spring引导科尔斯”allowcredentials=false'不起作用

h9a6wy2h  于 2021-08-25  发布在  Java
关注(0)|答案(1)|浏览(400)

我在spring boot(2.4.4)应用程序中有了下一个cors配置:

@Configuration
public class CORSConfiguration {
    @Bean
    public WebMvcConfigurer cors() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**").allowedOrigins("*");
            }
        };
    }
}

在某个时间点,我开始出现下一个异常:

java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*" since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.

之后,我根据答案修复了我的配置:

registry.addMapping("/**").allowedOriginPatterns("*");

在那之后,cors的问题就消失了。据我所知,我不能使用 allowedOrigins("*") 具有 allowCredentials(true) . 好的,很清楚。但我没有补充 allowCredentials(true) 在我的代码中。这可能是默认值(?)。
然后我决定用下一种方式编写配置:

registry.addMapping("/**").allowCredentials(false).allowedOrigins("*");

cors和异常的问题又回来了。为什么要装Spring allowCredentials(true) 尽管我将以下值指定为 allowCredentials(false) . 我怎么了?或者为什么spring会覆盖 allowCredentials 在某些情况下?
我失败的cors请求
请求标头:

OPTIONS /list/1054/participant-list/info HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type
Referer: http://localhost:13000/
Origin: http://localhost:13000
Connection: keep-alive

响应标题:

HTTP/1.1 500 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,POST
Access-Control-Allow-Headers: content-type
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length: 0
Date: Tue, 06 Jul 2021 14:15:16 GMT
Connection: close
csbfibhn

csbfibhn1#

尝试此操作,确保添加客户端的正确来源,并将所需的允许方法放在那里。我只是随便放在那里

public void addCorsMappings(CorsRegistry registry) {
         registry.addMapping("/**")
                .allowedOrigins("http://localhost:13000")              
     .allowedMethods("HEAD","GET","POST","PUT","DELETE","PATCH").allowedHeaders("*");       
}

相关问题