迁移到Spring Boot 2.0.x时,全局CORS配置中断 [英] Global CORS configuration breaks when migrating to Spring Boot 2.0.x
问题描述
为什么在Spring Boot 2.0.x(我的情况是2.0.1RELEASE)下,不再响应飞行前控制呼叫(OPTIONS)而发送访问控制允许凭据?这是我的Global CORS配置,在Spring Boot 1.5.6下可以正常工作:
Why is my 'Access-Control-Allow-Credentials' no longer being sent in response to preflight calls (OPTIONS) under Spring Boot 2.0.x (2.0.1.RELEASE in my case)? Here is my Global CORS Configuration that works fine under Spring Boot 1.5.6:
@Configuration
public class CorsConfig {
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins(
"http://localhost:3000",..)
.allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD");
}
};
}}
我对pom的依赖(我在做我自己的安全性并避免使用Spring Security) :
My pom dependencies (I am doing my own security and avoiding Spring Security):
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
我对REST端点的服务调用在预检前失败:
My service call to the REST endpoints fails the preflight:
无法加载 http:// localhost:8080 / api / v5 / sec / auth :对预检请求的响应未通过访问控制检查:响应中 Access-Control-Allow-Credentials标头的值为,必须为'true'当请求的凭据模式为包含时。因此,不允许访问源' http:// localhost:3000 。
Failed to load http://localhost:8080/api/v5/sec/auth: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:3000' is therefore not allowed access.
我已经验证了在Spring Boot 1.5.6的情况下确实存在 Access-Control-Allow-Credentials标头,而在Spring Boot 2.0.1下却不存在。
I have verified that 'Access-Control-Allow-Credentials' header is indeed present in the case of Spring Boot 1.5.6 and missing under Spring Boot 2.0.1.
我能找到的所有文档,包括spring.io上的最新文档在此说,即使WebMvcConfigurerAdapter现在似乎已被弃用,我的全局配置仍然正确。
All the documentation I can find, including the latest on spring.io here, says my global configuration is still correct, even though WebMvcConfigurerAdapter appears to be deprecated now.
更新:
以下是迁移前后的响应标头:
Here are the response headers before and after the migrate:
迁移之前(Spring Boot 1.5.6):
Before Migrate (Spring Boot 1.5.6):
访问权限- Control-Allow-Credentials:true
Access-Control-Allow-Origin: http:// localhost:3000
公司ntent-Type:application / json; charset = UTF-8
日期:Day,dd Mon yyyy hh:mm:ss GMT
传输编码:块状
变动:来源
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3000
Content-Type: application/json;charset=UTF-8
Date: Day, dd Mon yyyy hh:mm:ss GMT
Transfer-Encoding: chunked
Vary: Origin
迁移后(Spring Boot 2.0.1-缺少Access-Control-Allow-Credentials标头,但其他更改了) /添加):
After Migrate (Spring Boot 2.0.1 - Access-Control-Allow-Credentials header missing, but others changed/added):
访问控制允许标题:content-type
访问控制允许-方法:GET,HEAD,POST <-我指定的方法被忽略
Access-Control-Allow-Origin:* <-我指定的原点已忽略
访问控制最大年龄:1800
内容长度:0
日期:日,dd周一yyyy hh:mm:ss GMT
变量:Origin
变量:访问控制请求方法
变量: Access-Control-Request-Headers
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: GET,HEAD,POST <-- My specified methods ignored
Access-Control-Allow-Origin: * <-- My specified origin ignored
Access-Control-Max-Age: 1800
Content-Length: 0
Date: Day, dd Mon yyyy hh:mm:ss GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
推荐答案
Spring文档和许多示例都没有提供但是答案很简单。我只是在CorsRegistry上看到了allowCredentials()方法,并向注册表方法链中添加了.allowCredentials(true),并重新添加了Access-Control-Allow-Credentials标头。
This was missing from the Spring doc and many examples but the answer was very easy. I just saw the allowCredentials() method on CorsRegistry and added .allowCredentials(true) to the registry method chain and that added the Access-Control-Allow-Credentials header back in.
此外,我不再使用不推荐使用的WebMvcConfigurerAdapter,而是现在实现WebMvcConfigurer并重写addCorsMappings()方法。
Also, I no longer use the deprecated WebMvcConfigurerAdapter, but now implement WebMvcConfigurer and override the addCorsMappings() method.
@Configuration
public class CorsConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins(
"http://localhost:3000",..)
.allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD")
.allowCredentials(true)
;
}
}
这篇关于迁移到Spring Boot 2.0.x时,全局CORS配置中断的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!