Question
I tried to implement Access-Control-Allow-Origin in Spring Boot using a few tutorials and this link, but I am not able to implement this.
To implement this, in the application.properties file, I added the line below:
endpoints.cors.allowed-origins=https://example.com
Which probably means that except the URL https://example.com, no other endpoint can call any APIs. But it's not working; I can still see * in the response, in the image below. Which means my APIs are accessible from other domains. So how to prevent this?
Answer 1:
endpoints.cors.allowed-origins for Spring Boot 1 or management.endpoints.web.cors.allowed-origins for Spring Boot 2 are used to apply CORS to the Actuator endpoints; it does not apply to controller endpoints you defined.
Actually, by default Spring Boot doesn't set any CORS headers. If you're seeing Access-Control-Allow-Origin with a value (e.g. a wildcard), it means that you're configuring that somewhere within your own code. Verify if you're using @CrossOrigin on your controllers, or that you're having some sort of Filter (e.g. CorsFilter).
One way to configure CORS globally within Spring Boot is by defining a CorsFilter bean, for example:
@Bean
public CorsFilter corsFilter() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    // Only this origin receives an Access-Control-Allow-Origin header
    config.setAllowedOrigins(List.of("https://example.com"));
    config.setAllowedHeaders(List.of("Origin", "Content-Type", "Accept"));
    config.setAllowedMethods(List.of("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH"));
    // Apply the configuration to every path
    source.registerCorsConfiguration("/**", config);
    return new CorsFilter(source);
}
For other possibilities, you can check this question. Be aware, this will only work properly if you find out what is causing the Access-Control-Allow-Origin to be set.
Answer 2:
Try this annotation @CrossOrigin("*") in your controller. You can change the param in the annotation according to your need.
Answer 3:
You can define a custom CORS filter for your project like this:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component
public class CustomeCORSFilter implements Filter {
    private final Logger log = LoggerFactory.getLogger(CustomeCORSFilter.class);

    public CustomeCORSFilter() {
        log.info("CustomeCORSFilter init");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE");
        // Echoes back whatever Origin the caller sent, so every origin is allowed, with credentials
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Max-Age", "");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With");
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
Source: https://stackoverflow.com/questions/59300723/java-spring-boot-access-control-allow-origin-not-working