当一个源上的资源(页面或脚本)向另一个源(协议、域名或者端口不同)请求一个资源或者接口时,就会发起一个跨域HTTP请求。
同源:协议、域名、端口都相同
只要一个不同,就是跨域。
请求方 | 响应方 | 是否跨域 | 原因 |
---|---|---|---|
http://www.baidu.com | http://www.baidu.com/test.html | 否 | 协议/域名/端口相同 |
http://www.baidu.com | https://www.baidu.com/test.html | 是 | 协议不同 |
http://www.baidu.com | http://www.hhhh.com/test.html | 是 | 主域名不同 |
http://www.baidu.com | http://haha.baidu.com/test.html | 是 | 主域名相同、子域名不同 |
http://www.baidu.com:8080 | http://www.baidu.com:8090/test.html | 是 | 端口不同 |
以下几种配置方式任选一种即可。凡是允许携带凭证(Cookie)的配置,来源都应使用明确的白名单,而不是通配符。
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
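/**
 * Registers a servlet-level {@link CorsFilter} that applies a single CORS policy to every path.
 *
 * <p>The policy allows credentialed (cookie-carrying) cross-origin requests, so the permitted
 * origins are an explicit allowlist. A wildcard origin pattern combined with
 * {@code setAllowCredentials(true)} makes the framework echo back whatever {@code Origin} the
 * browser sends, which lets any website read authenticated responses on behalf of a logged-in
 * user.
 */
@Configuration
public class GlobalCorsConfig {

    /**
     * Origins trusted to send credentialed requests.
     *
     * <p>PLACEHOLDER value: replace with the real front-end origin(s), written as
     * scheme + host + optional port with no path.
     */
    private static final String[] ALLOWED_ORIGINS = {"https://app.example.com"};

    /**
     * Builds the CORS filter bean.
     *
     * @return a {@link CorsFilter} that applies the allowlist-based policy to all request paths
     */
    @Bean
    public CorsFilter corsFilter() {
        // 1. Describe the CORS policy.
        CorsConfiguration config = new CorsConfiguration();

        // Exact-match allowlist instead of addAllowedOriginPattern("*"): with credentials
        // enabled, only origins that are actually trusted may be reflected to the browser.
        for (String origin : ALLOWED_ORIGINS) {
            config.addAllowedOrigin(origin);
        }

        // Allow cookies / HTTP authentication on cross-origin requests.
        config.setAllowCredentials(true);

        // Permit every HTTP method and every request header for the trusted origins.
        config.addAllowedMethod("*");
        config.addAllowedHeader("*");

        // Response headers that scripts may read. Browsers do not treat "*" as a wildcard
        // here when the request carries credentials; list concrete header names if the
        // front end needs to read any.
        config.addExposedHeader("*");

        // 2. Apply the policy to all paths.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);

        // 3. Wrap the source in the filter Spring will register.
        return new CorsFilter(source);
    }
}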
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
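/**
 * Configures CORS for Spring MVC handlers through {@link WebMvcConfigurer}.
 *
 * <p>Credentialed requests are enabled, so origins are restricted to an explicit allowlist.
 * {@code allowedOriginPatterns("*")} together with {@code allowCredentials(true)} would accept
 * credentialed requests from any website, exposing authenticated responses to untrusted pages.
 */
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    /**
     * Origins trusted to send credentialed requests.
     *
     * <p>PLACEHOLDER value: replace with the real front-end origin(s), written as
     * scheme + host + optional port with no path.
     */
    private static final String[] ALLOWED_ORIGINS = {"https://app.example.com"};

    /**
     * Registers one CORS mapping that covers every request path.
     *
     * @param registry the registry the mapping is added to
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                // Exact-match allowlist; required for a safe combination with credentials.
                .allowedOrigins(ALLOWED_ORIGINS)
                // Allow cookies / HTTP authentication on cross-origin requests.
                .allowCredentials(true)
                // Only the methods the API actually serves.
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedHeaders("*")
                // Browsers do not treat "*" as a wildcard here for credentialed requests;
                // list concrete header names if the front end needs to read any.
                .exposedHeaders("*");
    }
}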
类上注解
/**
 * Demo controller with CORS enabled for the whole class: every handler method below accepts
 * requests from any origin.
 *
 * <p>In Spring Framework 5.0 and later the annotation leaves credentials disabled unless
 * {@code allowCredentials} is set, so a wildcard origin here is only appropriate for endpoints
 * that return non-sensitive, unauthenticated data.
 */
@RestController
@CrossOrigin(origins = "*")
public class CorsController {

    /**
     * Handles {@code GET /cors}.
     *
     * @return a fixed greeting string
     */
    @GetMapping("/cors")
    public String hello() {
        final String greeting = "hello cors";
        return greeting;
    }
}
方法上注解
方法可以单独配置跨域:只有标注了 @CrossOrigin("*") 的方法允许跨域访问,没有该注解的方法则不行。
/**
 * Demo controller with CORS enabled per method: only handlers that carry
 * {@code @CrossOrigin} are reachable cross-origin.
 */
@RestController
public class CorsController {

    /**
     * Handles {@code GET /cors}; any origin may call it.
     *
     * <p>A wildcard origin is only appropriate when the response holds non-sensitive,
     * unauthenticated data.
     *
     * @return a fixed greeting string
     */
    @CrossOrigin(origins = "*")
    @GetMapping("/cors")
    public String hello() {
        final String greeting = "hello cors";
        return greeting;
    }

    /**
     * Handles {@code GET /cors2}; no CORS annotation, so browsers keep the same-origin
     * restriction for this endpoint.
     *
     * @return a fixed greeting string
     */
    @GetMapping("/cors2")
    public String hello2() {
        final String greeting = "hello cors2";
        return greeting;
    }
}
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
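/**
 * Servlet filter that adds CORS response headers by hand.
 *
 * <p>The request's {@code Origin} header is client-controlled. Copying it into
 * {@code Access-Control-Allow-Origin} unconditionally while also sending
 * {@code Access-Control-Allow-Credentials: true} lets any website read authenticated responses,
 * so the origin is compared against an explicit allowlist first and the CORS headers are only
 * written for a match.
 */
@Component
public class MyCorsFilter implements Filter {

    /**
     * Origins trusted to send credentialed requests.
     *
     * <p>PLACEHOLDER value: replace with the real front-end origin(s), written as
     * scheme + host + optional port with no path.
     */
    private static final String[] ALLOWED_ORIGINS = {"https://app.example.com"};

    /**
     * Adds CORS headers for allowlisted origins, then continues the filter chain.
     *
     * @param req the incoming request; cast to {@link HttpServletRequest}
     * @param res the outgoing response; cast to {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException if a downstream filter or servlet fails with an I/O error
     * @throws ServletException if a downstream filter or servlet fails
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The response differs per Origin, so shared caches must key on it.
        response.addHeader("Vary", "Origin");

        String origin = request.getHeader("Origin");
        if (isAllowedOrigin(origin)) {
            // Echo the origin only after it matched the allowlist exactly.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, HEAD");
            // Let browsers cache the preflight result for one hour.
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Headers", "access-control-allow-origin, authority, content-type, version-info, X-Requested-With");
            response.setHeader("Access-Control-Allow-Credentials", "true");
        }

        chain.doFilter(req, res);
    }

    /**
     * Reports whether the given origin is on the allowlist.
     *
     * @param origin the value of the request's {@code Origin} header, or {@code null} if absent
     * @return {@code true} only for an exact match with an allowlisted origin
     */
    private static boolean isAllowedOrigin(String origin) {
        if (origin == null) {
            return false;
        }
        for (String allowed : ALLOWED_ORIGINS) {
            if (allowed.equals(origin)) {
                return true;
            }
        }
        return false;
    }

    /** No initialisation is needed. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }
}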