Spring MVC cross-domain request processing--spring 4.2 or more

Controller Method CORS Configuration

You can add to your @RequestMapping annotated handler method a @CrossOrigin annotation in order to enable CORS on it (by default @CrossOrigin allo WS all Origins and the HTTP methods specified in the @RequestMapping annotation):

@RestController@RequestMapping("/account")Public Class AccountController {@CrossOrigin@RequestMapping("/{id}")Public AccountRetrieve(@PathVariable LongId) {// ...} @RequestMapping  ( Method = requestmethod., value =  "/{id}" public void  Remove ( @PathVariable   Long Id)  {//... }}       /span>                

It is also possible to enable CORS for the whole controller:

@CrossOrigin(Origins= "Http://domain2.com",MaxAge= 3600)@RestController@RequestMapping("/account")Public Class AccountController {@RequestMapping("/{id}")Public AccountRetrieve(@PathVariable LongId) {// ...} @RequestMapping  ( Method = requestmethod., value =  "/{id}" public void  Remove ( @PathVariable   Long Id)  {//... }}       /span>                

In this example CORS retrieve() remove() are enabled for both and handler methods, and can also see how can Customi Ze the CORS configuration using @CrossOrigin attributes.

You can even with both controller and method level CORS configurations, Spring would then combine both annotation attributes To create a merged CORS configuration.

@CrossOrigin(MaxAge= 3600)@RestController@RequestMapping("/account")Public Class AccountController {@CrossOrigin(Origins= "Http://domain2.com")@RequestMapping("/{id}")Public AccountRetrieve(@PathVariable LongId) {// ...} @RequestMapping  ( Method = requestmethod., value =  "/{id}" public void  Remove ( @PathVariable   Long Id)  {//... }}       /span>                

Global CORS Configuration

In addition to fine-grained, annotation-based configuration you ' ll probably want to define some global CORS configuration as well. This was similar to using filters but can being declared withing Spring MVC and combined with fine-grained @CrossOrigin configuration . By default all Origins GET and, HEAD and POST methods is allowed.

Javaconfig

Enabling CORS for the whole application are as simple as:

@Configuration@EnableWebMvcpublic class webconfig  extends webmvcconfigureradapter { @Override public void addcorsmappings  (corsregistry Registry)  {registry.}}          /span>                

You can easily the change any properties, as-well as-only apply this CORS configuration to a specific path pattern:

@Configuration@EnableWebMvcPublic Class Webconfig Extends Webmvcconfigureradapter {@OverridePublic voidAddcorsmappings(CorsregistryRegistry) {Registry.Addmapping("/api/**").Allowedorigins("Http://domain2.com").Allowedmethods("PUT", "DELETE"). ( "header1" ,  "Header2" ,  "Header3" . ( "header1" ,  "Header2" ) .false3600}}          /span>                 

XML namespace

It is also possible to configure CORS with the MVC XML namespace.

This minimal XML configuration enable CORS in /** path pattern with the same default properties than the Javaconfig one:

<mvc:cors><mvc:mapping path="/**" /></mvc:cors>

It is also possible to declare several CORS mappings with customized properties:

<mvc:cors><mvc:mapping Path="/api/**"Allowed-origins="Http://domain1.com, http://domain2.com"Allowed-methods="GET, PUT"allowed-headers= "header1, Header2, Header3" exposed-headers= "header1, Header2"  allow-credentials= "false" < Span class= "ATN" >max-age= "123"  />< Span class= "PLN" ><mvc:mapping path=< Span class= "ATV" > "/resources/**" allowed-origins=  "http://domain1.com"  /></MVC:CORS>              

How does does it work?

CORS requests (including preflight ones with an OPTIONS method) is automatically dispatched to the various HandlerMapping s Registere D. They handle cors preflight requests and intercept cors simple and actual requests thanks to a corsprocessor implementat Ion (Defaultcorsprocessor by default) in order to add the relevant CORS response headers (like Access-Control-Allow-Origin ). Corsconfiguration allows specify how the CORS requests should is processed:allowed origins, headers, methods, etc. It can provided in various ways:

• AbstractHandlerMapping#setCorsConfiguration()Allows to specify a with Map severalcorsconfiguration mapped on path patterns like/api/**
• Subclasses can provide their own by CorsConfiguration overriding AbstractHandlerMapping#getCorsConfiguration(Object, HttpServletRequest) method
• Handlers can implement CorsConfigurationSource interface (like Today ResourceHttpRequestHandler does) in order to provide a corsconfiguration for each request.

Spring MVC cross-domain request processing--spring 4.2 or more