Spring Boot + Ajax cross-domain security problem and its solution

Source: Internet
Author: User

0. Cross-domain security issues

In the course of learning Spring Boot, we ran into the following problem. The REST service interface was developed with Spring Boot, and the data was then fetched with Ajax requests to separate the front end from the back end. However, when the front end made the request, the data that should have been displayed never appeared. Judging from the error in the browser console, we had run into a cross-domain security issue.

1. Why do cross-domain security issues occur?

To solve this problem, you first need to know why it occurs. As I understand it, cross-domain security problems generally come down to the following three causes: the browser receives the correct response data but restricts access to it; the request is an XMLHttpRequest request rather than a JSON request; and the front end and back end differ in protocol, domain name, or port, which makes the request cross-domain.

2. How to solve the cross-domain security problems that arise?

The three causes above suggest three ways to solve the problem.

2.1 Make the browser not enforce the restriction

Different browsers have different parameters for this. In Google Chrome, for example, it is disable-web-security. However, we should not make the users of our application change their browser parameters, so I did not use this method.

2.2 Send a request that is not an XMLHttpRequest request

After searching the Internet, I found that many solutions set the request data type to JSONP. One problem is that if the request type is JSONP, the back-end service interface has to change as well, because a JSONP request is not an XHR request and what comes back is script rather than JSON. I want to use JSON to transfer data between the front end and the back end, and JSONP does not support requests other than GET (I want to use REST, so how could I do without POST, PUT, and DELETE?), so I did not use this method.

2.3 Resolve the cross-domain condition caused by a different protocol, domain name, or port

This can be approached from the client side or from the server side. On the client side, you can use a proxy so that the request to the server appears to come from the same domain as the client. On the server side, you can add fields to the response. Because the server is one I wrote myself with Spring Boot, and adding the fields does not require changing every interface, I only need to add an interceptor that adds a response header to every response. Of course, if you are calling someone else's interface and cannot change their server, the only option is to add a proxy on the client side.

Based on the error message in the console, you can add the Access-Control-Allow-Origin header to the server's responses to tell the browser that the server allows this cross-domain request.
The way I did it in Spring Boot is to add a filter that intercepts all requests and adds the Access-Control-Allow-Origin and Access-Control-Allow-Methods fields to the response headers. The example code is as follows (for reference only):

    /* Spring Boot startup class */
    package net.tsingmo.SpringBootDemo;

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;

    @SpringBootApplication
    public class SpringBootDemoApplication {

        public static void main(String[] args) {
            SpringApplication.run(SpringBootDemoApplication.class, args);
        }

        // Register ResponseHeaderFilter so that it runs for every URL.
        @Bean
        public FilterRegistrationBean filterRegistrationBean() {
            FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
            filterRegistrationBean.addUrlPatterns("/*");
            filterRegistrationBean.setFilter(new ResponseHeaderFilter());
            return filterRegistrationBean;
        }
    }

    /* ResponseHeaderFilter class */
    package net.tsingmo.SpringBootDemo;

    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class ResponseHeaderFilter implements javax.servlet.Filter {
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {}

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            // Allow any origin to read the response, for GET requests.
            httpServletResponse.addHeader("Access-Control-Allow-Origin", "*");
            httpServletResponse.addHeader("Access-Control-Allow-Methods", "GET");
            // Pass the request on to the rest of the chain.
            filterChain.doFilter(servletRequest, httpServletResponse);
        }

        @Override
        public void destroy() {}
    }
