Spring Security cross-origin (CORS) configuration
2022-08-02 00:07:00 【Program three two lines】
I. Overview
1. What is cross-origin
CORS (Cross-Origin Resource Sharing) is a W3C-specified mechanism for requesting resources across origins. Concretely, two URLs are the same origin only when protocol, host (IP) and port all match; otherwise the request is cross-origin. The early Java EE solution to cross-origin scenarios was JSONP. JSONP (JSON with Padding) is a "usage pattern" of JSON that lets a web page fetch data from another domain (site), i.e. read data across origins. But JSONP only supports GET, whereas CORS supports multiple request methods and is the mainstream cross-origin solution today.
2. How CORS handles a cross-origin request
CORS adds a set of HTTP header fields. Through these fields the server tells the browser which sites are permitted to access it via the browser. At the same time it stipulates that for HTTP request methods that may modify server data (HTTP requests other than GET, for example), the browser must first issue a preflight request using the OPTIONS method. The purpose of the preflight request is to find out whether the server supports the cross-origin request about to be sent; only if the server allows it is the actual HTTP request sent. In the response to the preflight request, the server can also tell the client whether identity credentials such as cookies or HTTP authentication information need to be carried.
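To make the preflight flow above concrete, here is a minimal hand-written CORS servlet filter. It is an added illustration, not code from the original post or from Spring: it assumes a javax.servlet container (Spring Boot 2.x era), and the origins in ALLOWED_ORIGINS are constructed sample values. It shows the three decisions a CORS endpoint makes: is the Origin on the allowlist (matched exactly, never echoed blindly), is this an OPTIONS preflight that should be answered and stopped, and are credentials permitted (which is why the allowlist holds concrete origins rather than "*").

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ManualCorsFilter implements Filter {

    // Allowlist of full origins (scheme + host + port); constructed sample values.
    // Comparison is an exact string match, so "https://localhost:8081" is a
    // different origin from "http://localhost:8081".
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("http://localhost:8081", "http://localhost:8082");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        if (origin == null) {
            // Same-origin or non-browser client: CORS does not apply.
            chain.doFilter(req, res);
            return;
        }

        if (!ALLOWED_ORIGINS.contains(origin)) {
            // Unknown origin: reject rather than reflect it back in the response.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CORS request");
            return;
        }

        // The response now depends on the Origin header, so tell caches so.
        response.addHeader("Vary", "Origin");
        response.setHeader("Access-Control-Allow-Origin", origin);
        // Cookies / HTTP auth are only attached by the browser when this is "true";
        // the spec forbids combining it with a wildcard origin.
        response.setHeader("Access-Control-Allow-Credentials", "true");

        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // Preflight: answer the browser's question and stop; the real
            // request arrives separately if the browser is satisfied.
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            // Seconds the browser may cache this answer before preflighting again.
            response.setHeader("Access-Control-Max-Age", "1800");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        // Actual request (simple, or already preflighted): let it through.
        chain.doFilter(req, res);
    }
}
```

Registered early in the filter chain, this filter answers the OPTIONS preflight before any authentication filter sees it, which is exactly the ordering problem that section II.4 below deals with for Spring Security.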
3. Simple requests
4. Complex requests
II. Cross-origin solutions
1. The Spring MVC annotation approach: @CrossOrigin
The annotation can be placed on a method or on the controller class; when added to the class, every method in it supports cross-origin requests. The attributes supported by @CrossOrigin are as follows:
- allowCredentials: whether the browser should send credential information such as cookies
- allowedHeaders: the request header fields that are allowed; * denotes all fields
- exposedHeaders: which response headers may be exposed as part of the response
- maxAge: validity period of the preflight response; within it the preflight request need not be sent again; the default is 1800 seconds
- methods: the allowed request methods; * denotes all methods
- origins: the allowed origins; there can be several, and * denotes all origins
```java
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    // The Origin header sent by the browser always carries a scheme, and Spring
    // compares it to these strings exactly, so the scheme must be included.
    @RequestMapping("/touser")
    @CrossOrigin(origins = {"http://localhost:8081", "http://localhost:8082"})
    public String toUser() {
        return "user";
    }
}
```
2. The Spring MVC configuration approach
Customise the Spring MVC configuration by overriding the addCorsMappings method of a WebMvcConfigurer class; this handles cross-origin requests globally.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class ConfigMy implements WebMvcConfigurer {

    /**
     * Cross-origin configuration
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**") // which paths accept cross-origin requests
                .allowedOrigins("http://localhost:8082", "http://localhost:8081", "http://localhost:8080")
                .allowCredentials(false)
                .allowedMethods("GET", "POST")
                .allowedHeaders("*")
                .maxAge(3600);
    }
}
```
3. The Spring Web filter approach: CorsFilter
```java
import java.util.Arrays;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class ConfigMy {

    @Bean
    FilterRegistrationBean<CorsFilter> corsFilter() {
        FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<>();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setAllowedMethods(Arrays.asList("*"));
        corsConfiguration.setAllowedOrigins(Arrays.asList("http://localhost:8080"));
        corsConfiguration.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        registrationBean.setFilter(new CorsFilter(source));
        // Specify the filter order: -1 means it runs before all built-in filters
        registrationBean.setOrder(-1);
        return registrationBean;
    }
}
```
4. The Spring Security cross-origin solution
Once Spring Security is introduced, the @CrossOrigin and configuration approaches above stop working; whether the CorsFilter approach stops working depends on the order of that filter relative to the filters Spring Security brings with it.
Execution order of filters, the DispatcherServlet and interceptors:
client -> web filter (security filter) -> DispatcherServlet -> interceptor -> controller
A preflight request is issued for non-simple requests. The preflight request does not carry authentication information, so it is intercepted by Spring Security; that is why handling cross-origin requests through @CrossOrigin and the MVC configuration is ineffective. If the CorsFilter runs before Spring Security, it still works. Spring Security's own way of handling cross-origin requests:
```java
import java.util.Arrays;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and().formLogin()
                // Add the cross-origin and related configuration
                .and().cors().configurationSource(configurationSource())
                .and().csrf().disable();
    }

    // Cross-origin configuration
    CorsConfigurationSource configurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setAllowedMethods(Arrays.asList("*"));
        corsConfiguration.setAllowedOrigins(Arrays.asList("http://localhost:8080"));
        corsConfiguration.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }
}
```