equals(config.getAllowCredentials())) {
    responseHeaders.setAccessControlAllowCredentials(true);
}
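The Access-Control-Allow-Credentials response header is set to true only when allowCredentials is true.
As a result, any cross-origin request in which the client sends cookies fails.
Solution:
Set allowCredentials to true in the annotation: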
@CrossOrigin(allowCredentials="true",maxAge = 3600)
With that, the problem is solved.
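Because @CrossOrigin allows all origins unless `origins` is set, enabling credentials is safer with an explicit origin list. The MockMvc test below is an added example, not code from the original article, that checks a credentialed preflight from a trusted origin succeeds and a request from any other origin is rejected. The controller, the `/shapes` path and both origins are constructed for illustration, and spring-test plus JUnit 4 are assumed to be on the classpath.

```java
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.*;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

public class CredentialedCorsTest {

    // Constructed sample origin: the only front end allowed to send cookies.
    static final String TRUSTED = "https://app.example.com";

    // Hypothetical controller standing in for the article's BuildShapeController.
    @RestController
    @RequestMapping("/shapes")
    @CrossOrigin(origins = TRUSTED, allowCredentials = "true", maxAge = 3600)
    static class ShapeController {
        @PostMapping
        public String listShape() { return "ok"; }
    }

    private final MockMvc mvc =
            MockMvcBuilders.standaloneSetup(new ShapeController()).build();

    @Test
    public void preflightFromTrustedOriginAllowsCredentials() throws Exception {
        // Browser preflight: OPTIONS with Origin and Access-Control-Request-Method.
        mvc.perform(options("/shapes")
                .header(HttpHeaders.ORIGIN, TRUSTED)
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
           .andExpect(status().isOk())
           .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, TRUSTED))
           .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"));
    }

    @Test
    public void requestFromOtherOriginIsRejected() throws Exception {
        // An origin outside the list gets 403 and no CORS response headers.
        mvc.perform(post("/shapes").header(HttpHeaders.ORIGIN, "https://other.example.net"))
           .andExpect(status().isForbidden())
           .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN))
           .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    }
}
```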