Configuring CORS
For security reasons, browsers prohibit AJAX calls to resources residing outside the current origin. When working with client-side HTTP requests issued by a browser, you want to enable specific HTTP resources to be accessible.
Spring Data REST, as of 2.6, supports Cross-Origin Resource Sharing (CORS) through Spring’s CORS support.
Repository Interface CORS Configuration
You can add a @CrossOrigin annotation to your repository interfaces to enable CORS for the whole repository. By default, @CrossOrigin allows all origins and HTTP methods. The following example shows a cross-origin repository interface definition:
@CrossOrigin
interface PersonRepository extends CrudRepository<Person, Long> {}
In the preceding example, CORS support is enabled for the whole PersonRepository. @CrossOrigin provides attributes to configure CORS support, as the following example shows:
@CrossOrigin(origins = "http://domain2.example",
    methods = { RequestMethod.GET, RequestMethod.POST, RequestMethod.DELETE },
    maxAge = 3600)
interface PersonRepository extends CrudRepository<Person, Long> {}
The preceding example enables CORS support for the whole PersonRepository by providing one origin, restricted to the GET, POST, and DELETE methods and with a max age of 3600 seconds.
Repository REST Controller Method CORS Configuration
Spring Data REST fully supports Spring Web MVC’s controller method configuration on custom REST controllers that share repository base paths, as the following example shows:
@RepositoryRestController
public class PersonController {

    @CrossOrigin(maxAge = 3600)
    @RequestMapping(path = "/people/xml/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_XML_VALUE)
    public Person retrieve(@PathVariable Long id) {
        // …
    }
}
Controllers annotated with |
Global CORS Configuration
In addition to fine-grained, annotation-based configuration, you probably want to define some global CORS configuration as well. This is similar to Spring Web MVC’s CORS configuration but can be declared within Spring Data REST and combined with fine-grained @CrossOrigin configuration. By default, all origins and GET, HEAD, and POST methods are allowed.
Existing Spring Web MVC CORS configuration is not applied to Spring Data REST.
The following example sets an allowed origin, adds the PUT and DELETE HTTP methods, adds and exposes some headers, and sets a maximum age of an hour:
@Component
public class SpringDataRestCustomization implements RepositoryRestConfigurer {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config, CorsRegistry cors) {

        cors.addMapping("/person/**")
            .allowedOrigins("http://domain2.example")
            .allowedMethods("PUT", "DELETE")
            .allowedHeaders("header1", "header2", "header3")
            .exposedHeaders("header1", "header2")
            .allowCredentials(false).maxAge(3600);
    }
}
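
To see which cross-origin requests a policy like the one above accepts before deploying it, the same values can be loaded into Spring's CorsConfiguration and evaluated with its own check methods, next to the permissive defaults. This is an added example, not code from the Spring Data REST documentation; it assumes spring-web is on the classpath, and the class name CorsPolicyCheck and the origin http://other.example are constructed for illustration.

```java
import java.util.List;
import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

// Added example: evaluates constructed cross-origin requests against two policies.
public class CorsPolicyCheck {

    // Values copied from the global configuration example on this page.
    static CorsConfiguration restricted() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(List.of("http://domain2.example"));
        c.setAllowedMethods(List.of("PUT", "DELETE"));
        c.setAllowedHeaders(List.of("header1", "header2", "header3"));
        c.setExposedHeaders(List.of("header1", "header2"));
        c.setAllowCredentials(false);
        c.setMaxAge(3600L);
        return c;
    }

    // The permissive defaults: all origins, GET/HEAD/POST methods.
    static CorsConfiguration permissive() {
        return new CorsConfiguration().applyPermitDefaultValues();
    }

    // A preflight passes only if origin, method and requested headers all pass;
    // each check method returns null for a value the configuration rejects.
    static boolean preflightAllowed(CorsConfiguration c, String origin,
                                    HttpMethod method, List<String> headers) {
        return c.checkOrigin(origin) != null
                && c.checkHttpMethod(method) != null
                && c.checkHeaders(headers) != null;
    }

    public static void main(String[] args) {
        // Constructed sample requests; http://other.example is a made-up origin.
        String[] origins = {"http://domain2.example", "http://other.example"};
        for (String origin : origins) {
            System.out.printf("%-24s restricted=%b permissive=%b%n", origin,
                    preflightAllowed(restricted(), origin, HttpMethod.PUT, List.of("header1")),
                    preflightAllowed(permissive(), origin, HttpMethod.POST, List.of("header1")));
        }
        // A method that is in neither the restricted list nor the defaults.
        System.out.println("PATCH under restricted: " + preflightAllowed(
                restricted(), "http://domain2.example", HttpMethod.PATCH, List.of("header1")));
    }
}
```

Running the same checks in a unit test against the values you actually register keeps an accidental fallback to the all-origins default from going unnoticed.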