迁移到Spring Boot 2.0.x时，全局CORS配置中断 [英] Global CORS configuration breaks when migrating to Spring Boot 2.0.x

问题描述

为什么在Spring Boot 2.0.x（我的情况是2.0.1RELEASE）下，不再响应飞行前控制呼叫（OPTIONS）而发送访问控制允许凭据？这是我的Global CORS配置，在Spring Boot 1.5.6下可以正常工作：

Why is my 'Access-Control-Allow-Credentials' no longer being sent in response to preflight calls (OPTIONS) under Spring Boot 2.0.x (2.0.1.RELEASE in my case)? Here is my Global CORS Configuration that works fine under Spring Boot 1.5.6:

@Configuration
public class CorsConfig {

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurerAdapter() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**")
                    .allowedOrigins(
                        "http://localhost:3000",..)
                    .allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD");
        }
    };
}}

我对pom的依赖（我在做我自己的安全性并避免使用Spring Security） ：

My pom dependencies (I am doing my own security and avoiding Spring Security):

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>

我对REST端点的服务调用在预检前失败：

My service call to the REST endpoints fails the preflight:

无法加载 http：// localhost：8080 / api / v5 / sec / auth ：对预检请求的响应未通过访问控制检查：响应中 Access-Control-Allow-Credentials标头的值为，必须为'true'当请求的凭据模式为包含时。因此，不允许访问源' http：// localhost：3000 。

Failed to load http://localhost:8080/api/v5/sec/auth: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:3000' is therefore not allowed access.

我已经验证了在Spring Boot 1.5.6的情况下确实存在 Access-Control-Allow-Credentials标头，而在Spring Boot 2.0.1下却不存在。

I have verified that 'Access-Control-Allow-Credentials' header is indeed present in the case of Spring Boot 1.5.6 and missing under Spring Boot 2.0.1.

我能找到的所有文档，包括spring.io上的最新文档在此说，即使WebMvcConfigurerAdapter现在似乎已被弃用，我的全局配置仍然正确。

All the documentation I can find, including the latest on spring.io here, says my global configuration is still correct, even though WebMvcConfigurerAdapter appears to be deprecated now.

更新：

以下是迁移前后的响应标头：

Here are the response headers before and after the migrate:

迁移之前（Spring Boot 1.5.6）：

Before Migrate (Spring Boot 1.5.6):

访问权限- Control-Allow-Credentials：true

Access-Control-Allow-Origin： http：// localhost：3000

公司ntent-Type：application / json; charset = UTF-8

日期：Day，dd Mon yyyy hh：mm：ss GMT

传输编码：块状

变动：来源

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3000
Content-Type: application/json;charset=UTF-8
Date: Day, dd Mon yyyy hh:mm:ss GMT
Transfer-Encoding: chunked
Vary: Origin

迁移后（Spring Boot 2.0.1-缺少Access-Control-Allow-Credentials标头，但其他更改了） /添加）：

After Migrate (Spring Boot 2.0.1 - Access-Control-Allow-Credentials header missing, but others changed/added):

访问控制允许标题：content-type

访问控制允许-方法：GET，HEAD，POST <-我指定的方法被忽略

Access-Control-Allow-Origin：* <-我指定的原点已忽略

访问控制最大年龄：1800

内容长度：0

日期：日，dd周一yyyy hh：mm：ss GMT

变量：Origin

变量：访问控制请求方法

变量： Access-Control-Request-Headers

Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: GET,HEAD,POST <-- My specified methods ignored
Access-Control-Allow-Origin: * <-- My specified origin ignored
Access-Control-Max-Age: 1800
Content-Length: 0
Date: Day, dd Mon yyyy hh:mm:ss GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers

推荐答案

Spring文档和许多示例都没有提供但是答案很简单。我只是在CorsRegistry上看到了allowCredentials（）方法，并向注册表方法链中添加了.allowCredentials（true），并重新添加了Access-Control-Allow-Credentials标头。

This was missing from the Spring doc and many examples but the answer was very easy. I just saw the allowCredentials() method on CorsRegistry and added .allowCredentials(true) to the registry method chain and that added the Access-Control-Allow-Credentials header back in.

此外，我不再使用不推荐使用的WebMvcConfigurerAdapter，而是现在实现WebMvcConfigurer并重写addCorsMappings（）方法。

Also, I no longer use the deprecated WebMvcConfigurerAdapter, but now implement WebMvcConfigurer and override the addCorsMappings() method.

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {

        registry.addMapping("/**")
                .allowedOrigins(
                        "http://localhost:3000",..)
                .allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD")
                .allowCredentials(true)
        ;
    }

}

这篇关于迁移到Spring Boot 2.0.x时，全局CORS配置中断的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！