/**
 * Permits the given HTTP method for cross-origin requests.
 *
 * <p>Delegates to the {@code String} overload, passing {@code method.name()}.
 *
 * @param method the HTTP method to allow
 */
public void addAllowedMethod(HttpMethod method) {
    String methodName = method.name();
    addAllowedMethod(methodName);
}
/**
 * Permits the given HTTP method for cross-origin requests.
 *
 * <p>Delegates to the {@code String} overload, passing {@code method.name()}.
 *
 * @param method the HTTP method to allow
 */
public void addAllowedMethod(HttpMethod method) {
    String methodName = method.name();
    addAllowedMethod(methodName);
}
/**
 * Builds the CORS policy for a request, or returns {@code null} when none applies.
 *
 * <p>A policy is produced only when CORS is not suppressed on this instance and
 * {@code CorsUtils.isCorsRequest} reports the request as a CORS request. The policy
 * copies this instance's allowed origins, permits every method and header, enables
 * credentials and sets the max age to {@code ONE_YEAR}.
 *
 * @param request the incoming servlet request
 * @return the policy to apply, or {@code null} when the request needs no CORS handling
 */
@Override
@Nullable
public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
    if (this.suppressCors || !CorsUtils.isCorsRequest(request)) {
        return null;
    }
    CorsConfiguration corsPolicy = new CorsConfiguration();
    // Defensive copy, so later changes to the policy do not touch this.allowedOrigins.
    corsPolicy.setAllowedOrigins(new ArrayList<>(this.allowedOrigins));
    corsPolicy.addAllowedMethod("*");
    // NOTE(review): credentials are enabled while every method and header is allowed,
    // so the origin list is the only restriction left. Confirm allowedOrigins is a
    // fixed allow-list of trusted origins and can never contain "*".
    corsPolicy.setAllowCredentials(true);
    // ONE_YEAR is defined outside this snippet; a long max age means a tightened
    // policy can take a while to reach clients that cached the preflight result.
    corsPolicy.setMaxAge(ONE_YEAR);
    corsPolicy.addAllowedHeader("*");
    return corsPolicy;
}
/**
 * Creates a CORS policy that accepts any origin, any request header and any HTTP method.
 *
 * <p>Credentials are not enabled in this method. A wildcard origin is appropriate only
 * for endpoints that return the same data to every caller; anything that depends on who
 * is calling should list its trusted origins explicitly instead.
 *
 * @return the fully open policy
 */
private CorsConfiguration buildConfig() {
    CorsConfiguration openPolicy = new CorsConfiguration();
    // 1. Allowed source origins: any.
    openPolicy.addAllowedOrigin("*");
    // 2. Allowed request headers: any.
    openPolicy.addAllowedHeader("*");
    // 3. Allowed request methods: any.
    openPolicy.addAllowedMethod("*");
    return openPolicy;
}
/**
 * Registers a servlet {@code CorsFilter} that applies a single CORS policy to every path.
 */
@Configuration
public class RestConfiguration {

    /**
     * Builds the filter: credentials enabled, any origin, any header, methods GET and PUT,
     * registered under the {@code /**} path pattern.
     *
     * @return the CORS filter bean
     */
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration policy = new CorsConfiguration();
        // NOTE(review): allowCredentials(true) together with the "*" origin is the
        // combination to avoid. Depending on the Spring version it is either rejected
        // when a request is processed, or the caller's Origin is echoed back with
        // credentials allowed, which lets any website read authenticated responses.
        // Replace "*" with the explicit list of trusted origins, or drop credentials.
        policy.setAllowCredentials(true);
        policy.addAllowedOrigin("*");
        policy.addAllowedHeader("*");
        policy.addAllowedMethod("GET");
        policy.addAllowedMethod("PUT");

        UrlBasedCorsConfigurationSource pathPolicies = new UrlBasedCorsConfigurationSource();
        pathPolicies.registerCorsConfiguration("/**", policy);
        return new CorsFilter(pathPolicies);
    }
}
/**
 * Pins what {@code checkHttpMethod} returns as methods are added to the configuration.
 */
@Test
public void checkMethodAllowed() {
    CorsConfiguration cors = new CorsConfiguration();

    // Nothing configured yet: a GET check yields GET and HEAD.
    assertEquals(Arrays.asList(HttpMethod.GET, HttpMethod.HEAD),
            cors.checkHttpMethod(HttpMethod.GET));

    // Once a method is named explicitly, only the named methods are returned.
    cors.addAllowedMethod("GET");
    assertEquals(Arrays.asList(HttpMethod.GET),
            cors.checkHttpMethod(HttpMethod.GET));

    // The full allowed list comes back whichever allowed method is checked.
    cors.addAllowedMethod("POST");
    assertEquals(Arrays.asList(HttpMethod.GET, HttpMethod.POST),
            cors.checkHttpMethod(HttpMethod.GET));
    assertEquals(Arrays.asList(HttpMethod.GET, HttpMethod.POST),
            cors.checkHttpMethod(HttpMethod.POST));
}
// Allow this method for cross-origin requests, identified by method.name().
// (`config` and `method` are declared outside this snippet.)
config.addAllowedMethod(method.name());
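/**
 * Filter that allows cross-origin calls.
 *
 * <p>Applies one policy to every path ({@code /**}): any origin, any header, any method,
 * with credentials enabled.
 *
 * @return the CORS filter bean
 */
@Bean
public CorsFilter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    // NOTE(review): a "*" origin combined with allowCredentials(true) is the combination
    // to avoid. Depending on the Spring version it is either rejected when a request is
    // processed, or the caller's Origin is echoed back with credentials allowed, which
    // lets any website read authenticated responses. List the trusted origins
    // explicitly, or drop credentials.
    config.addAllowedOrigin("*");
    config.setAllowCredentials(true);
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");
    source.registerCorsConfiguration("/**", config);
    // No filter order is set here: this method returns the CorsFilter itself, so an
    // explicit order would need a bean method that returns a FilterRegistrationBean.
    // The registration bean the previous body built was never returned and had no effect.
    return new CorsFilter(source);
}
}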
// Allow this method for cross-origin requests, identified by method.name().
// (`config` and `method` are declared outside this snippet.)
config.addAllowedMethod(method.name());
/**
 * Derives the CORS configuration for a handler method from {@code @CrossOrigin}
 * declared on its bean type and on the method itself.
 *
 * <p>The type-level annotation is applied first and the method-level one second. When
 * neither sets allowed methods, the HTTP methods of the request mapping are used.
 * Whatever is still unset afterwards is filled in by {@code applyPermitDefaultValues()}.
 *
 * @param handler the handler object or bean name
 * @param method the handler method
 * @param mappingInfo the request mapping the method is registered under
 * @return the resulting configuration, or {@code null} when no {@code @CrossOrigin} is present
 */
@Override
protected CorsConfiguration initCorsConfiguration(Object handler, Method method, RequestMappingInfo mappingInfo) {
    HandlerMethod resolvedHandler = createHandlerMethod(handler, method);
    Class<?> controllerType = resolvedHandler.getBeanType();
    CrossOrigin onType = AnnotatedElementUtils.findMergedAnnotation(controllerType, CrossOrigin.class);
    CrossOrigin onMethod = AnnotatedElementUtils.findMergedAnnotation(method, CrossOrigin.class);

    boolean annotated = (onType != null || onMethod != null);
    if (!annotated) {
        return null;
    }

    CorsConfiguration corsConfig = new CorsConfiguration();
    updateCorsConfig(corsConfig, onType);
    updateCorsConfig(corsConfig, onMethod);

    // No methods from the annotations: fall back to the methods the mapping declares.
    if (CollectionUtils.isEmpty(corsConfig.getAllowedMethods())) {
        for (RequestMethod mappedMethod : mappingInfo.getMethodsCondition().getMethods()) {
            corsConfig.addAllowedMethod(mappedMethod.name());
        }
    }

    // NOTE(review): the permit defaults are permissive, so an annotation that names no
    // origins presumably ends up allowing any origin. updateCorsConfig is not shown
    // here; confirm against it.
    return corsConfig.applyPermitDefaultValues();
}
/**
 * Derives the CORS configuration for a handler method from {@code @CrossOrigin}
 * declared on its bean type and on the method itself.
 *
 * <p>The type-level annotation is applied first and the method-level one second. When
 * neither sets allowed methods, the HTTP methods of the request mapping are used.
 * Whatever is still unset afterwards is filled in by {@code applyPermitDefaultValues()}.
 *
 * @param handler the handler object or bean name
 * @param method the handler method
 * @param mappingInfo the request mapping the method is registered under
 * @return the resulting configuration, or {@code null} when no {@code @CrossOrigin} is present
 */
@Override
protected CorsConfiguration initCorsConfiguration(Object handler, Method method, RequestMappingInfo mappingInfo) {
    HandlerMethod resolvedHandler = createHandlerMethod(handler, method);
    Class<?> controllerType = resolvedHandler.getBeanType();
    CrossOrigin onType = AnnotatedElementUtils.findMergedAnnotation(controllerType, CrossOrigin.class);
    CrossOrigin onMethod = AnnotatedElementUtils.findMergedAnnotation(method, CrossOrigin.class);

    boolean annotated = (onType != null || onMethod != null);
    if (!annotated) {
        return null;
    }

    CorsConfiguration corsConfig = new CorsConfiguration();
    updateCorsConfig(corsConfig, onType);
    updateCorsConfig(corsConfig, onMethod);

    // No methods from the annotations: fall back to the methods the mapping declares.
    if (CollectionUtils.isEmpty(corsConfig.getAllowedMethods())) {
        for (RequestMethod mappedMethod : mappingInfo.getMethodsCondition().getMethods()) {
            corsConfig.addAllowedMethod(mappedMethod.name());
        }
    }

    // NOTE(review): the permit defaults are permissive, so an annotation that names no
    // origins presumably ends up allowing any origin. updateCorsConfig is not shown
    // here; confirm against it.
    return corsConfig.applyPermitDefaultValues();
}
/**
 * Pins that values added after {@code applyPermitDefaultValues()} are appended to the
 * defaults rather than replacing them.
 *
 * <p>Worth knowing when reading a configuration: adding one explicit origin on top of the
 * permit defaults leaves {@code "*"} in the origin list, so the list is not narrowed.
 */
@Test // SPR-15772
public void changePermitDefaultValues() {
    CorsConfiguration cors = new CorsConfiguration().applyPermitDefaultValues();

    cors.addAllowedOrigin("http://domain.com");
    cors.addAllowedHeader("header1");
    cors.addAllowedMethod("PATCH");

    assertEquals(Arrays.asList("*", "http://domain.com"), cors.getAllowedOrigins());
    assertEquals(Arrays.asList("*", "header1"), cors.getAllowedHeaders());
    assertEquals(Arrays.asList("GET", "HEAD", "POST", "PATCH"), cors.getAllowedMethods());
}
/**
 * Pins that an explicit {@code "*"} wins when two configurations are combined,
 * whichever side of {@code combine} carries it.
 *
 * <p>Combining a narrow policy with a wildcard one therefore never narrows the result.
 */
@Test
public void combineWithAsteriskWildCard() {
    CorsConfiguration wildcard = new CorsConfiguration();
    wildcard.addAllowedOrigin("*");
    wildcard.addAllowedHeader("*");
    wildcard.addAllowedMethod("*");

    CorsConfiguration specific = new CorsConfiguration();
    specific.addAllowedOrigin("http://domain.com");
    specific.addAllowedHeader("header1");
    specific.addExposedHeader("header2");
    specific.addAllowedMethod(HttpMethod.PUT.name());

    // Wildcard on the receiver side.
    CorsConfiguration merged = wildcard.combine(specific);
    assertEquals(Arrays.asList("*"), merged.getAllowedOrigins());
    assertEquals(Arrays.asList("*"), merged.getAllowedHeaders());
    assertEquals(Arrays.asList("*"), merged.getAllowedMethods());

    // Wildcard on the argument side.
    merged = specific.combine(wildcard);
    assertEquals(Arrays.asList("*"), merged.getAllowedOrigins());
    assertEquals(Arrays.asList("*"), merged.getAllowedHeaders());
    assertEquals(Arrays.asList("*"), merged.getAllowedMethods());
}
/**
 * Pins that each setter or adder is reflected by the matching getter.
 */
@Test
public void setValues() {
    CorsConfiguration cors = new CorsConfiguration();

    cors.addAllowedOrigin("*");
    assertEquals(Arrays.asList("*"), cors.getAllowedOrigins());

    cors.addAllowedHeader("*");
    assertEquals(Arrays.asList("*"), cors.getAllowedHeaders());

    cors.addAllowedMethod("*");
    assertEquals(Arrays.asList("*"), cors.getAllowedMethods());

    // Exposed headers keep insertion order.
    cors.addExposedHeader("header1");
    cors.addExposedHeader("header2");
    assertEquals(Arrays.asList("header1", "header2"), cors.getExposedHeaders());

    cors.setAllowCredentials(true);
    assertTrue(cors.getAllowCredentials());

    cors.setMaxAge(123L);
    assertEquals(new Long(123), cors.getMaxAge());
}
/**
 * Pins that {@code combine} does not repeat entries present in both configurations.
 */
@Test // SPR-14792
public void combineWithDuplicatedElements() {
    CorsConfiguration base = new CorsConfiguration();
    base.addAllowedOrigin("http://domain1.com");
    base.addAllowedOrigin("http://domain2.com");
    base.addAllowedHeader("header1");
    base.addAllowedHeader("header2");
    base.addExposedHeader("header3");
    base.addExposedHeader("header4");
    base.addAllowedMethod(HttpMethod.GET.name());
    base.addAllowedMethod(HttpMethod.PUT.name());

    // Every value in the second configuration already exists in the first.
    CorsConfiguration overlapping = new CorsConfiguration();
    overlapping.addAllowedOrigin("http://domain1.com");
    overlapping.addAllowedHeader("header1");
    overlapping.addExposedHeader("header3");
    overlapping.addAllowedMethod(HttpMethod.GET.name());

    CorsConfiguration merged = base.combine(overlapping);

    assertEquals(Arrays.asList("http://domain1.com", "http://domain2.com"),
            merged.getAllowedOrigins());
    assertEquals(Arrays.asList("header1", "header2"), merged.getAllowedHeaders());
    assertEquals(Arrays.asList("header3", "header4"), merged.getExposedHeaders());
    assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()),
            merged.getAllowedMethods());
}
/**
 * Pins that combining with an empty configuration leaves every property unchanged.
 */
@Test
public void combineWithNullProperties() {
    CorsConfiguration populated = new CorsConfiguration();
    populated.addAllowedOrigin("*");
    populated.addAllowedHeader("header1");
    populated.addExposedHeader("header3");
    populated.addAllowedMethod(HttpMethod.GET.name());
    populated.setMaxAge(123L);
    populated.setAllowCredentials(true);

    // The other side has nothing set.
    CorsConfiguration empty = new CorsConfiguration();
    populated = populated.combine(empty);

    assertEquals(Arrays.asList("*"), populated.getAllowedOrigins());
    assertEquals(Arrays.asList("header1"), populated.getAllowedHeaders());
    assertEquals(Arrays.asList("header3"), populated.getExposedHeaders());
    assertEquals(Arrays.asList(HttpMethod.GET.name()), populated.getAllowedMethods());
    assertEquals(new Long(123), populated.getMaxAge());
    assertTrue(populated.getAllowCredentials());
}
/**
 * Pins how {@code combine} merges two fully populated configurations: list-valued
 * properties are concatenated, receiver first, while max age and the credentials flag
 * are taken from the argument.
 */
@Test
public void combine() {
    CorsConfiguration first = new CorsConfiguration();
    first.addAllowedOrigin("http://domain1.com");
    first.addAllowedHeader("header1");
    first.addExposedHeader("header3");
    first.addAllowedMethod(HttpMethod.GET.name());
    first.setMaxAge(123L);
    first.setAllowCredentials(true);

    CorsConfiguration second = new CorsConfiguration();
    second.addAllowedOrigin("http://domain2.com");
    second.addAllowedHeader("header2");
    second.addExposedHeader("header4");
    second.addAllowedMethod(HttpMethod.PUT.name());
    second.setMaxAge(456L);
    second.setAllowCredentials(false);

    first = first.combine(second);

    assertEquals(Arrays.asList("http://domain1.com", "http://domain2.com"),
            first.getAllowedOrigins());
    assertEquals(Arrays.asList("header1", "header2"), first.getAllowedHeaders());
    assertEquals(Arrays.asList("header3", "header4"), first.getExposedHeaders());
    assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()),
            first.getAllowedMethods());
    // Scalar properties: the argument's values win.
    assertEquals(new Long(456), first.getMaxAge());
    assertFalse(first.getAllowCredentials());
}
/**
 * Pins how permit defaults behave under {@code combine}: explicit values from the other
 * configuration replace the defaults in either direction, and the defaults survive only
 * when the other configuration is empty.
 */
@Test // SPR-15772
public void combineWithDefaultPermitValues() {
    CorsConfiguration permitDefaults = new CorsConfiguration().applyPermitDefaultValues();

    CorsConfiguration explicit = new CorsConfiguration();
    explicit.addAllowedOrigin("http://domain.com");
    explicit.addAllowedHeader("header1");
    explicit.addAllowedMethod(HttpMethod.PUT.name());

    // Defaults on the receiver side: the explicit values replace them.
    CorsConfiguration merged = permitDefaults.combine(explicit);
    assertEquals(Arrays.asList("http://domain.com"), merged.getAllowedOrigins());
    assertEquals(Arrays.asList("header1"), merged.getAllowedHeaders());
    assertEquals(Arrays.asList(HttpMethod.PUT.name()), merged.getAllowedMethods());

    // Defaults on the argument side: same outcome.
    merged = explicit.combine(permitDefaults);
    assertEquals(Arrays.asList("http://domain.com"), merged.getAllowedOrigins());
    assertEquals(Arrays.asList("header1"), merged.getAllowedHeaders());
    assertEquals(Arrays.asList(HttpMethod.PUT.name()), merged.getAllowedMethods());

    // Against an empty configuration the defaults are kept.
    // NOTE(review): the origin and header assertions in the next two groups read the
    // defaults object itself, not the combined result; only the method assertion checks
    // the combination. Confirm whether that is intended.
    merged = permitDefaults.combine(new CorsConfiguration());
    assertEquals(Arrays.asList("*"), permitDefaults.getAllowedOrigins());
    assertEquals(Arrays.asList("*"), permitDefaults.getAllowedHeaders());
    assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name()),
            merged.getAllowedMethods());

    merged = new CorsConfiguration().combine(permitDefaults);
    assertEquals(Arrays.asList("*"), permitDefaults.getAllowedOrigins());
    assertEquals(Arrays.asList("*"), permitDefaults.getAllowedHeaders());
    assertEquals(Arrays.asList(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name()),
            merged.getAllowedMethods());
}
/**
 * Pins the response to a valid preflight request under a wildcard-origin policy with
 * no credentials flag and no max age configured.
 *
 * @throws Exception if request processing fails
 */
@Test
public void preflightRequestValidRequestAndConfig() throws Exception {
    // Policy: any origin, methods GET and PUT, two allowed headers.
    this.conf.addAllowedOrigin("*");
    this.conf.addAllowedMethod("GET");
    this.conf.addAllowedMethod("PUT");
    this.conf.addAllowedHeader("header1");
    this.conf.addAllowedHeader("header2");

    // Preflight: OPTIONS carrying Origin plus the requested method and header.
    this.request.setMethod(HttpMethod.OPTIONS.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");

    this.processor.processRequest(this.conf, this.request, this.response);

    // The literal "*" is returned as the allowed origin.
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
    assertEquals("GET,PUT", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
    // No max age was configured, so the header is absent.
    assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
    // Vary lists the request headers the response depends on.
    assertThat(this.response.getHeaders(HttpHeaders.VARY),
            contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD,
                    HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}
/**
 * Pins the response to a valid preflight exchange under a wildcard-origin policy with
 * no credentials flag and no max age configured.
 *
 * @throws Exception if processing fails
 */
@Test
public void preflightRequestValidRequestAndConfig() throws Exception {
    // Policy: any origin, methods GET and PUT, two allowed headers.
    this.conf.addAllowedOrigin("*");
    this.conf.addAllowedMethod("GET");
    this.conf.addAllowedMethod("PUT");
    this.conf.addAllowedHeader("header1");
    this.conf.addAllowedHeader("header2");

    // Preflight exchange carrying the requested method and header.
    ServerWebExchange preflight = MockServerWebExchange.from(preFlightRequest()
            .header(ACCESS_CONTROL_REQUEST_METHOD, "GET")
            .header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));

    this.processor.process(this.conf, preflight);

    ServerHttpResponse reply = preflight.getResponse();
    // The literal "*" is returned as the allowed origin.
    assertTrue(reply.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("*", reply.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(reply.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
    assertEquals("GET,PUT", reply.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
    // No max age was configured, so the header is absent.
    assertFalse(reply.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
    // Vary lists the request headers the response depends on.
    assertThat(reply.getHeaders().get(VARY),
            contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS));
    // The processor leaves the status code unset on success.
    assertNull(reply.getStatusCode());
}