Java Spring Boot 2.0 cross-domain issues

Source: Internet
Author: User

Cross-domain

A resource makes a cross-domain HTTP request (cross-site HTTP request) when it requests a resource from a different domain than the one that served the first resource itself.

For example, a web application in domain A (http://domaina.example) includes an image (http://domainb.foo/image.jpg) from the domain B site (http://domainb.foo) via an <img> tag. The web app for domain A then causes the browser to initiate a cross-site HTTP request. In today's web development, loading resources such as CSS, images, JavaScript and other kinds of resources through cross-site HTTP requests has become common and popular.

As you know, the browser restricts cross-site requests that originate from scripts for security reasons. For example, HTTP requests made with an XMLHttpRequest object must follow the same-origin policy. Specifically, a web application can use the XMLHttpRequest object only to send HTTP requests to the domain it was loaded from, and cannot send requests to any other domain. To build more powerful, richer and more secure web applications, developers want web technology to become more powerful and richer without losing security, for example by being able to use XMLHttpRequest to initiate cross-site HTTP requests.

(The description of cross-domain in the paragraph above is inaccurate: the browser does not restrict the sending of cross-site requests. The request can be sent normally, but the returned result is blocked by the browser. The best example is the principle behind the CSRF cross-site attack, where the request is sent to the backend server regardless of cross-domain! Note: some browsers, such as Chrome and Firefox, do not allow cross-domain access to HTTP from an HTTPS domain; this is a special case in which the request is intercepted before it is issued.)

More: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS

CORS

CORS stands for Cross-Origin Resource Sharing. The server only needs to add the relevant response headers to let the client make cross-domain AJAX requests.

@CrossOrigin
1. Use on the controller: every request mapping in the controller can then be called cross-domain; origins = "*" means any origin may make requests.

    import org.springframework.web.bind.annotation.*;

    // Class-level @CrossOrigin applies to every handler method in the controller
    @CrossOrigin(origins = "http://domain2.com", maxAge = 3600)
    @RestController
    @RequestMapping("/account")
    public class AccountController {

        @RequestMapping("/{id}")
        public Account retrieve(@PathVariable Long id) {
            // ...
        }

        @RequestMapping(method = RequestMethod.DELETE, path = "/{id}")
        public void remove(@PathVariable Long id) {
            // ...
        }
    }

2. Use on methods

    import org.springframework.web.bind.annotation.*;

    // Class-level @CrossOrigin sets maxAge for all handler methods
    @CrossOrigin(maxAge = 3600)
    @RestController
    @RequestMapping("/account")
    public class AccountController {

        // Method-level @CrossOrigin names the allowed origin for this handler
        @CrossOrigin("http://domain2.com")
        @RequestMapping("/{id}")
        public Account retrieve(@PathVariable Long id) {
            // ...
        }

        @RequestMapping(method = RequestMethod.DELETE, path = "/{id}")
        public void remove(@PathVariable Long id) {
            // ...
        }
    }

Another method:

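The main job of CorsFilter is to add the relevant response headers, so the same result can also be achieved with a filter.

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    @Configuration
    public class BeanConfiguration {

        @Bean
        public CorsFilter corsFilter() {
            final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
            final CorsConfiguration corsConfiguration = new CorsConfiguration();
            // Credentials plus the "*" origin below lets every origin send credentialed requests
            corsConfiguration.setAllowCredentials(true);
            corsConfiguration.addAllowedOrigin("*");
            corsConfiguration.addAllowedHeader("*");
            corsConfiguration.addAllowedMethod("*");
            // Apply this CORS configuration to every path
            urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
            return new CorsFilter(urlBasedCorsConfigurationSource);
        }
    }
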
    • Access-Control-Allow-Origin: The client origin that is allowed access, for example: http://web.xxx.com. If it is *, the resource is accessible from any domain, without any restrictions.
    • Access-Control-Allow-Methods: The HTTP methods that are allowed; multiple method names are separated by commas, for example: GET, POST, PUT, DELETE, OPTIONS.
    • Access-Control-Allow-Credentials: Whether to allow requests that carry authentication information; to obtain a cookie under the client domain, set it to true.
    • Access-Control-Allow-Headers: The client request headers that the server allows, with multiple request headers separated by commas, for example: Content-Type.
    • Access-Control-Expose-Headers: The server-side response headers that the client is allowed to read, with multiple response headers separated by commas.
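
In Spring Boot 2.0, addAllowedOrigin("*") combined with setAllowCredentials(true) makes Spring echo back whatever Origin the request carries, so every site may send credentialed requests (Spring Framework 5.3 and later refuse the combination). The added example below, which is not code from the original article, sets the five headers listed above for a single trusted origin; the class name, the origin http://web.example.com and the exposed Location header are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Added example: class name and origin are assumptions for illustration.
@Configuration
public class RestrictedCorsConfiguration {

    // Builds the policy; each setter controls one Access-Control-* response header.
    static CorsConfiguration trustedPolicy() {
        CorsConfiguration cors = new CorsConfiguration();
        // Access-Control-Allow-Origin: one named origin instead of "*"
        cors.setAllowedOrigins(Collections.singletonList("http://web.example.com"));
        // Access-Control-Allow-Methods
        cors.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Access-Control-Allow-Headers
        cors.setAllowedHeaders(Collections.singletonList("Content-Type"));
        // Access-Control-Expose-Headers (Location is an assumed example header)
        cors.setExposedHeaders(Collections.singletonList("Location"));
        // Access-Control-Allow-Credentials: cookies accepted from the trusted origin only
        cors.setAllowCredentials(true);
        // Access-Control-Max-Age: let the browser cache the preflight result for one hour
        cors.setMaxAge(3600L);
        return cors;
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", trustedPolicy());
        return new CorsFilter(source);
    }

    // Check the policy without starting the application: checkOrigin returns the
    // value to send in Access-Control-Allow-Origin, or null if the origin is rejected.
    public static void main(String[] args) {
        CorsConfiguration cors = trustedPolicy();
        System.out.println("trusted: " + cors.checkOrigin("http://web.example.com"));
        System.out.println("other:   " + cors.checkOrigin("http://other.example.net"));
    }
}
```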
