security cross-domain configuration
2022-08-02 00:07:00 【Program three two lines】
I. Overview
1. What is cross-origin
CORS (Cross-Origin Resource Sharing) is a W3C-specified mechanism for requesting resources across origins. Two URLs share the same origin only when protocol, host (IP) and port are all identical; anything else is a cross-origin request. The early Java EE answer to cross-origin scenarios was JSONP. JSONP (JSON with Padding) is a "usage pattern" of JSON that lets a page fetch data from another domain (site), i.e. read data across domains. JSONP only supports GET, however, whereas CORS supports multiple request methods and is the mainstream cross-origin solution today.
2. How CORS handles a cross-origin request
CORS adds a set of HTTP header fields. Through these fields the server tells the browser which origins may access it. The specification also requires that, for HTTP methods that may modify server data (methods other than GET and the like), the browser first sends an OPTIONS request, the preflight request. The preflight asks whether the server supports the upcoming cross-origin request; only if the server allows it does the browser send the actual HTTP request. In the preflight response the server can also tell the client whether credentials such as cookies or HTTP authentication information should be sent along.
3. Simple requests
4. Complex requests
II. Cross-origin solutions
1. The @CrossOrigin annotation in Spring MVC
The annotation can be placed on a method or on the controller class; when placed on the class, every method in it supports cross-origin requests. @CrossOrigin supports the following attributes:
- allowCredentials: whether the browser should send credential information such as cookies
- allowedHeaders: the request header fields that are allowed; * means all fields
- exposedHeaders: which response headers may be exposed to the page as part of the response
- maxAge: how long a preflight result stays valid; within that period no new preflight is sent. The default is 1800 seconds
- methods: the allowed request methods; * means all methods are allowed
- origins: the allowed origins, more than one may be given; * means all origins are allowed
```java
@RequestMapping("/touser")
// Origins are compared against the browser's Origin header, which always carries the scheme,
// so they must be written with it: "localhost:8081" alone would never match.
@CrossOrigin(origins = {"http://localhost:8081", "http://localhost:8082"})
public String toUser() {
    return "user";
}
```
2. Configuration in Spring MVC
Override the addCorsMappings method of a custom WebMvcConfigurer configuration class to handle cross-origin requests globally:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class ConfigMy implements WebMvcConfigurer {

    /**
     * Global cross-origin configuration
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**") // which request paths accept cross-origin calls
                .allowedOrigins("http://localhost:8082", "http://localhost:8081", "http://localhost:8080")
                .allowCredentials(false)
                .allowedMethods("GET", "POST")
                .allowedHeaders("*")
                .maxAge(3600);
    }
}
```
3. The Spring Web CorsFilter approach
```java
import java.util.Arrays;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class ConfigMy {

    @Bean
    FilterRegistrationBean<CorsFilter> corsFilter() {
        FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<>();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setAllowedMethods(Arrays.asList("*"));
        corsConfiguration.setAllowedOrigins(Arrays.asList("http://localhost:8080"));
        corsConfiguration.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        registrationBean.setFilter(new CorsFilter(source));
        // Filter order: -1 runs before the built-in filters registered at default order.
        // Note that Spring Boot registers the Security filter chain at order -100
        // (SecurityProperties.DEFAULT_FILTER_ORDER), so -1 still runs after Security.
        registrationBean.setOrder(-1);
        return registrationBean;
    }
}
```
4. Spring Security cross-origin solution
Once Spring Security is introduced, the @CrossOrigin annotation and the MVC configuration above stop working; whether the CorsFilter approach still works depends on the order of that filter relative to Security's own filters.
Execution order of filters, the DispatcherServlet and interceptors:
client -> web filter (Security filter) -> DispatcherServlet -> interceptor -> controller
For non-simple requests the browser first sends a preflight request. The preflight carries no authentication information, so Security intercepts it; this is why handling cross-origin requests through @CrossOrigin or the MVC configuration fails. If the CorsFilter runs before Security it still works. Security's own way of handling cross-origin requests is:
```java
import java.util.Arrays;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and().formLogin()
                // Enable CORS with the configuration below; Security places its CorsFilter
                // ahead of authentication, so the preflight is answered without credentials
                .and().cors().configurationSource(configurationSource())
                .and().csrf().disable();
    }

    // Cross-origin configuration
    CorsConfigurationSource configurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setAllowedMethods(Arrays.asList("*"));
        corsConfiguration.setAllowedOrigins(Arrays.asList("http://localhost:8080"));
        corsConfiguration.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }
}
```
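To verify that the ordering described above really holds, here is an added MockMvc test (not from the original post) run against the SecurityConfig shown above. It assumes a Spring Boot 2.x application with spring-boot-starter-web, spring-boot-starter-security and spring-boot-starter-test on the classpath; the path /touser and the origin http://localhost:8080 are taken from the post's own snippets, and http://other.example is a constructed origin that is not in the allow-list.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class CorsPreflightTest {

    @Autowired
    MockMvc mvc;

    // The preflight carries no session or credentials, yet it is answered with 200 and the
    // allowed origin echoed back: Security's CorsFilter runs before authentication.
    @Test
    void preflightFromAllowedOriginIsAnsweredWithoutLogin() throws Exception {
        mvc.perform(options("/touser")
                        .header(HttpHeaders.ORIGIN, "http://localhost:8080")
                        .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
                .andExpect(status().isOk())
                .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://localhost:8080"));
    }

    // An origin outside the allow-list is rejected by the CorsFilter itself (403 "Invalid CORS
    // request") before the request reaches authentication or any controller.
    @Test
    void preflightFromUnlistedOriginIsRejected() throws Exception {
        mvc.perform(options("/touser")
                        .header(HttpHeaders.ORIGIN, "http://other.example")
                        .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
                .andExpect(status().isForbidden());
    }

    // Passing CORS does not bypass authentication: the actual request from an anonymous
    // caller is still redirected to the form-login page by Security.
    @Test
    void actualRequestStillRequiresAuthentication() throws Exception {
        mvc.perform(get("/touser").header(HttpHeaders.ORIGIN, "http://localhost:8080"))
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrl("http://localhost/login"));
    }
}
```

Removing `.cors()` from SecurityConfig makes the first test fail with a redirect to the login page, which is exactly the symptom the text describes for the @CrossOrigin and MVC approaches.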