我试图禁用CORS,因为我得到以下错误:
从原点'https://localhost:3000'获取'https://localhost:9000/api/foo'的访问已被CORS策略阻止:对预飞行请求的响应未通过访问控制检查:请求的资源上不存在'Access- control - allow - origin '标头。如果不透明的响应满足您的需求,请将请求的模式设置为'no-cors'以获取禁用CORS的资源。加载资源失败:net::ERR_FAILED
我希望CORS仅在dev配置文件激活时禁用。我怎样才能做到这一点呢?
我已经试过了:
@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD")
.allowCredentials(true)
.maxAge(3600);
}
}
我认为还有一个类与这个问题有关:
@EnableWebSecurity
public class WebSecurityConf extends WebSecurityConfigurerAdapter {
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOrigins(Arrays.asList(
"https://example1.com:9000",
"https://example2.com:9000",
config.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/api/**", config);
return source;
}
}
用@Profile("dev")
:
@Configuration
@EnableWebMvc
@Profile("dev")
public class DevWebSecurityConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD")
.allowCredentials(true)
.maxAge(3600);
}
}
测试:
class DevWebSecurityConfigTestConfigurationTest {
private static final ApplicationContextRunner runner = new ApplicationContextRunner()
.withConfiguration(AutoConfigurations.of(DevWebSecurityConfig));
@Test
void devProfileSet_devWebSecurityConfigActive() {
runner.withPropertyValues("spring.profiles.active=dev")
.run(context -> assertThat(context).hasSingleBean(DevWebSecurityConfig.class));
}
@ParameterizedTest
@ValueSource(strings = {"default", "prod"})
void devProfileNotSet_devWebSecurityConfigNotActive(final String profile) {
runner.withPropertyValues("spring.profiles.active=" + profile)
.run(context -> assertThat(context).doesNotHaveBean(DevWebSecurityConfig.class));
}
}
在示例代码中添加了一个CorsConfigurationSource
bean。对于这种方法,您可以根据配置文件声明两个bean:
@Profile("!dev")
@Bean
CorsConfigurationSource defaultCorsConfigurationSource() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOrigins(Arrays.asList(
"https://example1.com:9000",
"https://example2.com:9000");
config.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/api/**", config);
return source;
}
@Profile("dev")
@Bean
CorsConfigurationSource devCorsConfigurationSource() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOrigins(Arrays.asList("https://localhost.com:3000");
config.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/api/**", config);
return source;
}
可以对示例测试进行调整,以便您也可以使用bean名称(devCorsConfigurationSource
,defaultCorsConfigurationSource
)来断言bean是否存在。
你应该坚持一种方式:要么使用WebMvcConfigurer
的addCorsMappings
来配置它,要么使用CorsConfigurationSource
bean和HttpSecurity
上的.cors(withDefaults())
设置。