CORS error when using CorsFilter together with Spring Security



I am building an API service with Spring Boot. It uses Basic Auth for authentication. When clients try to connect to the API, they get a CORS error.

The error thrown by Spring Boot:

java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*" since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.

I tried to find an example usage of allowedOriginPatterns but have not found one. Even from its documentation - https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html#allowedOriginPatterns-java.lang.String… I still don't know what pattern I have to put in config.allowedOriginPatterns();

Below is my CorsFilter code:

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class RequestCorsFilter {

    @Bean
    public CorsFilter corsFilter() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        // This combination (credentials + "*" origin) is what triggers the startup error
        config.setAllowCredentials(true);
        config.setAllowedOrigins(Collections.singletonList("*"));
        config.setAllowedHeaders(Arrays.asList("Origin", "Content-Type", "Accept", "responseType", "Authorization"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH"));
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}
```
This is my authentication configuration:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AuthenConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("thor").password("{noop}P@ssw00rd")
            .authorities("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        String[] AUTH_WHITELIST = {
            // -- swagger ui
            "/v2/api-docs",
            "/swagger-resources/**",
            "/configuration/ui",
            "/configuration/security",
            "/swagger-ui.html",
            "/webjars/**"
        };
        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers(AUTH_WHITELIST).permitAll() // whitelisted URLs are permitted
            .antMatchers("/api").authenticated(); // everything else needs auth
    }
}
```

Use config.setAllowedOriginPatterns(Collections.singletonList("*")) instead of config.setAllowedOrigins(Collections.singletonList("*"));

```java
config.setAllowedOrigins(Collections.singletonList("*"));
```

This line has to be changed. You should list all the servers that are allowed to access your application.

For example, you are using Angular, so the front-end dev server is http://localhost:4200. Your server in production is https://you.server.domain.com

Then your configuration list should look like this:

```java
config.setAllowedOrigins(List.of("http://localhost:4200", "https://you.server.domain.com"));
```

If the project uses port 4000, the yml configuration is:

```yaml
allowedOrigins:
  - "http://localhost:4000"
```

http://localhost:4000 replaces *
Spring documentation: https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#cors-configuration

When you want to use the wildcard "*" for your origins:

```java
config.setAllowCredentials(true);
```

remove it.

Q: When allowCredentials is true, allowedOrigins cannot contain the special value, because it cannot

This may help solve the problem: https://chowdera.com/2022/03/202203082045152102.html

Solution: the cross-domain configuration error is fixed by replacing .allowedOrigins with .allowedOriginPatterns.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsConfig {

    private CorsConfiguration buildConfig() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        // corsConfiguration.addAllowedOrigin("*");
        // Cross-domain configuration error: replace .allowedOrigins with .allowedOriginPatterns.
        // Set the origins that are allowed to make cross-domain requests
        corsConfiguration.addAllowedOriginPattern("*");
        corsConfiguration.addAllowedHeader("*");
        // Set allowed methods
        corsConfiguration.addAllowedMethod("*");
        // Whether to allow credentials
        corsConfiguration.setAllowCredentials(true);
        // How long the browser may cache the preflight response
        corsConfiguration.setMaxAge(3600L);
        return corsConfiguration;
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", buildConfig());
        return new CorsFilter(source);
    }
}
```

If you configure it by implementing the WebMvcConfigurer interface instead, modify it as follows:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    /** Enable cross-domain requests */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Set the routes that allow cross-domain requests
        registry.addMapping("/**")
                // Set the origins that are allowed to make cross-domain requests
                // .allowedOrigins("*")
                // Cross-domain configuration error: replace .allowedOrigins with .allowedOriginPatterns.
                .allowedOriginPatterns("*")
                // Whether to allow credentials (cookies)
                .allowCredentials(true)
                // Set allowed methods
                .allowedMethods("*")
                // How long the browser may cache the preflight response
                .maxAge(3600);
    }
}
```
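The explicit allow-list recommended in the answer with http://localhost:4200 above, wired into the Spring Security filter chain through http.cors() instead of a stand-alone CorsFilter bean, as an added example that is not code from any of the posts. It assumes a hypothetical application property app.cors.allowed-origins holding a comma-separated list of origins (the two sample origins from that answer) and the Spring Security 5.x WebSecurityConfigurerAdapter API the question already uses; the class and bean names are my own.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class CorsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical property, e.g. in application.yml:
    //   app.cors.allowed-origins: "http://localhost:4200,https://you.server.domain.com"
    // Spring splits the comma-separated value into a List<String>.
    @Value("${app.cors.allowed-origins}")
    private List<String> allowedOrigins;

    // Bean name "corsConfigurationSource" is what http.cors() looks up by default.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Explicit origins: Spring compares the request's Origin header against this
        // list and echoes only a matching entry, so credentials can be allowed.
        config.setAllowedOrigins(allowedOrigins);
        config.setAllowCredentials(true);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type", "Accept", "Origin"));
        config.setMaxAge(3600L);
        // Fail fast at startup (IllegalArgumentException, the same message as in the
        // question) if "*" ever creeps back into allowedOrigins with credentials on.
        config.validateAllowCredentials();

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Registers Spring Security's CorsFilter ahead of the authentication
            // filters, so OPTIONS preflights are answered before Basic Auth runs and
            // no permitAll() for OPTIONS on every path is needed.
            .cors().and()
            // Kept from the question's configuration: stateless API using Basic Auth
            .csrf().disable()
            .httpBasic().and()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .anyRequest().permitAll();
    }
}
```

Why list origins instead of using the allowedOriginPatterns("*") workaround from the other answers: with a pattern wildcard and allowCredentials(true), Spring reflects whatever Origin the browser sends into Access-Control-Allow-Origin, so any page a logged-in user happens to visit can make credentialed requests to the API and read the responses, which removes the protection CORS exists to provide. An explicit list keeps the startup check meaningful, and validateAllowCredentials() turns a later misconfiguration into a boot-time failure rather than a silently exposed API.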
