跨源资源共享(CORS)概念、实现（用Spring）、起源介绍

本文内容引用自：

https://howtodoinjava.com/spring5/webmvc/spring-mvc-cors-configuration/

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

基本概念

　　　跨源资源共享(Cross-Origin Resource Sharing, CORS)是一种机制，它使用额外的HTTP头文件告诉浏览器，让在一个源(域)运行的web应用程序有权访问来自不同源服务器的选定资源。当web应用程序请求源(域、协议和端口)与自己的源不同的资源时，它将执行跨源HTTP请求。

跨源请求的示例：

　　来自http://domain-a.com的Web应用程序的前端JavaScript代码使用XMLHttpRequest来请求http://api.domain-b.com/data.json 。

安全策略

　　出于安全原因，浏览器限制从脚本内发起的跨源HTTP请求。例如，XMLHttpRequest与提取API遵循同源策略。这意味着使用这些API的Web应用程序只能从加载应用程序的同一源请求HTTP资源，除非来自其他来源的响应包含正确的CORS标头。

implementation in Spring

1. Spring CORS – Method level with @CrossOrigin

Spring MVC provides @CrossOrigin annotation. This annotation marks the annotated method or type as permitting cross origin requests.

1.1. Spring CORS allow all

By default, @CrossOrigin allows all origins, all headers, the HTTP methods specified in the @RequestMapping annotation and a maxAge of 30 minutes.

You can override default CORS settings by giving value to annotation attributes :

ATTRIBUTE	DESCRIPTION
`origins`	List of allowed origins. It’s value is placed in the `Access-Control-Allow-Origin` header of both the pre-flight response and the actual response. – `*` – means that all origins are allowed. – If undefined, all origins are allowed.
`allowedHeaders`	List of request headers that can be used during the actual request. Value is used in preflight’s response header `Access-Control-Allow-Headers`. – `*` – means that all headers requested by the client are allowed. – If undefined, all requested headers are allowed.
`methods`	List of supported HTTP request methods. If undefined, methods defined by `RequestMapping` annotation are used.
`exposedHeaders`	List of response headers that the browser will allow the client to access. Value is set in actual response header `Access-Control-Expose-Headers`. – If undefined, an empty exposed header list is used.
`allowCredentials`	It determine whether browser should include any cookies associated with the request. – `false` – cookies should not included. – `""` (empty string) – means undefined. – `true` – pre-flight response will include the header `Access-Control-Allow-Credentials` with value set to true. – If undefined, credentials are allowed.
`maxAge`	maximum age (in seconds) of the cache duration for pre-flight responses. Value is set in header `Access-Control-Max-Age`. – If undefined, max age is set to 1800 seconds (30 minutes).

1.2. @CrossOrigin at Class/Controller Level

HomeController.java
`@CrossOrigin(origins =` `"", allowedHeaders =` `"")` `@Controller` `public` `class` `HomeController` `{` `@GetMapping(path="/")` `public` `String homeInit(Model model) {` `return` `"home";` `}` `}`

Read More – Spring 5 MVC Example

1.3. @CrossOrigin at Method Level

HomeController.java
`@Controller` `public` `class` `HomeController` `{` `@CrossOrigin(origins =` `"", allowedHeaders =` `"")` `@GetMapping(path="/")` `public` `String homeInit(Model model) {` `return` `"home";` `}` `}`

1.4. @CrossOrigin Overridden at Method Level

homeInit() method will be accessible only from domain http://example.com. Rest other methods in HomeController will be accessible from all domains.

HomeController.java
`@Controller` `@CrossOrigin(origins =` `"", allowedHeaders =` `"")` `public` `class` `HomeController` `{` `@CrossOrigin(origins =` `"http://example.com")` `@GetMapping(path="/")` `public` `String homeInit(Model model) {` `return` `"home";` `}` `}`

2. Spring CORS – Global CORS configuration

2.1. Spring MVC CORS with WebMvcConfigurerAdapter

To enable CORS for the whole application, use WebMvcConfigurerAdapter to add CorsRegistry.

CorsConfiguration.java
`@Configuration` `@EnableWebMvc` `public` `class` `CorsConfiguration` `extends` `WebMvcConfigurerAdapter` `{` `@Override` `public` `void` `addCorsMappings(CorsRegistry registry) {` `registry.addMapping("/**")` `.allowedMethods("GET",` `"POST");` `}` `}`

2.2. Spring Boot CORS with WebMvcConfigurer

In spring boot application, it is recommended to just declare a WebMvcConfigurer bean.

CorsConfiguration.java
`@Configuration` `public` `class` `CorsConfiguration` `{` `@Bean` `public` `WebMvcConfigurer corsConfigurer()` `{` `return` `new` `WebMvcConfigurerAdapter() {` `@Override` `public` `void` `addCorsMappings(CorsRegistry registry) {` `registry.addMapping("/**");` `}` `};` `}` `}`

2.3. CORS with Spring Security

To enable CORS support through Spring security, configure CorsConfigurationSource bean and use HttpSecurity.cors() configuration.

WebSecurityConfig.java
`@EnableWebSecurity` `public` `class` `WebSecurityConfig` `extends` `WebSecurityConfigurerAdapter {` `@Override` `protected` `void` `configure(HttpSecurity http)` `throws` `Exception {` `http.cors().and()` `//other config` `}` `@Bean` `CorsConfigurationSource corsConfigurationSource()` `{` `CorsConfiguration configuration =` `new` `CorsConfiguration();` `configuration.setAllowedOrigins(Arrays.asList("https://example.com"));` `configuration.setAllowedMethods(Arrays.asList("GET","POST"));` `UrlBasedCorsConfigurationSource source =` `new` `UrlBasedCorsConfigurationSource();` `source.registerCorsConfiguration("/**", configuration);` `return` `source;` `}` `}`