Preface:
When a resource request is it different domain from a first resource of its own provide, a resource initiates a cross-domain HTTP request (Cross-site HTTP request).
For example, domain A ( HTTP: //domaina.example ) of a Web application introduced by domain B <img> tag ( http://domainb.foo ) a picture resource site ( HTTP: // DomainB. foo / image.jpg), a domain name that the Web application will cause the browser to launch a cross-site HTTP request.
In today's Web development using cross-site HTTP request to load a variety of resources (including CSS, images, JavaScript scripts, and other types of resources), it has become a common and popular way.
As you know, for security reasons, the browser will limit cross-site request initiated by the script. For example, using the XMLHttpRequest object that originated the HTTP request must comply with the same origin policy . Specifically, Web applications, and can only use the XMLHttpRequest object is loaded to its source domain to initiate HTTP requests, but can not initiate a request to any other domain. In order to be able to develop a stronger, richer, more secure Web applications, developers eager without loss of security, Web application technology can be more powerful and rich. For example, you can use XMLHttpRequest
to initiate cross-site HTTP request. ( This description across domainsInaccurate, cross-domain does not restrict the browser to initiate cross-site request, but cross-site request may initiate normal, but the results returned by the browser blocked. The best example is the cross-site attacks CSRF principle, the request is sent to the back-end server, whether or not cross-domain ! Note: Some browsers do not allow HTTPS from the domain of cross-domain access to HTTP, such as Chrome and Firefox, the browser has not been issued at the time of the request will intercept the request, which is a special case. )
Quoted from:
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS
Method a: a new class or configration added CorsFilter Application of the method and CorsConfiguration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
@Configuration
public class CorsConfig {
private CorsConfiguration buildConfig() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.addAllowedOrigin("*"); // 1允许任何域名使用
corsConfiguration.addAllowedHeader("*"); // 2允许任何头
corsConfiguration.addAllowedMethod("*");// 3 allows any method (post, get, etc.)
@Bean
return corsConfiguration;
}
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", buildConfig()); // 4
return new CorsFilter(source);
}
}
Method Two: Use the Filter mode
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class CorsFilter implements Filter {
final static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(CorsFilter.class);
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
System.out.println ( "********************************* filter is used ****** ************************************************************ ");
the chain.doFilter (REQ, RES);
}
public void the init (the FilterConfig FilterConfig) {}
public void the destroy () {}
}