如果 Spring Boot 项目引入 Spring Security 组件,单独声明 CorsConfigurationSource Bean 并不起作用,这是由于 CORS 预检请求不含 Session ID 而请求首先被 Spring Security 处理并拒绝导致的。
因此,必须明确地配置 Spring Security 跨域参数以便正常处理跨域请求,下面是一个配置示例:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// cors 默认读取名为 corsConfigurationSource Bean 的配置
.cors().and()
...
//其它配置
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}