Excerpted from: https://mp.weixin.qq.com/s/jlX_sbwhN3ASply6MLw1Vw
1 The response headers explained
- Access-Control-Allow-Origin: required. Its value is either the exact value of the request's Origin header, or a `*`, which means requests from any origin are accepted.
- Access-Control-Allow-Methods: required. Its value is a comma-separated list of specific methods, or `*`, naming every method the server supports for cross-origin requests. Note that it lists all supported methods, not only the one the browser is currently requesting; this avoids repeated "preflight" requests.
- Access-Control-Expose-Headers: optional. In a CORS request, XMLHttpRequest's getResponseHeader() method can only read six basic headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma. Any other header must be listed in Access-Control-Expose-Headers before the browser will expose it.
- Access-Control-Allow-Credentials: optional. Its value is a boolean indicating whether cookies may be sent. By default cookies are not sent, i.e. false. For requests that place special demands on the server, such as a PUT or DELETE method or a Content-Type of application/json, this value can only be set to true. If the server does not want the browser to send cookies, simply omit the header.
- Access-Control-Max-Age: optional. It specifies how long the result of this preflight request stays valid, in seconds. While it is valid, no further preflight request is needed.
2 Solutions
2.1 Implement WebMvcConfigurer
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Global CORS rule for every path handled by Spring MVC
        registry.addMapping("/**")
                // Pattern form is required when credentials are allowed:
                // allowedOrigins("*") together with allowCredentials(true) is rejected by Spring
                .allowedOriginPatterns("*")
                .allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")
                .allowCredentials(true)
                // Preflight result may be cached by the browser for one hour
                .maxAge(3600)
                .allowedHeaders("*");
    }
}
2.2 Filter implementation
import org.springframework.context.annotation.Configuration;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebFilter(filterName = "CorsFilter")
@Configuration
public class CorsFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Note: browsers refuse a credentialed response whose Allow-Origin is "*";
        // with Allow-Credentials "true" the header must carry one explicit origin instead.
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PATCH, DELETE, PUT");
        // Preflight result may be cached by the browser for one hour
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        // Headers are set on every response, including preflight, before the request continues
        chain.doFilter(req, res);
    }
}
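The filter above combines a wildcard Allow-Origin with Allow-Credentials, which browsers reject for credentialed requests. The following filter is an added example (not code from the original article) of the usual hardened form: the request's Origin is matched exactly against an allowlist and only an allowed value is echoed back, with preflight answered directly; the origins in ALLOWED_ORIGINS are assumed values.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class AllowlistCorsFilter extends OncePerRequestFilter {

    // Assumed allowlist: the exact origins permitted to make credentialed cross-origin calls.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com", "http://localhost:4000");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String origin = request.getHeader("Origin");

        // Same-origin and non-browser requests carry no Origin header, and an origin that is
        // not on the allowlist gets no CORS headers at all, so the browser blocks the response.
        // Exact match only: never reflect an arbitrary Origin value back with credentials.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            chain.doFilter(request, response);
            return;
        }

        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");
        // The response now depends on Origin; tell caches so one origin's reply is not reused for another.
        response.addHeader("Vary", "Origin");

        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // Answer the preflight here; the controller never sees it.
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE");
            response.setHeader("Access-Control-Allow-Headers",
                    "Origin, X-Requested-With, Content-Type, Accept");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

A quick check is to send an OPTIONS request with an Origin header that is not on the list and confirm the reply carries no Access-Control-Allow-Origin header.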
2.3 The @CrossOrigin annotation (recommended)
This is the most fine-grained way to control CORS: the rule is scoped to a single request handler.
import org.springframework.web.bind.annotation.*;

@RestController
public class GoodsController {
    // Only this endpoint accepts cross-origin calls, and only from http://localhost:4000
    @CrossOrigin(origins = "http://localhost:4000")
    @GetMapping("goods-url")
    public Response queryGoodsWithGoodsUrl(@RequestParam String goodsUrl) throws Exception {
        return null; // Method body omitted in the original; Response is the application's own type
    }
}