Spring Boot CORS头文件

时间:2017-12-20 18:39:41

标签: spring-boot cors

我是CORS标题的新手,并使用Spring启动实现。我在POST服务上启用CORS头,接受请求体。

第一次进行预检请求,运行正常并返回200,但是当调用实际的post请求时,它总是返回403 forbidden with response body"无效的CORS请求"。

我已经阅读了几乎所有的春季文档和所有谷歌/ stackoverflow讨论,但无法找出我错过了什么......嗯..

在下面的片段中,我通过在课程顶部和方法顶部添加crossOrigin进行测试,但没有运气。

@CrossOrigin(origins = "https://domain/", allowCredentials = "false")
@RequestMapping(value = ApplicationConstants.URI_PATH)
class MainController {
       @RequestMapping(value = '/postMethod', method = RequestMethod.POST)
       Map<String, Object> postMethod(HttpServletResponse servletResponse, 
       @RequestBody(required = false) AccessToken requestedConsumerInfo) {...}

对于POST方法 - 调用预检请求,结果为200,但主POST调用返回403。

使用OPTIONS调用:状态代码200 

Response headers (616 B)
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers content-type
Access-Control-Allow-Methods POST
Access-Control-Allow-Origin https://domain
Allow GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Cache-Control max-age=0, private, no-cache, …roxy-revalidate, no-transform
Connection close
Content-Length 0
Date Wed, 20 Dec 2017 17:57:14 GMT
Pragma no-cache
Server nginx/1.9.1
Strict-Transport-Security max-age=63072000; includeSubdomains;
Vary Origin,User-Agent
X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block

Request headers (512 B)
Accept  text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Access-Control-Request-Headers  content-type
Access-Control-Request-Method   POST
Connection  keep-alive
Host    domain
Origin  https://domain
User-Agent  Mozilla/5.0 (Windows NT 6.1; W…) Gecko/20100101 Firefox/57.0

使用POST呼叫:状态码403 

Response headers (364 B)
Cache-Control   max-age=0, private, no-cache, …roxy-revalidate, no-transform
Connection  close
Content-Length  20
Date    Wed, 20 Dec 2017 17:57:14 GMT
Pragma  no-cache
Server  nginx/1.9.1
Strict-Transport-Security max-age=63072000; includeSubdomains;
Vary    User-Agent
X-Frame-Options SAMEORIGIN
X-XSS-Protection    1; mode=block

Request headers (2.507 KB)  
Accept  application/json, text/plain, */*
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Connection  keep-alive
Content-Length  102
Content-Type    application/json
Cookie  rxVisitor=1513720811976ARCUHEC…B4SL3K63V8|6952d9a33183e7bc|1
Host    domain
Origin  https://domain
Referer https://domain/home/account/register
User-Agent  Mozilla/5.0 (Windows NT 6.1; W…) Gecko/20100101 Firefox/57.0

由于这不起作用,我还测试了单独添加全局配置以及上面的代码段,但没有运气。

@Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            void addCorsMappings(CorsRegistry registry) {
                super.addCorsMappings(registry);
                registry.addMapping(ApplicationConstants.MEMBER_URL_PATH)
                        .allowedOrigins("https://domain/")
                        .allowedMethods(HttpMethod.GET.toString(), 
                                   HttpMethod.POST.toString(), HttpMethod.PUT.toString());
            }
        }
    }

2 个答案:

答案 0 :(得分:2)

在预检OPTIONS请求中,服务器应该回复以下所有内容(看起来你已经这样做了):

Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials (if cookies are passed)

在实际的POST请求中,您至少需要返回Access-Control-Allow-OriginAccess-Control-Allow-Credentials。您目前尚未将其返回给POST回复。

答案 1 :(得分:0)

我遇到了同样的问题,然后使用了@CrossOrigin注释,它可以正常工作,但是仅对于GET,当我尝试进行POST时,我仍然遇到Cross Origin错误,然后为我解决了这个问题:

创建一个拦截器,并将Access Controll标头添加到响应中。 (您可能不需要全部)

public class AuthInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { 
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse httpResponse, Object handler, ModelAndView modelAndView)
            throws Exception { 
        httpResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
        httpResponse.setHeader("Access-Control-Allow-Headers", "*");
        httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
        httpResponse.setHeader("Access-Control-Max-Age", "4800");
    } 
}

然后添加拦截器:

@Configuration
@EnableWebMvc 
public class WebConfig extends WebMvcConfigurerAdapter {

  @Override
    public void addInterceptors(InterceptorRegistry registry) {
        System.out.println("++++++ WebConfig addInterceptors() ");
        registry.addInterceptor(new AuthInterceptor()).addPathPatterns("/**");
    }

}

我希望这可以节省您一些时间,我花了一些时间才能使它工作。

相关问题
最新问题