Spring Boot (10): Upgrading to Spring Boot 2.0, the @CrossOrigin cross-origin problem


In Spring Boot 1.5, configuring cross-origin access was usually just a matter of adding the @CrossOrigin annotation to a controller or to a single handler method, like this:

But after upgrading to Spring Boot 2.0 (Spring Framework 5.0.2), the browser reports an error.

Looking at the response to the OPTIONS (preflight) request, the Access-Control-Allow-Origin header is *.

For a request sent with credentials, the Access-Control-Allow-Origin response header must name the specific origin (browsers reject the wildcard * in that case), and for the browser to attach cookies the response must also carry
Access-Control-Allow-Credentials: true

Let's look at the @CrossOrigin source.

springframework 4.3.12:

/**
 * Whether the browser should include any cookies associated with the
 * domain of the request being annotated.
 * <p>Set to {@code "false"} if such cookies should not be included.
 * An empty string ({@code ""}) means <em>undefined</em>.
 * {@code "true"} means that the pre-flight response will include the header
 * {@code Access-Control-Allow-Credentials=true}.
 * <p>If undefined, credentials are allowed.
 */
String allowCredentials() default "";

springframework 5.0.2:

/**
 * Whether the browser should send credentials, such as cookies along with
 * cross domain requests, to the annotated endpoint. The configured value is
 * set on the {@code Access-Control-Allow-Credentials} response header of
 * preflight requests.
 * <p><strong>NOTE:</strong> Be aware that this option establishes a high
 * level of trust with the configured domains and also increases the attack
 * surface of the web application by exposing sensitive user-specific
 * information such as cookies and CSRF tokens.
 * <p>By default this is not set in which case the
 * {@code Access-Control-Allow-Credentials} header is also not set and
 * credentials are therefore not allowed.
 */
String allowCredentials() default "";

The key point is here:
By default this is not set in which case the {@code Access-Control-Allow-Credentials} header is also not set and credentials are therefore not allowed.

So the cause is the changed default: in 4.3.12 an unset allowCredentials meant "credentials allowed", whereas in 5.0.2 an unset value means the header is simply not emitted and credentials are refused, which is effectively false. Now look at DefaultCorsProcessor:

if (Boolean.TRUE.equals(config.getAllowCredentials())) {
    responseHeaders.setAccessControlAllowCredentials(true);
}

Only when allowCredentials is true does the response get Access-Control-Allow-Credentials: true, and only then will the browser let the client send its credentials (cookies, etc.) along with the request.

Solution:

Set allowCredentials to "true" in the annotation.
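The fix in context, as an added example (not code from the original post). The controller and the origin https://app.example.com are hypothetical; the first handler keeps the Spring Boot 1.5 habit that breaks on Spring Framework 5.x, the second applies the fix, and the configuration class below shows the equivalent global mapping for projects that prefer not to annotate every controller.

```java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical demo controller; the paths and origin are assumptions.
@RestController
public class ProfileController {

    // Before: the bare annotation that worked on Spring Boot 1.5.
    // origins defaults to "*" and allowCredentials is unset, so on
    // Spring Framework 5.x the preflight answer is
    //   Access-Control-Allow-Origin: *
    // with no Access-Control-Allow-Credentials header. A browser request made
    // with XMLHttpRequest.withCredentials = true or fetch(..., {credentials: "include"})
    // is therefore blocked by the browser.
    @CrossOrigin
    @GetMapping("/api/profile-old")
    public String profileOld() {
        return "{\"user\":\"demo\"}";
    }

    // After: name the trusted origin explicitly and opt in to credentials.
    // With allowCredentials = "true", Spring echoes the request's Origin back
    // instead of "*" (a wildcard is not valid alongside credentials) and adds
    //   Access-Control-Allow-Credentials: true
    // Note that allowCredentials is a String attribute, hence "true".
    @CrossOrigin(origins = "https://app.example.com", allowCredentials = "true")
    @GetMapping("/api/profile")
    public String profile() {
        return "{\"user\":\"demo\"}";
    }
}

// Equivalent global configuration for all /api/** handlers.
@Configuration
class CorsConfig {

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/api/**")
                        // Keep this list tight: every origin here can read
                        // cookie-authenticated responses from this application.
                        .allowedOrigins("https://app.example.com")
                        .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                        .allowCredentials(true)
                        .maxAge(3600);
            }
        };
    }
}
```

The Javadoc quoted above is the reason to avoid pairing allowCredentials with a wildcard: whichever origins you list gain access to the user's cookie-authenticated responses, so list only the front ends you actually operate. Spring Framework 5.3 and later enforce this and reject allowCredentials = true together with origins = "*" at startup (use an explicit list, or allowedOriginPatterns, instead).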

The response then looks like this:
