所请求的资源上不存在“ Access-Control-Allow-Origin”标头（春季） [英] No 'Access-Control-Allow-Origin' header is present on the requested resource (Spring)

问题描述

我知道论坛上有很多关于此问题的话题，但是仍然没有找到解决方案。

I know there are a lot threads on the forum about this issue but still haven't figure out a solution.

因此，我在一个我的vps上的私有JVM / tomcat 8.5.30。一个是我的ROOT.war，另一个是admin.war，它们可以从 http://example.com 和 http://example.com/admin

So, I have deployed two applications in a private JVM/tomcat 8.5.30 on my vps. The one is my ROOT.war and the other one is the admin.war They were accesible from http://example.com and http://example.com/admin

在我安装ssl证书之前，一切正常。安装它并强制https重定向后，我的admin.war遇到了问题（现在它们都可以从 https：// example访问。 com 和 https://example.com/admin ）

Before I installed a ssl certificate everything worked fine. After installing it and forcing https redirect I am facing a problem with my admin.war (now they are both accesible from https://example.com and https://example.com/admin)

我的管理员使用很多jquery（我无法更改它），每次尝试提交某些内容时都会收到此错误

My admin works with a lot of jquery (I cannot change that) and I am getting this error every time I am trying to submit something

Access to XMLHttpRequest at 'http: //example.com/admin/add' from origin 'https: //example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

因此，我正在尝试通过Spring Security解决此问题。在我的安全配置中，我有

So I am trying to fix this via spring security. In my security configuration I have

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SiteSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .cors().and()
         //.....
         }


  @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
        configuration.setAllowedHeaders(Arrays.asList("Access-Control-Allow-Headers"));
        configuration.addExposedHeader("Access-Control-Allow-Headers");
        configuration.setAllowedMethods(Arrays.asList("POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

我同时为我的root应用程序和管理员执行此操作应用程序（我不知道对他们两个来说是否正确）。仍然无效。

I do this for both my root app and my admin app ( I don't know if that's correct to do it for both of them). Still doesn't work.

有什么帮助吗？

谢谢！

推荐答案

如果看到错误

'http://example.com/admin/add' from origin 'https://example.com' has been blocked

有2个问题

1我想您的 / add API调用未重定向到https。理想情况下，它应该是 https://example.com/admin/add 或您解决此问题

1 I guess your /add API call is not getting redirected to https. Ideally it should be https://example.com/admin/add Either you resolve this

或

2将Admin App中的 setAllowedOrigins 更改为http

2 Change setAllowedOrigins in your Admin App to http as well like this

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("https://example.com", "http://example.com"));
    configuration.setAllowedHeaders(Arrays.asList("Access-Control-Allow-Headers"));
    configuration.addExposedHeader("Access-Control-Allow-Headers");
    configuration.setAllowedMethods(Arrays.asList("POST"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

这篇关于所请求的资源上不存在“ Access-Control-Allow-Origin”标头（春季）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！