Introduction to Cross-Origin Requests with Spring MVC and CORS

1. Introduction to CORS

The same-origin policy is the cornerstone of browser security. Under the same-origin policy, AJAX requests cannot be sent between websites of different origins.

To solve this problem, the W3C proposed cross-origin resource sharing (CORS).

CORS does two things:

Based on these two points, CORS divides requests into two categories: simple requests and non-simple requests.

1.1 Simple request

Consider the situation before CORS: across origins, a page could trigger a GET request through a script or image tag, or send a POST request through a form, but neither kind of request could carry any custom fields in the HTTP headers.

A simple request corresponds to these pre-CORS capabilities, so it is defined as follows:

The request method is HEAD, GET or POST, and the HTTP headers do not go beyond the following fields: `Accept`, `Accept-Language`, `Content-Language`, `Last-Event-ID` and `Content-Type` (limited to `application/x-www-form-urlencoded`, `multipart/form-data` and `text/plain`).

For example, there is a simple request:

For such a simple request, CORS's policy is to **add an `Origin` field** to the request headers. After receiving the request, the server decides whether to allow it according to this field.

The browser receives the response before it is handed to the user's script, and decides whether to intercept it according to whether the `Access-Control-Allow-Origin` field is present.

For services that existed before CORS, the impact of CORS falls into two cases:

It can be seen that the emergence of CORS has no impact on the "old" services.

Besides the `Access-Control-Allow-Origin` field mentioned above, several other fields describe the result returned under CORS:

1.2 Non-simple request

Any request that is not a simple request is a non-simple request.

For a cross-origin request that is not a simple request, **the browser sends an `OPTIONS` request** before the real request, which is called a preflight request. The preflight request puts the details of the real request (its request method, custom header fields and origin) into HTTP header fields and asks the server whether such an operation is allowed.

For example, for a DELETE request:

Fields related to CORS are:

When the server receives the request, it needs to verify `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers` respectively. Once verification passes, it adds the following information to the HTTP headers of the response:

They mean:

When the preflight request passes, the browser sends the real request to the server. This is how a cross-origin request is made possible.

Now that we understand CORS, let's build a simple Spring MVC service to see how Spring MVC configures CORS.

2. Build the Spring MVC environment

Open http://start.spring.io/ , add the Web dependency, choose Generate Project, and download the zip file to get a Spring Boot demo.
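
The server-side preflight check described above, as an added example that is not part of the original article and is not Spring's own code. The class name, the allowlist values, the `Access-Control-Max-Age` value and the sample requests are assumptions constructed for illustration; header lookups assume canonical header-name spelling, and Java 9 or later is required.

```java
import java.util.*;

// Added example: allowlists, names and sample requests below are assumptions.
public class PreflightCheck {
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");
    static final Set<String> ALLOWED_METHODS = Set.of("GET", "POST", "DELETE");
    static final Set<String> ALLOWED_HEADERS = Set.of("content-type", "x-requested-with");

    /** Returns the CORS response headers for an OPTIONS preflight, or empty if it is rejected. */
    static Optional<Map<String, String>> evaluate(Map<String, String> req) {
        String origin = req.get("Origin");
        String method = req.get("Access-Control-Request-Method");
        String headers = req.getOrDefault("Access-Control-Request-Headers", "");

        // 1. Origin: exact match against the allowlist, never substring or suffix matching.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) return Optional.empty();
        // 2. Method that the real request intends to use.
        if (method == null || !ALLOWED_METHODS.contains(method)) return Optional.empty();
        // 3. Every custom header the browser announces must be allowed (names are case-insensitive).
        for (String h : headers.split(",")) {
            String name = h.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty() && !ALLOWED_HEADERS.contains(name)) return Optional.empty();
        }

        Map<String, String> resp = new LinkedHashMap<>();
        resp.put("Access-Control-Allow-Origin", origin); // echo the validated origin
        resp.put("Access-Control-Allow-Methods", String.join(", ", new TreeSet<>(ALLOWED_METHODS)));
        resp.put("Access-Control-Allow-Headers", String.join(", ", new TreeSet<>(ALLOWED_HEADERS)));
        resp.put("Access-Control-Max-Age", "600");       // seconds the browser may cache this answer
        resp.put("Vary", "Origin");                      // the response differs per origin
        return Optional.of(resp);
    }

    public static void main(String[] args) {
        // Constructed preflight for a cross-origin DELETE.
        Map<String, String> ok = Map.of(
            "Origin", "https://app.example.com",
            "Access-Control-Request-Method", "DELETE",
            "Access-Control-Request-Headers", "Content-Type, X-Requested-With");
        // Constructed request whose origin only resembles the allowed one.
        Map<String, String> bad = new HashMap<>(ok);
        bad.put("Origin", "https://app.example.com.other.test");

        System.out.println("allowed : " + evaluate(ok));
        System.out.println("rejected: " + evaluate(bad));
    }
}
```

When the result is empty, the server returns the preflight response without any `Access-Control-Allow-*` fields, so the browser never sends the real request.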
