Spring Framework 4.2 GA為開箱即用的CORS提供了一流的支持,為您提供了比典型的基于過濾器的解決方案更簡單,更強大的配置方式。
Controller方法上增加CORS配置
@RestController
@RequestMapping("/account")
public class AccountController {
+ @CrossOrigin
@RequestMapping("/{id}")
public Account retrieve(@PathVariable Long id) {
// ...
}
@RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
public void remove(@PathVariable Long id) {
// ...
}
}
在controller上配置
+ @CrossOrigin(origins = "http://domain2.com", maxAge = 3600)
@RestController
@RequestMapping("/account")
public class AccountController {
@RequestMapping("/{id}")
public Account retrieve(@PathVariable Long id) {
// ...
}
@RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
public void remove(@PathVariable Long id) {
// ...
}
}
或者混合配置
+ @CrossOrigin(maxAge = 3600)
@RestController
@RequestMapping("/account")
public class AccountController {
+ @CrossOrigin(origins = "http://domain2.com")
@RequestMapping("/{id}")
public Account retrieve(@PathVariable Long id) {
// ...
}
@RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
public void remove(@PathVariable Long id) {
// ...
}
}
全局配置
使用Java配置
整個應用都支持CORS
@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**");
}
}
更詳細的配置,具體到某個API路徑
@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/api/**")
.allowedOrigins("http://domain2.com")
.allowedMethods("PUT", "DELETE")
.allowedHeaders("header1", "header2", "header3")
.exposedHeaders("header1", "header2")
.allowCredentials(false).maxAge(3600);
}
}
使用XML配置
整個應用都支持CORS
<mvc:cors>
<mvc:mapping path="/**" />
</mvc:cors>
更詳細的配置,具體到某個API路徑
<mvc:cors>
<mvc:mapping path="/api/**"
allowed-origins="http://domain1.com, http://domain2.com"
allowed-methods="GET, PUT"
allowed-headers="header1, header2, header3"
exposed-headers="header1, header2" allow-credentials="false"
max-age="123" />
<mvc:mapping path="/resources/**"
allowed-origins="http://domain1.com" />
</mvc:cors>
Spring Boot的配置方式
Spring Boot 1.3 版本支持CORS
在SpringBoot應用程序中使用帶有@CrossOrigin注解的 controller方法,不需要任何特定的配置。
全局配置的方式:
@Configuration
public class MyConfiguration {
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/api/**");
}
};
}
}
Filter based CORS support
為了支持具有基于過濾器的安全框架(如Spring Security)的CORS,或者與其他不支持本機CORS的項目(如Spring Data REST)一起,我們還提供了一個CorsFilter。在這種情況下,不用使用@CrossOrigin或WebMvcConfigurer#addCorsMappings(CorsRegistry),您可以在Spring Boot應用程序中聲明如下所示的過濾器:
@Configuration
public class MyConfiguration {
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://domain1.com");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
}