security cross-domain configuration
2022-08-02 00:07:00 【Program three two lines】
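I. Overview
1. What is cross-origin?
CORS (cross-origin resource sharing) is a method specified by the W3C for requesting resources across origins. Two URLs have the same origin only when their protocol, IP (host) and port are all identical; otherwise the request is cross-origin. The early JavaEE answer to cross-origin scenarios was JSONP. JSONP (JSON with Padding) is a "usage pattern" of JSON that lets a web page obtain data from another domain (website), that is, read data across origins. However, JSONP only supports GET, whereas CORS supports multiple request methods and is the mainstream cross-origin solution today.
2. How CORS handles cross-origin requests
CORS adds a set of HTTP header fields through which the server tells the browser which sites are allowed to access it through the browser. It also stipulates that for HTTP request methods that may modify server data (such as HTTP requests other than GET), the browser must first send a preflight request using the OPTIONS method. The purpose of the preflight request is to find out whether the server supports the upcoming cross-origin request; only if the server allows it does the browser send the actual HTTP request. In the response to the preflight request, the server can also tell the client whether credentials such as cookies or HTTP authentication information need to be sent.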
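The preflight exchange described above, modelled in plain Java as an added example (not code from the original article and not Spring's implementation). The allowed origin, methods, headers and max-age are assumed values chosen to resemble the configurations used later in this article, and the sample requests are constructed.

```java
import java.util.*;

/** Added example: models the server side of a CORS preflight. Not Spring code. */
public class PreflightDemo {
    // Assumed policy values for illustration only.
    static final Set<String> ALLOWED_ORIGINS = Set.of("http://localhost:8080");
    static final Set<String> ALLOWED_METHODS = Set.of("GET", "POST");
    static final Set<String> ALLOWED_HEADERS = Set.of("content-type", "authorization");
    static final long MAX_AGE_SECONDS = 3600;

    /** Returns the CORS response headers for a preflight, or an empty map if it is rejected. */
    static Map<String, String> preflight(Map<String, String> req) {
        String origin = req.get("Origin");
        String method = req.get("Access-Control-Request-Method");
        // Exact match on scheme + host + port; an unknown Origin is never echoed back.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) return Map.of();
        if (method == null || !ALLOWED_METHODS.contains(method)) return Map.of();
        String requested = req.getOrDefault("Access-Control-Request-Headers", "");
        for (String h : requested.split(",")) {
            String name = h.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty() && !ALLOWED_HEADERS.contains(name)) return Map.of();
        }
        Map<String, String> resp = new LinkedHashMap<>();
        resp.put("Access-Control-Allow-Origin", origin);
        resp.put("Access-Control-Allow-Methods", String.join(", ", new TreeSet<>(ALLOWED_METHODS)));
        if (!requested.isEmpty()) resp.put("Access-Control-Allow-Headers", requested);
        resp.put("Access-Control-Max-Age", Long.toString(MAX_AGE_SECONDS));
        resp.put("Vary", "Origin"); // caches must not reuse this answer for another origin
        return resp;
    }

    public static void main(String[] args) {
        // Constructed preflight requests (sample input, not captured traffic).
        Map<String, String> ok = Map.of("Origin", "http://localhost:8080",
                "Access-Control-Request-Method", "POST",
                "Access-Control-Request-Headers", "Content-Type");
        Map<String, String> wrongPort = Map.of("Origin", "http://localhost:9090",
                "Access-Control-Request-Method", "POST");
        Map<String, String> badMethod = Map.of("Origin", "http://localhost:8080",
                "Access-Control-Request-Method", "DELETE");
        System.out.println("allowed   -> " + preflight(ok));
        System.out.println("wrongPort -> " + preflight(wrongPort));
        System.out.println("badMethod -> " + preflight(badMethod));
    }
}
```

An empty result means the response carries no CORS headers, so the browser does not send the actual request.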
3. Simple requests

4. Complex requests

II. Cross-origin solutions
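1. The @CrossOrigin annotation in Spring MVC
The annotation can be placed on a method or on the controller class; when placed on the class, all of its methods support cross-origin access. @CrossOrigin supports the following attributes:
- allowCredentials: whether the browser should send credential information such as cookies
- allowedHeaders: the request header fields that are allowed; * means all fields
- exposedHeaders: which response headers may be exposed as part of the response
- maxAge: how long the preflight result stays valid; within that period no new preflight request is needed; the default is 1800 seconds
- methods: the allowed request methods; * means all methods
- origins: the allowed origins; several may be listed, * means all origins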
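    @RequestMapping("/touser")
    // Each origin must include the scheme, because the browser's Origin header does
    @CrossOrigin(origins = {"http://localhost:8081", "http://localhost:8082"})
    public String toUser() {
        return "user";
    }

2. Configuration in Spring MVC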
Override the addCorsMappings method of WebMvcConfigurer in a custom Spring MVC configuration class to handle CORS globally.
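    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Configuration
    public class ConfigMy implements WebMvcConfigurer {
        /**
         * Cross-origin configuration
         */
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**") // which request paths the CORS rules apply to
                    .allowedOrigins("http://localhost:8082", "http://localhost:8081", "http://localhost:8080")
                    .allowCredentials(false)
                    .allowedMethods("GET", "POST")
                    .allowedHeaders("*")
                    .maxAge(3600);
        }
    }

3. The Spring Web CorsFilter approach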
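    import java.util.Arrays;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    @Configuration
    public class ConfigMy {
        @Bean
        FilterRegistrationBean<CorsFilter> corsFilter() {
            FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<CorsFilter>();
            CorsConfiguration corsConfiguration = new CorsConfiguration();
            corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
            corsConfiguration.setAllowedMethods(Arrays.asList("*"));
            corsConfiguration.setAllowedOrigins(Arrays.asList("http://localhost:8080"));
            corsConfiguration.setMaxAge(3600L);
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", corsConfiguration);
            registrationBean.setFilter(new CorsFilter(source));
            // Set the filter order; a low value such as -1 runs this filter early in the chain
            registrationBean.setOrder(-1);
            return registrationBean;
        }
    }

4. Cross-origin solution with Spring Security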
Once Spring Security is introduced, the @CrossOrigin annotation and the addCorsMappings configuration above stop working. Whether the CorsFilter approach stops working depends on the order of that filter relative to the filters that Spring Security brings with it.
Execution order of filters, DispatcherServlet and interceptors:
client -> web filter (security filter) -> DispatcherServlet -> interceptor -> controller
A non-simple request triggers a preflight request. The preflight request carries no authentication information, so Spring Security intercepts it; this is why handling CORS through @CrossOrigin or the MVC configuration has no effect. If the CorsFilter runs before Spring Security's filters, it works. Spring Security's own way of handling CORS is:
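    import java.util.Arrays;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and().formLogin()
                    // Enable CORS handling and supply its configuration
                    .and().cors().configurationSource(configurationSource())
                    .and().csrf().disable();
        }

        // Cross-origin configuration
        CorsConfigurationSource configurationSource() {
            CorsConfiguration corsConfiguration = new CorsConfiguration();
            corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
            corsConfiguration.setAllowedMethods(Arrays.asList("*"));
            corsConfiguration.setAllowedOrigins(Arrays.asList("http://localhost:8080"));
            corsConfiguration.setMaxAge(3600L);
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", corsConfiguration);
            return source;
        }
    }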
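
Why the filter order described in this section decides the outcome, as an added plain-Java model (not from the original article, and not Spring's real filter chain). AUTH and CORS are hypothetical stand-ins for Spring Security's filters and CorsFilter, the ":method" key is an assumed way to carry the HTTP method, and the preflight request is constructed.

```java
import java.util.*;

/** Added example: a toy filter chain, not Spring's FilterChainProxy. */
public class FilterOrderDemo {
    static class Exchange {
        final Map<String, String> request;
        final Map<String, String> responseHeaders = new LinkedHashMap<>();
        int status = 200;
        boolean done = false; // true once a filter has answered the request
        Exchange(Map<String, String> request) { this.request = request; }
    }
    interface Filter { void apply(Exchange ex); }

    // Stand-in for the security filters: reject anything without credentials.
    static final Filter AUTH = ex -> {
        if (!ex.request.containsKey("Cookie") && !ex.request.containsKey("Authorization")) {
            ex.status = 401;
            ex.done = true;
        }
    };
    // Stand-in for CorsFilter: answer a preflight itself and stop the chain.
    static final Filter CORS = ex -> {
        boolean preflight = "OPTIONS".equals(ex.request.get(":method"))
                && ex.request.containsKey("Access-Control-Request-Method");
        if (preflight && "http://localhost:8080".equals(ex.request.get("Origin"))) {
            ex.responseHeaders.put("Access-Control-Allow-Origin", "http://localhost:8080");
            ex.responseHeaders.put("Access-Control-Allow-Methods", "GET, POST");
            ex.done = true;
        }
    };

    static Exchange run(List<Filter> chain, Map<String, String> request) {
        Exchange ex = new Exchange(request);
        for (Filter f : chain) {
            if (ex.done) break;
            f.apply(ex);
        }
        return ex;
    }

    public static void main(String[] args) {
        // Constructed preflight: it carries no Cookie and no Authorization header.
        Map<String, String> preflight = Map.of(":method", "OPTIONS",
                "Origin", "http://localhost:8080", "Access-Control-Request-Method", "POST");
        for (List<Filter> chain : List.of(List.of(AUTH, CORS), List.of(CORS, AUTH))) {
            Exchange ex = run(chain, preflight);
            System.out.println((chain.get(0) == AUTH ? "auth first: " : "cors first: ")
                    + ex.status + " " + ex.responseHeaders);
        }
    }
}
```

With the authentication stand-in first, the preflight ends in 401 with no CORS headers, which the browser treats as a failed preflight; with the CORS stand-in first, the preflight is answered before authentication is consulted.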