CORS support in Spring Framework (official post)
Original article: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework
For security reasons, browsers prohibit AJAX calls to resources residing outside the current origin. For example, as you’re checking your bank account in one tab, you could have the evil.com website in another tab. The scripts from evil.com shouldn’t be able to make AJAX requests to your bank API (withdrawing money from your account!) using your credentials.
Cross-origin resource sharing (CORS) is a W3C specification implemented by most browsers that allows you to specify in a flexible way what kind of cross-domain requests are authorized, instead of using less secure and less powerful hacks like IFrame or JSONP.
Spring Framework 4.2 GA provides first class support for CORS out-of-the-box, giving you an easier and more powerful way to configure it than typical filter based solutions.
Spring MVC provides high-level configuration facilities, described below.
Controller method CORS configuration
You can add a @CrossOrigin annotation to a @RequestMapping annotated handler method in order to enable CORS on it. By default @CrossOrigin allows all origins and the HTTP methods specified in the @RequestMapping annotation, so a handler that returns per-user data should list its allowed origins explicitly rather than rely on the default:
```java
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/account")
public class AccountController {

    // CORS enabled for this handler only (all origins by default)
    @CrossOrigin
    @RequestMapping("/{id}")
    public Account retrieve(@PathVariable Long id) {
        // ...
    }

    // no @CrossOrigin: CORS is not enabled for this handler
    @RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
    public void remove(@PathVariable Long id) {
        // ...
    }
}
```
It is also possible to enable CORS for the whole controller:
```java
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Class-level annotation: applies to every handler method in the controller,
// restricted to a single explicit origin with a one-hour preflight cache
@CrossOrigin(origins = "http://domain2.com", maxAge = 3600)
@RestController
@RequestMapping("/account")
public class AccountController {

    @RequestMapping("/{id}")
    public Account retrieve(@PathVariable Long id) {
        // ...
    }

    @RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
    public void remove(@PathVariable Long id) {
        // ...
    }
}
```
In this example CORS support is enabled for both the retrieve() and remove() handler methods, and you can also see how you can customize the CORS configuration using @CrossOrigin attributes.
You can even use both controller and method level CORS configurations, Spring will then combine both annotation attributes to create a merged CORS configuration.
```java
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@CrossOrigin(maxAge = 3600)
@RestController
@RequestMapping("/account")
public class AccountController {

    // merged configuration: maxAge from the class, origins from the method
    @CrossOrigin(origins = "http://domain2.com")
    @RequestMapping("/{id}")
    public Account retrieve(@PathVariable Long id) {
        // ...
    }

    // only the class-level configuration applies here
    @RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
    public void remove(@PathVariable Long id) {
        // ...
    }
}
```
Global CORS configuration
In addition to fine-grained, annotation-based configuration you'll probably want to define some global CORS configuration as well. This is similar to using filters but can be declared within Spring MVC and combined with fine-grained @CrossOrigin configuration. By default all origins and the GET, HEAD and POST methods are allowed.
JavaConfig
Enabling CORS for the whole application is as simple as:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // all origins, GET/HEAD/POST, on every path
        registry.addMapping("/**");
    }
}
```
You can easily change any properties, as well as only apply this CORS configuration to a specific path pattern:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
            .allowedOrigins("http://domain2.com")
            .allowedMethods("PUT", "DELETE")
            .allowedHeaders("header1", "header2", "header3")
            .exposedHeaders("header1", "header2")
            .allowCredentials(false).maxAge(3600);
    }
}
```
XML namespace
It is also possible to configure CORS with the mvc XML namespace.
This minimal XML configuration enables CORS on the /** path pattern with the same default properties as the JavaConfig one:
```xml
<mvc:cors>
    <mvc:mapping path="/**" />
</mvc:cors>
```
It is also possible to declare several CORS mappings with customized properties:
```xml
<mvc:cors>
    <mvc:mapping path="/api/**"
        allowed-origins="http://domain1.com, http://domain2.com"
        allowed-methods="GET, PUT"
        allowed-headers="header1, header2, header3"
        exposed-headers="header1, header2" allow-credentials="false"
        max-age="123" />
    <mvc:mapping path="/resources/**"
        allowed-origins="http://domain1.com" />
</mvc:cors>
```
How does it work?
CORS requests (including preflight ones with an OPTIONS method) are automatically dispatched to the various HandlerMappings registered. They handle CORS preflight requests and intercept CORS simple and actual requests thanks to a CorsProcessor implementation (DefaultCorsProcessor by default) in order to add the relevant CORS response headers (like Access-Control-Allow-Origin). CorsConfiguration allows you to specify how the CORS requests should be processed: allowed origins, headers, methods, etc. It can be provided in various ways:
- AbstractHandlerMapping#setCorsConfiguration() allows you to specify a Map with several CorsConfiguration instances mapped on path patterns like /api/**
- Subclasses can provide their own CorsConfiguration by overriding the AbstractHandlerMapping#getCorsConfiguration(Object, HttpServletRequest) method
- Handlers can implement the CorsConfigurationSource interface (like ResourceHttpRequestHandler now does) in order to provide a CorsConfiguration for each request.
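The processing just described, and the checks that sit behind the global mapping properties (allowed origins, methods, headers, credentials, max age), as an added example written for this page rather than code from Spring itself: a stand-alone Python model of what a CorsProcessor does with a CorsConfiguration for a preflight and for an actual request. The names CorsConfig, process and reflects_any_origin_with_credentials are this model's own; API_MAPPING and FILTER_CONFIG are rebuilt from the configurations shown on this page, and OPEN_WITH_CREDENTIALS is a constructed configuration used only to show why allowing every origin together with credentials must be refused. The Vary: Origin header is emitted here as caching hygiene and is not something the page claims Spring 4.2 sends.

```python
"""Model of CORS request processing against a configuration (illustration only,
not Spring's code): preflight and actual requests, plus the review check for
the wildcard-origin-with-credentials combination."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALL = "*"


@dataclass
class CorsConfig:
    """The same properties the page's @CrossOrigin / addMapping calls set."""
    allowed_origins: List[str] = field(default_factory=lambda: [ALL])
    allowed_methods: List[str] = field(default_factory=lambda: ["GET", "HEAD", "POST"])
    allowed_headers: List[str] = field(default_factory=lambda: [ALL])
    exposed_headers: List[str] = field(default_factory=list)
    allow_credentials: bool = False
    max_age: Optional[int] = None

    def check_origin(self, origin: Optional[str]) -> Optional[str]:
        """Value for Access-Control-Allow-Origin, or None if the origin is refused."""
        if not origin:
            return None
        if ALL in self.allowed_origins:
            # A literal "*" cannot be combined with credentials by the browser, so a
            # processor echoes the caller's origin instead: every site is accepted.
            return origin if self.allow_credentials else ALL
        for allowed in self.allowed_origins:
            if allowed.lower() == origin.lower():
                return origin
        return None

    def check_method(self, method: str) -> Optional[List[str]]:
        """Methods to advertise, or None if the requested method is refused."""
        if ALL in self.allowed_methods:
            return [method]
        return list(self.allowed_methods) if method in self.allowed_methods else None

    def check_headers(self, requested: List[str]) -> Optional[List[str]]:
        """Requested headers that may be sent, or None if none of them may."""
        if not requested:
            return []
        if ALL in self.allowed_headers:
            return list(requested)
        allowed = {h.lower() for h in self.allowed_headers}
        kept = [h for h in requested if h.lower() in allowed]
        return kept or None


def process(config: CorsConfig, method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, CORS response headers). 200 with headers: request passes (a
    preflight is answered directly, an actual request continues to the handler);
    200 with no headers: not a CORS request; 403: refused, like Spring's
    "Invalid CORS request" response."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return 200, {}  # no Origin header: not a CORS request, nothing to add
    preflight = method == "OPTIONS" and "access-control-request-method" in h
    target_method = h["access-control-request-method"] if preflight else method
    requested: List[str] = []
    if preflight:
        raw = h.get("access-control-request-headers", "")
        requested = [x.strip() for x in raw.split(",") if x.strip()]

    allow_origin = config.check_origin(origin)
    allow_methods = config.check_method(target_method)
    allow_headers = config.check_headers(requested)
    if allow_origin is None or allow_methods is None or allow_headers is None:
        return 403, {}

    out = {"Access-Control-Allow-Origin": allow_origin, "Vary": "Origin"}
    if config.allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        out["Access-Control-Allow-Methods"] = ", ".join(allow_methods)
        if allow_headers:
            out["Access-Control-Allow-Headers"] = ", ".join(allow_headers)
        if config.max_age is not None:
            out["Access-Control-Max-Age"] = str(config.max_age)
    elif config.exposed_headers:
        out["Access-Control-Expose-Headers"] = ", ".join(config.exposed_headers)
    return 200, out


def reflects_any_origin_with_credentials(config: CorsConfig) -> bool:
    """Review check: every origin allowed *and* credentials allowed."""
    return ALL in config.allowed_origins and config.allow_credentials


# Rebuilt from the page: registry.addMapping("/api/**") in the JavaConfig section.
API_MAPPING = CorsConfig(
    allowed_origins=["http://domain2.com"], allowed_methods=["PUT", "DELETE"],
    allowed_headers=["header1", "header2", "header3"],
    exposed_headers=["header1", "header2"], allow_credentials=False, max_age=3600)
# Rebuilt from the page: the CorsFilter bean in the Spring Boot section.
FILTER_CONFIG = CorsConfig(
    allowed_origins=["http://domain1.com"], allowed_methods=[ALL],
    allowed_headers=[ALL], allow_credentials=True)
# Constructed for illustration: the combination a reviewer should refuse.
OPEN_WITH_CREDENTIALS = CorsConfig(allowed_origins=[ALL], allow_credentials=True)

if __name__ == "__main__":
    print(process(API_MAPPING, "OPTIONS", {"Origin": "http://domain2.com",
          "Access-Control-Request-Method": "PUT",
          "Access-Control-Request-Headers": "header1, X-Custom"}))
    print(process(OPEN_WITH_CREDENTIALS, "GET", {"Origin": "http://evil.com"}))
```

Running the file prints the preflight answer for the /api/** mapping (only header1 of the two requested headers is allowed, PUT and DELETE are advertised, max age 3600) and then the reflected origin for the open configuration. That last case is the one the introduction's bank example warns about: because a browser will not accept Access-Control-Allow-Origin: * alongside Access-Control-Allow-Credentials: true, a processor configured with a wildcard origin and credentials echoes whatever origin asked, and evil.com gets a credentialed, readable response.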
Spring Boot integration
CORS support will be available in the upcoming Spring Boot 1.3 release, and is already available in the 1.3.0.BUILD-SNAPSHOT builds.
Using controller method CORS configuration with @CrossOrigin annotations in your Spring Boot application does not require any specific configuration.
Global CORS configuration can be defined by registering a WebMvcConfigurer bean with a customized addCorsMappings(CorsRegistry) method:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MyConfiguration {

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/api/**");
            }
        };
    }
}
```
Filter based CORS support
In order to support CORS with filter-based security frameworks like Spring Security, or with other projects that do not natively support CORS yet, like Spring Data REST, we also provide a CorsFilter. In that case, instead of using @CrossOrigin or WebMvcConfigurer#addCorsMappings(CorsRegistry), you can for example declare the filter as follows in your Spring Boot application:
```java
import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class MyConfiguration {

    @Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        // Credentials are allowed, so the origin is listed explicitly:
        // do not pair setAllowCredentials(true) with addAllowedOrigin("*")
        config.setAllowCredentials(true);
        config.addAllowedOrigin("http://domain1.com");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        // high precedence so preflights are answered and CORS headers added
        // before the security filter chain sees the request
        bean.setOrder(0);
        return bean;
    }
}
```