我使用 Spring Boot 2 和 REST API 制作了一些 Web 项目。我有两个项目,一个是rest API,另一个是调用rest API的Web项目。我已经在使用 @CrossOrigin(origins = "*")
。所以,它在 Controller 类中运行良好。
但是,当我向其他 Controller 类调用请求时,chrome 将其打印给我,从源“http://localhost:8081”访问“http://localhost:8080/signout/1234”处的 XMLHttpRequest ' 已被 CORS 策略阻止:对预检请求的响应未通过访问控制检查:它没有 HTTP 正常状态。
。我该如何解决这个问题?
这是我的工作 Controller 类。盲区没有其他特别之处:
@CrossOrigin(origins = "*")
@RestController
@RequestMapping("/admin")
public class AdminController {
...
@PutMapping("/users")
public User updateUser(@Valid @RequestBody User updatedUser) throws ResourceNotFoundException {
User savedUser = userRepository.findByUsername(updatedUser.getUsername());
savedUser.setPassword(updatedUser.getPassword());
savedUser = userRepository.save(savedUser);
return savedUser;
}
...
}
这是工作ajax:
var xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200){
...
} else if (this.status == 500) {
alert(this.responseText);
}
}
var json = JSON.stringify(param);
xmlHttp.open("POST", mainurl+"admin/role", false);
xmlHttp.setRequestHeader("Content-type", "application/json; charset=utf-8");
xmlHttp.send(json);
这不是工作 Controller 。起初我只是使用`@CrossOrigin(origins = "*")。
//@CrossOrigin(origins = "http://localhost:8081", allowedHeaders = "*")
@CrossOrigin(origins = "*", allowCredentials = "true", methods = {RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE})
@RestController
@RequestMapping("/")
public class UserController {
...
}
这不适用于 JWT 的 ajax。
$.ajax({
type: "DELETE",
url: "http://localhost:8080/signout/"+username,
async: true,
// crossDomain: true,
beforeSend: function (xhr) {
xhr.setRequestHeader("Authorization", 'Bearer '+ "${token}");
},
success: function(result, status, xhr){
//service 표시
},
error: function(xhr, status, err) {
alert(xhr.responseText);
}
});
// var xmlHttp = new XMLHttpRequest();
// xmlHttp.onreadystatechange = function() {
// if (this.readyState == 4 && this.status == 200){
// location.href=window.location.protocol + "//" + window.location.host + "/sso_ui/";
// } else if (this.status == 500) {
// alert(this.responseText);
// }
// }
// xmlHttp.open("DELETE", "http://localhost:8080/signout/"+username, false);
// xmlHttp.setRequestHeader("Content-type", "application/json; charset=utf-8");
// xmlHttp.setRequestHeader('Authorization', 'Bearer ' + "${token}");
// xmlHttp.send();
如何解决这个问题?
最佳答案
选项 1: 添加 RequestMethod.OPTIONS
@CrossOrigin(origins = "*", allowCredentials = "true", methods = {RequestMethod.OPTIONS, RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE})
为什么选择选项?
此飞行前请求 (RequestMethod.OPTIONS) 是由某些浏览器作为安全措施发出的,以确保正在执行的请求受到服务器的信任。这意味着服务器知道根据请求发送的方法、来源和 header 可以安全地执行操作。
<小时/>选项 2:CORS 的 WebConfig
您可以为 CORS 源配置创建一个 WebConfig 类,这样我们就不需要在每个 Controller 上编写 @CrossOrigin
。
WebConfig.java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
@EnableWebMvc
public class WebConfig implements Filter,WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
System.out.println("WebConfig; "+request.getRequestURI());
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Allow-Headers", "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With,observe");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Expose-Headers", "Authorization");
response.addHeader("Access-Control-Expose-Headers", "USERID");
response.addHeader("Access-Control-Expose-Headers", "ROLE");
response.addHeader("Access-Control-Expose-Headers", "responseType");
response.addHeader("Access-Control-Expose-Headers", "observe");
System.out.println("Request Method: "+request.getMethod());
if (!(request.getMethod().equalsIgnoreCase("OPTIONS"))) {
try {
chain.doFilter(req, res);
} catch(Exception e) {
e.printStackTrace();
}
} else {
System.out.println("Pre-flight");
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST,GET,DELETE,PUT");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Access-Control-Expose-Headers"+"Authorization, content-type," +
"USERID"+"ROLE"+
"access-control-request-headers,access-control-request-method,accept,origin,authorization,x-requested-with,responseType,observe");
response.setStatus(HttpServletResponse.SC_OK);
}
}
}
关于javascript - CORS 策略阻止 localhost,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56931810/