Strange “Allow” header in OPTIONS request to CORS-enabled spring boot endpoint

To test this, one can use the sample code from https://spring.io/guides/gs/rest-service-cors/ with no changes.

Here's the output from an OPTIONS request without any CORS headers:

$ curl -X OPTIONS -i http://localhost:8080/greeting
HTTP/1.1 200 
Allow: GET,HEAD,OPTIONS
Content-Length: 0
Date: Wed, 24 Jul 2019 16:45:25 GMT

As expected, the Allow header is correct, as the method is annotated with @GetMapping.

But now let's simulate a CORS preflight OPTIONS request (which is not really necessary for a GET, but that's not the point), adding Origin and Access-Control-Request-Method:

$ curl -X OPTIONS -H'Origin: http://localhost:9000' -H'Access-Control-Request-Method: GET' -i http://localhost:8080/greeting
HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Content-Length: 0
Date: Wed, 24 Jul 2019 16:48:36 GMT

The CORS headers have been correctly included, but note that Allow now lists more methods than actually allowed (and which are indeed not allowed, with or without CORS; a 405 "Method not allowed" error is returned if one tries to POST to that URL).

Even more strange, Access-Control-Allow-Methods correctly lists only GET.

Am I misunderstanding some detail about how CORS should work, or is this a bug in Spring Boot?

Allow

The Allow header lists the set of methods supported by a resource.

Access-Control-Allow-Methods

The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request.

Allow just states which methods are in general supported by the Spring Boot application, while Access-Control-Allow-Methods tells you which methods you have access to.

As @Thomas stated, Allow is a resource response header. So if you look closely at the @RequestMapping properties you will see method : RequestMethod[] https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/bind/annotation/RequestMapping.html#method--

If you go to the RequestMethod docs you will find the following:

Java 5 enumeration of HTTP request methods. Intended for use with the RequestMapping.method() attribute of the RequestMapping annotation. Note that, by default, DispatcherServlet supports GET, HEAD, POST, PUT, PATCH and DELETE only. DispatcherServlet will process TRACE and OPTIONS with the default HttpServlet behavior unless explicitly told to dispatch those request types as well: Check out the "dispatchOptionsRequest" and "dispatchTraceRequest" properties, switching them to "true" if necessary.

So by default @RequestMapping will allow [GET, HEAD, POST, PUT, PATCH, DELETE]. If you want to restrict some resource or method for specific methods you can use

@RequestMapping(method = {RequestMethod.GET,RequestMethod.POST})
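
Added example, not part of the original question or answers: a small script that parses the two responses shown in the question and reports which methods appear only in the preflight Allow header compared with what Access-Control-Allow-Methods grants. The response text is copied from the question with the Date header dropped; the function names are assumptions made for this illustration.

```python
# Responses copied from the question (Date header omitted).
PLAIN_OPTIONS = """\
HTTP/1.1 200
Allow: GET,HEAD,OPTIONS
Content-Length: 0
"""

PREFLIGHT = """\
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 1800
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Content-Length: 0
"""

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def method_set(headers, name):
    """Split a comma-separated, possibly repeated, header into a set of methods."""
    return {m.strip().upper()
            for value in headers.get(name, [])
            for m in value.split(",") if m.strip()}

def compare(plain_raw, preflight_raw):
    """Compare method lists between a plain OPTIONS and a CORS preflight response."""
    plain, pre = parse_headers(plain_raw), parse_headers(preflight_raw)
    allow_plain = method_set(plain, "allow")
    allow_pre = method_set(pre, "allow")
    cors = method_set(pre, "access-control-allow-methods")
    return {
        "cors_allowed": sorted(cors),
        "only_in_preflight_allow": sorted(allow_pre - allow_plain),
        "cors_allowed_but_unmapped": sorted(cors - allow_plain),
    }

if __name__ == "__main__":
    for key, value in compare(PLAIN_OPTIONS, PREFLIGHT).items():
        print(f"{key}: {value}")
```

For cross-origin requests a browser evaluates Access-Control-Allow-Methods from the preflight response, not Allow, so an audit of what an endpoint exposes to other origins should read that header and confirm it against the handler's actual mappings.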


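Notice: technical posts on this site follow the CC BY-SA 4.0 license. If you republish them, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.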
