CORS cross-domain principle

Cross-domain resource sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to allow a Web application running on one origin (domain) to access specified resources on a server at a different origin. When a resource requests another resource from a different domain or port than the server on which the resource itself resides, it makes a cross-domain HTTP request.

The cross-domain resource sharing (CORS) mechanism allows Web application servers to control cross-domain access and secure cross-domain data transfer. Modern browsers support the use of CORS in API containers, such as XMLHttpRequest or Fetch, to reduce the risk associated with cross-domain HTTP requests.

Cross-domain configuration file CorsConfig

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.*;

/**
 * @version 1.0
 * @classname CorsConfig
 * @description To solve cross-domain problems, override the interface provided by the parent class to handle cross-domain requests
 * @date 2021/2/24 00:06
 * @created by MelodyJerry
 */
@Configuration
@EnableWebMvc
//public class CorsConfig implements WebMvcConfigurer { // use this declaration when the console reports "No mapping for GET"
public class CorsConfig extends WebMvcConfigurationSupport {

    /**
     * Override the addCorsMappings method in order to solve the cross-domain problem
     */
    @Override
//    public void addCorsMappings(CorsRegistry registry) { // use this signature instead when the console reports "No mapping for GET"
    protected void addCorsMappings(CorsRegistry registry) {
        // Set the path allowed across domains
        registry.addMapping("/**") // All request addresses of the current site support cross-domain access
                // Set the origins allowed to make cross-domain requests. Choose either allowedOrigins or allowedOriginPatterns
//                .allowedOrigins("*") // Access-Control-Allow-Origin("*")
//                .allowedOrigins("domain name") // Hard to configure for localhost, because in a cross-domain request the external origin may appear as localhost, 127.0.0.1, or the host name
                .allowedOriginPatterns("*") // All external domains are allowed cross-domain access; combined with allowCredentials(true), the requesting Origin is echoed back
                // Which HTTP methods (request modes) are allowed
                .allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")
                // Set the allowed request headers
                .allowedHeaders("*")
                // Which response headers to expose (cross-domain access does not get all headers by default)
                .exposedHeaders("access-control-allow-headers", "access-control-allow-methods", "access-control-allow-origin", "access-control-max-age", "X-Frame-Options")
                // Whether to allow credentials (cross-domain user credentials such as cookies); not enabled by default
                .allowCredentials(true)
                // How long, in seconds, the cross-domain permission may be cached
                .maxAge(3600);
    }

    /**
     * Cause: The built-in interface of Swagger is blocked by the interceptor, and Swagger needs to be added to the exclusion list of interceptors.
     * @param registry
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("swagger-ui.html")
                .addResourceLocations("classpath:/META-INF/resources/");
        registry.addResourceHandler("doc.html")
                .addResourceLocations("classpath:/META-INF/resources/");
        registry.addResourceHandler("/webjars/**")
                .addResourceLocations("classpath:/META-INF/resources/webjars/");
    }
}

Problems you may encounter

(1) .allowedMethods("*")

.allowedMethods("*") and Access-Control-Allow-Origin are configured at the same time.

allowedOrigins cannot contain the special value "*" when allowCredentials is true, because this value cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials for a set of origins, list them explicitly, or consider using "allowedOriginPatterns" instead.

In this case, there are two solutions, and the second one is recommended:

  1. .allowedOrigins("domain name")
  2. .allowedOriginPatterns("*") (recommended)
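With allowedOriginPatterns("*") and allowCredentials(true), Spring accepts every Origin and echoes it back in Access-Control-Allow-Origin, so any site can read credentialed responses. The following added example (not code from the original post) uses Spring's CorsConfiguration.checkOrigin to compare that setting with an explicit allow-list. It assumes spring-web 5.3 or later on the classpath; the class name CorsOriginCheckDemo and all host names are constructed for illustration.

```java
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

// Added example: prints which Origin values Spring would accept under each setting.
// Class name and host names are constructed, not taken from the original post.
public class CorsOriginCheckDemo {

    // Setting used on this page: any origin pattern, credentials allowed.
    static CorsConfiguration wildcardPattern() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOriginPatterns(List.of("*"));
        c.setAllowCredentials(true);
        return c;
    }

    // Hardened variant: one exact origin plus one narrow subdomain pattern.
    static CorsConfiguration explicitAllowList() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(List.of("https://app.example.com"));
        c.setAllowedOriginPatterns(List.of("https://*.staging.example.com"));
        c.setAllowCredentials(true);
        return c;
    }

    public static void main(String[] args) {
        String[] origins = {
            "https://app.example.com",
            "https://pr-42.staging.example.com",
            "https://untrusted.example.net",
        };
        // checkOrigin returns the value for Access-Control-Allow-Origin, or null if the origin is refused.
        for (String origin : origins) {
            System.out.printf("%-36s wildcard=%-36s allow-list=%s%n", origin,
                    wildcardPattern().checkOrigin(origin),
                    explicitAllowList().checkOrigin(origin));
        }
        // allowedOrigins("*") together with credentials is the combination Spring refuses outright.
        CorsConfiguration rejected = new CorsConfiguration();
        rejected.setAllowedOrigins(List.of("*"));
        rejected.setAllowCredentials(true);
        try {
            rejected.validateAllowCredentials();
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```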

(2) Error o.s.web.servlet.PageNotFound: No mapping for GET

If the console shows the message o.s.web.servlet.PageNotFound: No mapping for GET, the solution is simple: change extends WebMvcConfigurationSupport to implements WebMvcConfigurer (and correspondingly change protected void addCorsMappings to public void addCorsMappings).