cross domain
A resource will initiate a Cross-site HTTP request when it requests a resource from a different domain name than the first resource it provided itself.
For example, a web application of domain name A ( http://domaina.example ) imports an image resource ( http://domainb.foo/image ) of domain B ( http://domainb.foo ) through a tag .jpg ), the Web application of domain name A will cause the browser to initiate a cross-site HTTP request. In today's web development, it has become a common and popular way to load various resources (including CSS, images, JavaScript scripts, and other resources) using cross-site HTTP requests.
As you all know, for security reasons, browsers restrict cross-site requests made in scripts. For example, XMLHttpRequestmaking HTTP requests using objects must obey the same-origin policy. Specifically, a Web application can and can only use the XMLHttpRequest object to make HTTP requests to the source domain name it loads from, but not to any other domain name. In order to develop more powerful, richer and more secure Web applications, developers are eager to make Web application technologies more powerful and richer without losing security. For example, you can use XMLHttpRequest to initiate cross-site HTTP requests. (This description of cross-domain is inaccurate. Cross-domain does not mean that the browser restricts the initiation of cross-site requests, but that cross-site requests can be initiated normally, but the returned result is intercepted by the browser. The best example is the CSRF cross-site attack principle, The request is sent to the backend server, whether it is cross-domain or not! Note: Some browsers do not allow cross-domain access to HTTP from HTTPS domains, such as Chrome and Firefox. These browsers will intercept the request before it is sent. This is a special case.)
more:https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS
CROS
The full name of CORS is Cross Origin Resource Sharing (Cross-Origin Resource Sharing). The server only needs to add the relevant response header information to realize the AJAX cross-domain request from the client.
@CrossOrigin
- All requests on the Controller can be used directly on the Controller, and origins = "*" means that all requests can be made
1 @CrossOrigin(origins = "http://domain2.com", maxAge = 3600) 2 @RestController 3 @RequestMapping("/account") 4 public class AccountController { 5 6 @RequestMapping("/{id}") 7 public Account retrieve(@PathVariable Long id) { 8 // ... 9 } 10 11 @RequestMapping(method = RequestMethod.DELETE, path = "/{id}") 12 public void remove(@PathVariable Long id) { 13 // ... 14 } 15 }
2. Use on the method
1 @CrossOrigin(maxAge = 3600) 2 @RestController 3 @RequestMapping("/account") 4 public class AccountController { 5 6 @CrossOrigin("http://domain2.com") 7 @RequestMapping("/{id}") 8 public Account retrieve(@PathVariable Long id) { 9 // ... 10 } 11 12 @RequestMapping(method = RequestMethod.DELETE, path = "/{id}") 13 public void remove(@PathVariable Long id) { 14 // ... 15 } 16 }
Another method:
The main purpose of CorsFilter is to add relevant information headers, which can also be achieved using Filter.
1 @Configuration 2 public class BeanConfiguration { 3 4 @Bean 5 public CorsFilter corsFilter() { 6 final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource(); 7 final CorsConfiguration corsConfiguration = new CorsConfiguration(); 8 corsConfiguration.setAllowCredentials(true); 9 corsConfiguration.addAllowedOrigin("*"); 10 corsConfiguration.addAllowedHeader("*"); 11 corsConfiguration.addAllowedMethod("*"); 12 urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration); 13 return new CorsFilter(urlBasedCorsConfigurationSource); 14 } 15 16 }
- Access-Control-Allow-Origin: The client domain name that is allowed to access, for example: http://web.xxx.com , if it is *, it means that it can be accessed from any domain, that is, there is no restriction.
- Access-Control-Allow-Methods: Method names that allow access. Multiple method names are separated by commas, for example: GET, POST, PUT, DELETE, OPTIONS.
- Access-Control-Allow-Credentials: Whether to allow requests with authentication information, to get cookies under the client domain, you need to set it to true.
- Access-Control-Allow-Headers: Client request headers that allow server access. Multiple request headers are separated by commas, for example: Content-Type.
- Access-Control-Expose-Headers: The server-side response headers that the client is allowed to access. Multiple response headers are separated by commas.