Cross domain

A resource initiates a cross-domain HTTP request (cross-site HTTP request) when one of the resources it requests comes from a domain different from the one that served the resource itself.

For example, a web application on domain A (http://domaina.example) includes a picture resource (http://domainb.foo/image.jpg) from the domain B (http://domainb.foo) site through a tag, and the web application on domain A thereby causes the browser to initiate a cross-site HTTP request. In today's web development, using cross-site HTTP requests to load all kinds of resources (CSS, pictures, JavaScript scripts and others) has become a common and popular practice.

As you know, for security reasons browsers restrict cross-site requests initiated from scripts. For example, HTTP requests made with the XMLHttpRequest object must comply with the same-origin policy. Specifically, a web application can only use XMLHttpRequest to send HTTP requests to the origin it was loaded from, not to any other domain. To build more powerful, richer and more secure web applications, developers want web technology to become more capable without losing security, for example by being able to use XMLHttpRequest for cross-site HTTP requests. (The description of cross-domain in this passage is inaccurate: the browser does not prevent the cross-site request from being sent. The request is sent normally, but the returned result is intercepted by the browser. The best example is the principle of the CSRF cross-site attack: the request reaches the back-end server whether or not it is cross-domain. Note: some browsers, such as Chrome and Firefox, do not allow cross-domain access from an HTTPS domain to HTTP and intercept the request before it is sent. This is a special case.)

More: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS

CORS

CORS stands for Cross-Origin Resource Sharing. The server only needs to add the relevant response headers to allow the client to send cross-domain AJAX requests.

@CrossOrigin

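1. Put @CrossOrigin directly on a Controller to allow cross-domain access for all of its requests. origins = "*" represents all origins.

    // Class level: applies to every handler method in the controller
    @CrossOrigin(origins = "http://domain2.com", maxAge = 3600)
    @RestController
    @RequestMapping("/account")
    public class AccountController {

        @RequestMapping("/{id}")
        public Account retrieve(@PathVariable Long id) {
            // ...
        }

        @RequestMapping(method = RequestMethod.DELETE, path = "/{id}")
        public void remove(@PathVariable Long id) {
            // ...
        }
    }

    // Class level and method level combined
    @CrossOrigin(maxAge = 3600)
    @RestController
    @RequestMapping("/account")
    public class AccountController {

        @CrossOrigin("http://domain2.com")
        @RequestMapping("/{id}")
        public Account retrieve(@PathVariable Long id) {
            // ...
        }

        @RequestMapping(method = RequestMethod.DELETE, path = "/{id}")
        public void remove(@PathVariable Long id) {
            // ...
        }
    }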

Another method: CorsFilter. Its main purpose is to add the relevant response headers, and it can be implemented as a Filter.

    @Configuration
    public class BeanConfiguration {

        @Bean
        public CorsFilter corsFilter() {
            final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
            final CorsConfiguration corsConfiguration = new CorsConfiguration();
            corsConfiguration.setAllowCredentials(true);
            // Allow every origin, request header and HTTP method
            corsConfiguration.addAllowedOrigin("*");
            corsConfiguration.addAllowedHeader("*");
            corsConfiguration.addAllowedMethod("*");
            // Apply this configuration to all paths
            urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
            return new CorsFilter(urlBasedCorsConfigurationSource);
        }
    }

  1. Access-Control-Allow-Origin: the client domain name that is allowed access, for example: http://web.xxx.com. If it is *, access is allowed from any domain, that is, no restriction is applied.
  2. Access-Control-Allow-Methods: the method names that are allowed. Multiple method names are separated by commas, for example: GET, POST, PUT, DELETE, OPTIONS.
  3. Access-Control-Allow-Credentials: whether the request is allowed to carry authentication information. If you want to get the cookie under the client domain, it needs to be set to true.
  4. Access-Control-Allow-Headers: the client request headers that the server allows. Multiple request headers are separated by commas, for example: Content-Type.
  5. Access-Control-Expose-Headers: the server response headers that the client is allowed to access. Multiple response headers are separated by commas.
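The CorsFilter bean restricted to an explicit allow-list, with each setter labelled by the response header from the list above that it controls. This is an added example, not code from the original article; the class name StrictCorsConfiguration, the origin https://web.example.com and the header names Authorization and X-Request-Id are placeholders.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Hypothetical class name; origin and header names below are placeholders.
@Configuration
public class StrictCorsConfiguration {

    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();

        // Access-Control-Allow-Origin: only origins in this list are accepted.
        // Credentialed requests need an explicit origin: browsers reject a "*"
        // answer when cookies are sent, and Spring Framework 5.3+ throws
        // IllegalArgumentException if "*" is combined with allowCredentials(true).
        config.setAllowedOrigins(Collections.singletonList("https://web.example.com"));

        // Access-Control-Allow-Credentials: true (cookies may accompany the request)
        config.setAllowCredentials(true);

        // Access-Control-Allow-Methods
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));

        // Access-Control-Allow-Headers
        config.setAllowedHeaders(Arrays.asList("Content-Type", "Authorization"));

        // Access-Control-Expose-Headers
        config.setExposedHeaders(Collections.singletonList("X-Request-Id"));

        // Access-Control-Max-Age: how long the browser may cache the preflight result
        config.setMaxAge(3600L);

        // Register the configuration for every path
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}
```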

That is the whole content of this article. I hope it will be helpful to everyone's learning, and I hope you will support Script Home.


Permanent link to this article: http://www.script-home.com/solving-the-problem-of-java-spring-boot-2-cross-domain.html | Script Home
