Introduction to configuring cross-origin access (CORS) with WebMvcConfigurer

WebMvcConfigurer is a configuration interface provided by the Spring MVC framework. Through it we can customize the underlying behavior of Spring MVC, such as interceptors, message converters, and static resource handling. We can also use WebMvcConfigurer to configure cross-origin resource sharing (CORS).

1. Cross-origin resource sharing

Cross-origin resource sharing concerns a web page served from one domain name requesting resources under another domain name; such a request is a cross-origin request. Browsers block cross-origin requests by default under the same-origin policy, so a mechanism is needed to permit them. CORS is one of the most common.

2. Use WebMvcConfigurer to configure CORS

WebMvcConfigurer provides the addCorsMappings method to implement CORS configuration. Here is a simple example:

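import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Every route ("/**") accepts cross-origin requests from any origin ("*")
        registry.addMapping("/**").allowedOrigins("*");
    }
}

The above code allows cross-origin requests to all routes. The allowedOrigins method accepts a String array naming the origins that are allowed to make requests. Passing '*' allows requests from all domain names.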

3. Detailed configuration of CORS

  1. Allowed Request Methods
    By default, CORS only allows GET, POST and HEAD requests. If you need to allow other types of requests, you can use the allowedMethods method:
@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Only /api/** is mapped, and only for the listed origin and methods
        registry.addMapping("/api/**")
                .allowedOrigins("http://localhost:8080")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS");
    }
}

The above code allows cross-origin requests from http://localhost:8080 to every path under /api, and the allowed methods are GET, POST, PUT, DELETE, and OPTIONS.

  2. Allowed request headers
    By default, CORS only allows some basic request headers to be sent, such as Content-Type, Accept, and Authorization. If you need to customize the request header, you need to use the allowedHeaders method:
@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("http://localhost:8080")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                // Request headers the client may send on cross-origin calls
                .allowedHeaders("Authorization", "Content-Type", "Accept");
    }
}

The above code configures the custom request headers that are allowed to be sent, including Authorization, Content-Type, and Accept.

  3. Exposed response headers
    In addition to request headers, browsers also filter out some response headers, such as Set-Cookie and Authorization, to ensure user security. If you need to expose some specific response headers to the client, you need to use the exposedHeaders method:
@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("http://localhost:8080")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedHeaders("Authorization", "Content-Type", "Accept")
                // Response headers that client-side script is allowed to read
                .exposedHeaders("Authorization");
    }
}

The above code exposes the Authorization response header to the client. If exposedHeaders is not specified, the response headers will not be exposed to the client by default.

4. Summary

Configuring CORS through WebMvcConfigurer is a convenient way to add it to a Spring MVC application. In actual development, the configuration should be tailored to the actual situation to ensure data security.
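
One way to tailor the policy instead of passing '*' to allowedOrigins, as an added example that is not part of the original article: the allowed origins come from a property and are validated at startup. The class name HardenedCorsConfig, the property app.cors.allowed-origins, the validateOrigin helper and the example.com hosts are assumptions made for illustration.

```java
import java.net.URI;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class HardenedCorsConfig implements WebMvcConfigurer {

    private final String[] allowedOrigins;

    // Assumed property (not from the article), comma-separated, e.g.
    // app.cors.allowed-origins=https://app.example.com,http://localhost:8080
    public HardenedCorsConfig(@Value("${app.cors.allowed-origins}") String[] allowedOrigins) {
        for (String origin : allowedOrigins) {
            validateOrigin(origin); // fail at startup instead of serving a loose policy
        }
        this.allowedOrigins = allowedOrigins.clone();
    }

    // Hypothetical helper: accept only exact origins of the form
    // scheme://host[:port], and require https unless the host is localhost.
    static void validateOrigin(String origin) {
        if (origin.contains("*")) {
            throw new IllegalArgumentException("Wildcard origin not allowed: " + origin);
        }
        URI uri = URI.create(origin);
        if (uri.getHost() == null || uri.getRawUserInfo() != null
                || !uri.getRawPath().isEmpty()
                || uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalArgumentException("Not a bare origin: " + origin);
        }
        boolean local = "localhost".equals(uri.getHost());
        if (!"https".equals(uri.getScheme()) && !local) {
            throw new IllegalArgumentException("Non-HTTPS origin: " + origin);
        }
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Only /api/** is mapped; other paths get no CORS headers from this config.
        registry.addMapping("/api/**")
                .allowedOrigins(allowedOrigins)
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedHeaders("Authorization", "Content-Type", "Accept")
                .exposedHeaders("Authorization")
                .maxAge(1800); // let browsers cache preflight results for 30 minutes
    }
}
```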

Reprinted from: https://www.python100.com/html/BZX1V61K2C59.html

Origin blog.csdn.net/munangs/article/details/132223699