Cross-domain
A resource initiates a cross-site HTTP request when it requests a resource from a domain other than the one that served the resource itself.
For example, a web application on domain A embeds an image resource (http://domainb.foo/image.jpg) from the site of domain B (http://domainb.foo) through an <img> tag. The web application on domain A thereby causes the browser to initiate a cross-site HTTP request. In today's web development, loading resources (including CSS, images, JavaScript scripts, and other resources) through cross-site HTTP requests has become common practice.
For security reasons, browsers restrict cross-site requests initiated from scripts. For example, HTTP requests made with the XMLHttpRequest object must comply with the same-origin policy. Specifically, a web application can use the XMLHttpRequest object to send HTTP requests only to the domain it was loaded from, and cannot send requests to any other domain. To build more powerful, richer and more secure web applications, developers want web technology to become more capable without losing security, for example by being able to use XMLHttpRequest to initiate a cross-site HTTP request. (This description of cross-domain is inaccurate. It is not that the browser restricts cross-domain requests from being sent: a cross-domain request can be initiated normally, but its result is intercepted by the browser. The best example is the principle behind the CSRF cross-domain attack: the request is sent to the back-end server regardless of whether it is cross-domain or not! Note: some browsers, such as Chrome and Firefox, do not allow cross-domain access to HTTPS domains. These browsers intercept the request before it is issued. This is a special case.)
more: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS
CORS
CORS stands for Cross-Origin Resource Sharing. The server only needs to add the relevant response headers to let the client issue cross-domain AJAX requests.
@CrossOrigin
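1. Use it directly on the Controller, so that all of the controller's request mappings accept cross-domain requests. origins = "*" means that requests from any origin are allowed.

    import org.springframework.web.bind.annotation.CrossOrigin;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RestController;

    // Class-level annotation: applies to every handler method in this controller.
    @CrossOrigin(origins = "http://domain2.com", maxAge = 3600)
    @RestController
    @RequestMapping("/account")
    public class AccountController {

        @RequestMapping("/{id}")
        public Account retrieve(@PathVariable Long id) {
            // ...
        }

        @RequestMapping(method = RequestMethod.DELETE, path = "/{id}")
        public void remove(@PathVariable Long id) {
            // ...
        }
    }

2. Use it on a method.

    // Class-level annotation sets maxAge for all handlers (same imports as above).
    @CrossOrigin(maxAge = 3600)
    @RestController
    @RequestMapping("/account")
    public class AccountController {

        // Method-level annotation: the allowed origin is set for this handler only.
        @CrossOrigin("http://domain2.com")
        @RequestMapping("/{id}")
        public Account retrieve(@PathVariable Long id) {
            // ...
        }

        @RequestMapping(method = RequestMethod.DELETE, path = "/{id}")
        public void remove(@PathVariable Long id) {
            // ...
        }
    }

Another method: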
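The main job of CorsFilter is to add the relevant response headers; the same can also be achieved with an ordinary Filter.

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    @Configuration
    public class BeanConfiguration {

        @Bean
        public CorsFilter corsFilter() {
            final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
            final CorsConfiguration corsConfiguration = new CorsConfiguration();
            // The setter is setAllowCredentials, not setAllowedCredentials.
            corsConfiguration.setAllowCredentials(true);
            // Wildcard origin together with credentials: Spring Framework 5.3 and later
            // throw IllegalArgumentException for this combination when a request is
            // processed. List the allowed origins explicitly when credentials are enabled.
            corsConfiguration.addAllowedOrigin("*");
            corsConfiguration.addAllowedHeader("*");
            corsConfiguration.addAllowedMethod("*");
            // Apply this CORS configuration to every path.
            urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
            return new CorsFilter(urlBasedCorsConfigurationSource);
        }
    }

Access-Control-Allow-Origin: the client domain name that is allowed access, for example http://web.xxx.com. If it is *, the resource can be accessed from any domain, that is, no restriction is applied.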
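The header semantics above, together with the earlier point that a cross-domain request still reaches the back end while the browser withholds the response, shown as an added example that is not code from the original article: a simplified JavaScript model of the check for a simple (non-preflighted) request. The function names, the policy object and http://other.example are assumptions made for illustration.

```javascript
// Simplified model of the CORS check for a simple (non-preflighted) request.
// Origins and policy values below are constructed for illustration.

// Server side: choose the CORS response headers for the request's Origin.
function corsHeaders(policy, origin) {
  const headers = {};
  if (policy.allowedOrigins.includes("*") && !policy.allowCredentials) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (policy.allowedOrigins.includes(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo only allowlisted origins
    headers["Vary"] = "Origin";
    if (policy.allowCredentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers;
}

// Browser side: may the calling script read the response?
function scriptMayRead(origin, headers, withCredentials) {
  const allow = headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (withCredentials) {
    // Credentialed requests need an exact origin match, never "*".
    return allow === origin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return allow === "*" || allow === origin;
}

// One exchange: the handler runs for every origin; only the read is gated.
function exchange(policy, origin, withCredentials, server) {
  server.handled += 1;
  const headers = corsHeaders(policy, origin);
  return { headers, readable: scriptMayRead(origin, headers, withCredentials) };
}

const server = { handled: 0 };
const strict = { allowedOrigins: ["http://web.xxx.com"], allowCredentials: true };
const open = { allowedOrigins: ["*"], allowCredentials: false };
const results = {
  allowlisted: exchange(strict, "http://web.xxx.com", true, server).readable,
  otherOrigin: exchange(strict, "http://other.example", true, server).readable,
  wildcardAnonymous: exchange(open, "http://other.example", false, server).readable,
  wildcardWithCookies: exchange(open, "http://other.example", true, server).readable,
};
console.log(results, "requests handled:", server.handled);
```

All four requests are handled by the server, including the two whose responses the script cannot read, which is why CORS headers are not a substitute for CSRF protection on state-changing endpoints.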