Strange “Allow” header in OPTIONS request to CORS-enabled Spring Boot endpoint
To test this, one can use the sample code from https://spring.io/guides/gs/rest-service-cors/ with no changes.
Here's the output from an OPTIONS request without any CORS headers:
$ curl -X OPTIONS -i http://localhost:8080/greeting
HTTP/1.1 200
Allow: GET,HEAD,OPTIONS
Content-Length: 0
Date: Wed, 24 Jul 2019 16:45:25 GMT
As expected, the Allow header is correct, as the method is annotated with @GetMapping.
But now let's simulate a CORS preflight OPTIONS request (which is not really necessary for a GET, but that's not the point), adding Origin and Access-Control-Request-Method:
$ curl -X OPTIONS -H'Origin: http://localhost:9000' -H'Access-Control-Request-Method: GET' -i http://localhost:8080/greeting
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Content-Length: 0
Date: Wed, 24 Jul 2019 16:48:36 GMT
The CORS headers have been correctly included, but note that Allow now lists more methods than actually allowed (and which are indeed not allowed, with or without CORS; a 405 "Method not allowed" error is returned if one tries to POST to that URL).
Even more strange, Access-Control-Allow-Methods correctly lists only GET.
Am I misunderstanding some detail about how CORS should work, or is this a bug in Spring Boot?
The Allow header lists the set of methods supported by a resource.
Access-Control-Allow-Methods
The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request.
Allow just states which methods are in general supported by the Spring Boot application, while Access-Control-Allow-Methods tells you which methods you have access to.
As @Thomas stated, Allow is a resource response header. So if you look closely at the @RequestMapping properties you will see method : RequestMethod[]
https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/bind/annotation/RequestMapping.html#method--
If you go to the RequestMethod docs you will find the following:
Java 5 enumeration of HTTP request methods. Intended for use with the RequestMapping.method() attribute of the RequestMapping annotation. Note that, by default, DispatcherServlet supports GET, HEAD, POST, PUT, PATCH and DELETE only. DispatcherServlet will process TRACE and OPTIONS with the default HttpServlet behavior unless explicitly told to dispatch those request types as well: Check out the "dispatchOptionsRequest" and "dispatchTraceRequest" properties, switching them to "true" if necessary.
So by default @RequestMapping will allow [GET, HEAD, POST, PUT, PATCH, DELETE]. If you want to restrict some resource or method to specific methods you can use:
@RequestMapping(method = {RequestMethod.GET, RequestMethod.POST})
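As an added example (not part of the question or of either answer), here is a small Python checker that makes the distinction between the two headers concrete: it parses the two OPTIONS responses quoted in the question, extracts the method sets from Allow and Access-Control-Allow-Methods, and reports which methods Allow advertises beyond what the resource really supports and whether the preflight grants anything the resource cannot serve. The sample responses are copied from the question; the "actually supported" set {GET, HEAD, OPTIONS} is an assumption taken from the first (non-CORS) response, and the function and variable names are my own.

```python
"""Compare the Allow header with Access-Control-Allow-Methods in HTTP responses."""
from typing import Dict, List, Set

# Constructed sample input: the two OPTIONS responses quoted in the question.
PLAIN_OPTIONS = """HTTP/1.1 200
Allow: GET,HEAD,OPTIONS
Content-Length: 0
Date: Wed, 24 Jul 2019 16:45:25 GMT
"""

PREFLIGHT_OPTIONS = """HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Content-Length: 0
Date: Wed, 24 Jul 2019 16:48:36 GMT
"""

# Assumed: what the /greeting resource really serves, per the first response.
ACTUALLY_SUPPORTED = {"GET", "HEAD", "OPTIONS"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.1 response head into a lower-cased header map.
    Repeated headers (e.g. the three Vary lines) are kept as a list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():           # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def method_set(headers: Dict[str, List[str]], name: str) -> Set[str]:
    """Split a comma-separated method-list header into an upper-cased set.
    Handles both 'GET,HEAD' and 'GET, HEAD' spellings seen in the question."""
    values = headers.get(name.lower(), [])
    return {m.strip().upper() for v in values for m in v.split(",") if m.strip()}


def compare_method_headers(raw: str, actual: Set[str]) -> Dict[str, Set[str]]:
    """Return the two method sets plus the discrepancies a reviewer cares about:
    - over_advertised: methods Allow lists that the resource does not support
      (harmless for CORS, but misleading to clients and to API scanners)
    - cors_not_supported: methods the preflight grants that would only 405 anyway
    """
    headers = parse_headers(raw)
    allow = method_set(headers, "Allow")
    cors_methods = method_set(headers, "Access-Control-Allow-Methods")
    return {
        "allow": allow,
        "cors_methods": cors_methods,
        "over_advertised": allow - actual,
        "cors_not_supported": cors_methods - actual,
    }


if __name__ == "__main__":
    for label, raw in (("plain OPTIONS", PLAIN_OPTIONS), ("CORS preflight", PREFLIGHT_OPTIONS)):
        result = compare_method_headers(raw, ACTUALLY_SUPPORTED)
        print(f"{label}: Allow={sorted(result['allow'])} "
              f"CORS={sorted(result['cors_methods'])} "
              f"over-advertised={sorted(result['over_advertised'])} "
              f"cors-not-supported={sorted(result['cors_not_supported'])}")
```

Running it against the question's own responses shows the point of the accepted answers: the preflight's Access-Control-Allow-Methods is exactly {GET} and grants nothing the resource cannot serve, while Allow in the preflight response over-advertises POST, PUT, DELETE and PATCH, which is the DispatcherServlet default set rather than the handler's @GetMapping. The same check can be pointed at captured responses from any endpoint to confirm that what CORS grants never exceeds what the resource actually accepts.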