Spring Global CORS 配置不起作用,但控制器级别配置起作用
我正在尝试通过如下所示的 WebMvcConfigurerAdapter
全局配置 CORS.为了测试,我通过我创建的用于模拟外部服务的小型节点应用程序访问我的 API 端点.当我尝试这种方法时,响应不包含正确的标头并且失败并显示
I am trying to configure CORS globally via WebMvcConfigurerAdapter
shown below. To test I am hitting my API endpoint via a small node app I created to emulate an external service. When I try this approach the response does not contain the correct headers and fails with
XMLHttpRequest cannot load http://localhost:8080/api/query/1121. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:333' is therefore not allowed access.
全局配置
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
@EnableWebMvc
@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/api/query/**")
.allowedOrigins("*")
.allowedHeaders("*")
.allowCredentials(true);
}
}
但是,当我像这样使用 @CrossOrigin
注释时,它可以很好地响应正确的标头.
However when I utilize the @CrossOrigin
annotation like so it works just fine responding with the proper headers.
@CrossOrigin(origins = "*", allowCredentials = "true", allowedHeaders = "*")
@RestController
@RequestMapping(value = "/api/query", produces = MediaType.APPLICATION_JSON_VALUE)
public class QueryController {
......
}
生产
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:333
使全局配置工作我缺少什么(按照此处的说明进行操作 https://spring.io/blog/2015/06/08/cors-support-in-spring-framework).我觉得我错过了一些简单的东西,因为注释控制器工作得很好.
What am I missing to make the global config work (followed instructions here https://spring.io/blog/2015/06/08/cors-support-in-spring-framework). I feel like I'm missing something simple since annotating the controller works just fine.
推荐答案
为了使全局 CORS 配置工作,客户端必须在 OPTIONS 请求中添加这两个标头.
In order for the global CORS config to work, the client must add these two headers in the OPTIONS request.
Origin: http://host.com
Access-Control-Request-Method: POST
不过,@CrossOrigin 注释只需要Origin"标头.
您的客户端可能添加了Origin"标头,但缺少Access-Control-Request-Method"......这就是为什么它适用于@CrossOrigin,但不适用于全局配置.
However the @CrossOrigin annotation requires just the "Origin" header.
Your client probably adds the "Origin" header but is missing the "Access-Control-Request-Method".....thats why it works for you with the @CrossOrigin, but doesn't with the global config.
相关文章