12-SpringBoot Cross-domain Problem

1. Overview

1. What is Cross-Domain Request (CORS)

Cross-domain requests means that when a browser executes an ajax request for a script file, the service address of the script file is different from the service address requested.**To put it plainly, when the ip, network protocol and port are the same, they are the same domain, otherwise they are cross-domain.** This is due to Netscape's well-known security policy, Homology, which is a security restriction imposed by browsers on JavaScript.It is a measure to prevent scripts from maliciously attacking the server from outside the network.

2. Judging Cross-Domain

The same protocol, the same ip, the same port, one of the three different results in cross-domain.

The following are cross-domain requests:

Cross-domain problem description Example
Domain name is different Http://
Ports are different andHttp://
Network protocols are different (https and http) Http://

If the protocol, domain name, and port are all the same, but the request paths are different, this is not a cross-domain problem: and

3. Cross-domain Solutions

Front End Solutions:

  1. Implement cross-domain calls using JSONP.
  2. Using NodeJS server as server proxy, the front-end sends requests to NodeJS server, and the NodeJS server proxy forwards requests to the back-end server.
  3. Setting up a browser allows cross-domain access, such as the Chrome browser settings--disable-web-security property, which is only applicable for development debugging in a development environment.

Backend solution:

  1. The server sets Acess-Control-Allow-Origin for Response Header (which can be set using Filter in development).
  2. Set up classes and methods that require cross-domain access to allow cross-domain access (such as using the @CrossOrigin annotation in Spring).
  3. Inherit CorsFilter using Spring Web (for Spring MVC, SpringBoot).
  4. Implement the WebMvcConfigurer interface (for SpringBoot).

2. Cross-domain configuration of Spring Boot

1. Configure using Filter

Use a Filter to Filter requests, and set the Acess-Control-Allow-Origin property declaration of the Rsponse Header (Response Header) to the requester to allow cross-domain access.

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class CorsFilter implements Filter {
    public void init(FilterConfig filterConfig) throws ServletException {


    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest)servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        //Set up all domain name access
        //Set Send Cookie Information
        //Set which original domains are released (request mode)
        //Set the validity period for the specified pre-check request in seconds during which no further pre-check request will be issued
        //Set which original fields are released (header information)
        response.setHeader("Access-Control-Allow-Headers","Origin, X-Requested-With, Content-Type, Accept,cmreqeust,cnreqeust,token");

    public void destroy() {


Access-Control-Max-Age value description:

The browser's homology policy is to restrict cross-domain HTTP requests initiated from scripts for security reasons (e.g. asynchronous requests GET, POST, PUT, DELETE,OPTIONS, etc.), so the browser makes two requests to the requested server, the first one is that the browser initiates a preview request using the OPTIONS method, the second is really asynchronous, the first one is that the server knows whether to allow the cross-domain request: if allowed, the second real request is initiated; if not, the second request is interceptedRequest.

2. Configure with the @CrossOrigin annotation

Use the @CrossOrigin annotation to declare classes and methods to allow cross-domain access (added to Controller)

public class UserController {
    private UserService userServiceImpl;

    public Results getList(@RequestBody ListReqDto model){
        IPage<ExchangeCouponModel> list = userServiceImpl.getExchangeCouponList(model);
        Results results = Results.success(list);
        return results;
3. Inherit using CorsFilter configuration in Spring Web
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import java.util.Arrays;

public class CustomCorsFilter extends CorsFilter {
    public CustomCorsFilter(CorsConfigurationSource configSource) {

    private static UrlBasedCorsConfigurationSource configurationSource(){
        CorsConfiguration config = new CorsConfiguration();
        //Set send cookie information
        //Set up all domain name access
        //Set free those original domains
        //Set the validity period for the specified pre-check request
        //Set which original domains are released (request mode)
        //Register CORS filter
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        //Configure Accessible Configurations
        return source;
4. Implement WebMvcConfigurer interface

The WebMvcConfigurerAdaper class is obsolete in Springboot version 2.0 and can be implemented by implementing the WebConfigurer interface.

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

public class CorsConfig implements WebMvcConfigurer {
    //Override the interface provided by the parent class for cross-domain request processing
    public void addCorsMappings(CorsRegistry registry) {
        //Add Mapping Path
                //Release those original domains
                //Whether to send Cookie information
                //Which original domains are released (request method)
                //Rest assured of which original domains (header information)
                //Expose which header information (because cross-domain access does not get all header information by default)
                //Set the validity period for the specified pre-check request

Tags: Spring network SpringBoot Java

Posted on Thu, 11 Jun 2020 23:19:37 -0400 by chawezul