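java - How to fix: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin'?
Problem description
I always run into this on the front end. It says: Access to XMLHttpRequest at 'api/abc/xyz' from origin 'localhost://2800/api/abc/xyz' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.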
I tried adding this to the back end:
```java
http.authorizeRequests()
    .antMatchers(HttpMethod.OPTIONS).permitAll()
    .anyRequest().authenticated();
```
And my front-end AJAX call to the API:
```javascript
$.ajax({
    'type': 'GET',
    'url': '/api/vessel/?vesselId=' + $('#vessel_id').val() + '&page=1&size=100',
    'headers': {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": `Bearer ${session}`
    },
    success: function(response) { console.log(response); }
});
```
But after that I still get that error.
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Disable CSRF (cross site request forgery)
    http.csrf().disable();
    // No session will be created or used by spring security
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // Entry points
    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS).permitAll()
        // Disallow everything else..
        .anyRequest().authenticated();
    // If a user tries to access a resource without having enough permissions
    //http.exceptionHandling().accessDeniedPage("/login");
    // Apply JWT
    http.apply(new JwtTokenFilterConfigurer(jwtTokenProvider));
    // Optional, if you want to test the API from a browser
    // http.httpBasic();
}
```
Solution
You have to configure CORS. Add the following class to your project. You can change these settings according to your requirements.
WebConfig.java
```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@Configuration
@EnableWebMvc
public class WebConfig implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        System.out.println("WebConfig; " + request.getRequestURI());
        // CORS headers sent on every response.
        // Browsers reject a wildcard origin on credentialed requests (cookies, HTTP auth),
        // so "*" combined with Allow-Credentials: true only works for non-credentialed calls.
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With,observe");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Expose-Headers", "Authorization");
        response.addHeader("Access-Control-Expose-Headers", "responseType");
        response.addHeader("Access-Control-Expose-Headers", "observe");
        System.out.println("Request Method: " + request.getMethod());
        if (!(request.getMethod().equalsIgnoreCase("OPTIONS"))) {
            // Actual request: pass it down the filter chain
            try {
                chain.doFilter(req, res);
            } catch (Exception e) {
                e.printStackTrace();
            }
        } else {
            // Preflight request: answer it here with 200 and do not continue the chain
            System.out.println("Pre-flight");
            response.setHeader("Access-Control-Allow-Origin", "*");
            response.setHeader("Access-Control-Allow-Methods", "POST,GET,DELETE,PUT");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Headers", "Access-Control-Expose-Headers, Authorization, content-type, " +
                    "access-control-request-headers,access-control-request-method,accept,origin,authorization,x-requested-with,responseType,observe");
            response.setStatus(HttpServletResponse.SC_OK);
        }
    }
}
```
```java
// In the class that extends WebSecurityConfigurerAdapter:
@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers(HttpMethod.OPTIONS, "/**");
    //URL you want to ignore
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    // Disable CSRF (cross site request forgery)
    http.csrf().disable();
    // No session will be created or used by spring security
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // Entry points
    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        // Disallow everything else..
        .anyRequest().authenticated();
    // If a user tries to access a resource without having enough permissions
    //http.exceptionHandling().accessDeniedPage("/login");
    // Apply JWT
    http.apply(new JwtTokenFilterConfigurer(jwtTokenProvider));
    // Optional, if you want to test the API from a browser
    // http.httpBasic();
}
```
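An origin-allowlist alternative to the wildcard filter above, as an added example that is not part of the original answer: it uses Spring's built-in CORS support through `http.cors()`, which answers preflight requests before authentication runs. The origin `http://localhost:2800`, the `/api/**` path pattern and the class names `CorsAllowlistConfig` and `ApiSecurityConfig` are assumptions; in the asker's project the `http.cors()` call would go into the existing `configure(HttpSecurity)` next to the JWT configurer.

```java
import java.util.Arrays;
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsAllowlistConfig {
    // Assumed front-end origin (scheme://host:port); replace with the real one.
    private static final String FRONTEND_ORIGIN = "http://localhost:2800";

    // http.cors() looks up a CorsConfigurationSource bean named "corsConfigurationSource".
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origin instead of "*": only this front end may read API responses.
        config.setAllowedOrigins(Collections.singletonList(FRONTEND_ORIGIN));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "Accept", "X-Requested-With"));
        config.setExposedHeaders(Collections.singletonList("Authorization"));
        // The API authenticates with a Bearer token header, so cookies are not needed.
        config.setAllowCredentials(false);
        config.setMaxAge(3600L); // browsers may cache the preflight result for one hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config); // assumed API path prefix
        return source;
    }
}

// Stand-in for the project's own security configuration (hypothetical class name).
@EnableWebSecurity
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Adds Spring's CorsFilter early in the chain, so OPTIONS preflights get their
        // CORS headers without a separate permitAll() or ignoring() rule.
        http.cors();
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests().anyRequest().authenticated();
        // The JWT configurer from the question would still be applied here.
    }
}
```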