Preface:
When a resource requests another resource from a domain different from the one that served it, the resource initiates a cross-domain HTTP request (cross-site HTTP request).
For example, a Web application on domain A (http://domaina.example) uses an <img> tag to load an image resource from domain B (http://domainb.foo/image.jpg). The Web application on domain A causes the browser to initiate a cross-site HTTP request.
In today's Web development, using cross-site HTTP requests to load all kinds of resources (including CSS, images, JavaScript scripts, and other types of resources) has become a common and popular practice.
As you know, for security reasons, browsers restrict cross-site requests initiated by scripts. For example, HTTP requests made with the XMLHttpRequest object must comply with the same-origin policy. Specifically, a Web application can use the XMLHttpRequest object only to send HTTP requests to the domain it was loaded from, and cannot send requests to any other domain. To build stronger, richer, and more secure Web applications, developers want Web application technology to become more powerful and richer without losing security, for example by being able to use XMLHttpRequest to initiate cross-site HTTP requests. (This description of cross-domain behavior is inaccurate. The browser does not stop a cross-site request from being initiated; the cross-site request can be sent normally, but the returned result is blocked by the browser. The best example is the principle behind the cross-site attack CSRF: the request is sent to the back-end server whether or not it is cross-domain! Note: some browsers, such as Chrome and Firefox, do not allow cross-domain access from an HTTPS domain to HTTP; the browser intercepts the request before it has been sent, which is a special case.)
Quoted from:
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS
Method One: add a new configuration class, or add the CorsFilter and CorsConfiguration methods to the Application class
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsConfig {

    private CorsConfiguration buildConfig() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.addAllowedOrigin("*"); // 1. allow any domain to use the API
        corsConfiguration.addAllowedHeader("*"); // 2. allow any header
        corsConfiguration.addAllowedMethod("*"); // 3. allow any method (post, get, etc.)
        return corsConfiguration;
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", buildConfig()); // 4. apply the configuration to every path
        return new CorsFilter(source);
    }
}
Method Two: use a Filter
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.stereotype.Component;

@Component
public class CorsFilter implements Filter {

    final static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(CorsFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Set the CORS response headers on every response
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
        System.out.println("********** filter is used **********");
        // Pass the request on to the rest of the filter chain
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}
}