如CORS preflight request fails due to a standard header所述,如果您发送请求到OPTIONS端点并设置了Origin和Access-Control-Request-Method标头,那么它们将被Spring框架拦截,并且您的方法不会被执行。可接受的解决方案是使用@CrossOrigin注释来阻止Spring返回403。但是,我使用Swagger Codegen生成了我的API代码,因此我只是想禁用此功能并手动实施我的OPTIONS响应。你能完全禁用Spring中的CORS支持吗?
那么你能否在春季禁用CORS拦截?
尝试添加以下过滤器(对于你自己支持的需求和方法,你可以自定义):
@Component
public class CorsFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException {
response.addHeader("Access-Control-Allow-Origin", "*");
response.addHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, PATCH, HEAD");
response.addHeader("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
response.addHeader("Access-Control-Expose-Headers", "Access-Control-Allow-Origin, Access-Control-Allow-Credentials");
response.addHeader("Access-Control-Allow-Credentials", "true");
response.addIntHeader("Access-Control-Max-Age", 10);
filterChain.doFilter(request, response);
}
}
从他们documentation:
如果使用了Spring Web MVC
@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
}
}
如果您使用的是Spring Boot:
@Configuration
public class MyConfiguration {
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
}
};
}
}
Yuriy Yunikov的答案也是正确的。但我不喜欢“自定义”过滤器。
如果您有Spring Web Security导致您遇到问题。检查this SO答案。