Spring Boot CORS配置

最新推荐文章于 2025-05-20 10:33:08 发布

嘿嘿不错

最新推荐文章于 2025-05-20 10:33:08 发布

阅读量5.6k

点赞数

CC 4.0 BY-SA版权

分类专栏： spring 文章标签： spring spring-boo cors

本文链接：https://blog.youkuaiyun.com/ACMer_AK/article/details/78960164

spring 专栏收录该内容

20 篇文章

订阅专栏

本文介绍了在Spring Boot中配置CORS的两种方法，包括不依赖额外包的配置和使用特定依赖包的设置，适用于不同场景的需求。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

不依赖`spring-boot-starter-security`包

  @Bean
  CorsConfigurationSource corsConfigurationSource() {
      CorsConfiguration configuration = new CorsConfiguration();
      configuration.setAllowedOrigins(Arrays.asList("http://localhost:63342"));
      configuration.setAllowedMethods(Arrays.asList("GET","POST", "PUT", "DELETE"));
      // 如果所有的属性不全部配置，一定要执行该方法
      configuration.applyPermitDefaultValues();

      UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
      source.registerCorsConfiguration("/**", configuration);
      return source;
  }

  @Bean
  CorsFilter corsFilter(CorsConfigurationSource corsConfigurationSource) {
      CorsFilter corsFilter = new CorsFilter(corsConfigurationSource);
      return corsFilter;
  }

依赖`spring-boot-starter-security`包

@SpringBootApplication
public class AuthorityManagementApplication extends WebSecurityConfigurerAdapter {
    public static void main(String[] args) {
        SpringApplication.run(AuthorityManagementApplication.class, args);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /**
         * CORS 必须在Security之前处理
         * 原因：这个 pre-flight 请求不会包含任何cookies，如果请求不包括任何cookies和Security先处理的话，那么这个请求会被拒绝
         * 官方地址：https://docs.spring.io/spring-security/site/docs/5.0.0.RELEASE/reference/htmlsingle/#cors
         * CORS must be processed before Spring Security because the pre-flight request will not contain any cookies (i.e. the JSESSIONID).
         * If the request does not contain any cookies and Spring Security is first,
         * the request will determine the user is not authenticated (since there are no cookies in the request) and reject it.
         */
        http.cors();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://localhost:63342"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST", "PUT", "DELETE"));
        // 如果所有的属性不全部配置，一定要执行该方法
        configuration.applyPermitDefaultValues();

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

在两种情况中，都可以

@SpringBootApplication
public class AuthorityManagementApplication extends WebMvcConfigurerAdapter {
    public static void main(String[] args) {
        SpringApplication.run(AuthorityManagementApplication.class, args);
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        super.addCorsMappings(registry);
        registry.addMapping("/**")
                .allowedOrigins("http://localhost:63342")
                .allowedMethods("GET","POST","PUT","DELETE");
        /**
         * 不用调用手动调用applyPermitDefaultValues()
         * 首先：创建CorsRegistration
         * public CorsRegistration addMapping(String pathPattern) {
         *     CorsRegistration registration = new CorsRegistration(pathPattern);
         *     this.registrations.add(registration);
         *     return registration;
         * }
         * 其次：构造函数中自动调用了applyPermitDefaultValues
         * public CorsRegistration(String pathPattern) {
         *     this.pathPattern = pathPattern;
         *     this.config = new CorsConfiguration().applyPermitDefaultValues();
         * }
         */
    }
}