Cross-domain problem is a very common problem in the project of front and back end separation. For example, the front-end service of codingmore learning website runs under port 8080 and the back-end service runs under port 9002, so the cross-domain problem will occur when the front-end requests the back-end interface.
403 Forbidden Is a Status Code in the HTTP protocol. It means that although the back-end service successfully parses the request, the front-end service does not have the permission to access the resource.
So how do you solve this problem? There are two general ideas:
- The front-end uses Nodejs proxies (Nginx can be used instead in development environments or production environments)
- Or enable cross-domain resource sharing on the backend
First, about cross-domain
Cross-domain is a bit of a sticking plaster for front and back end developers, both in interviews and during development.
The cross-domain problem occurs because the browser’s same-origin policy prevents documents or scripts loaded from the same source from interacting with resources from another source in order to isolate potentially malicious files and defend against malicious attacks.
As mentioned earlier, the front-end server runs under port 8080 and the back-end server runs under port 9002. In this case, the source is different (domain name, protocol, and port). Therefore, when the front-end server of port 8080 requests to directly access the back-end port of port 9002, the access fails.
So what’s the right way to open it? As we mentioned earlier, the front-end uses the Nodejs proxy or the back-end to enable cross-domain resource sharing, so let’s do this one by one.
Nodejs proxy
Before Nodejs, javascripts were typically executed on the user’s browser, but with Node.js, JavaScript can be used for server-side programming as well. Nodejs is a series of built-in modules that allow applications to be executed as separate servers from Web services such as IIS and Apache.
The idea of using Nodejs to solve the cross-domain problem is to create a local virtual server to proxy the front-end requests under port 8080 and receive the server-side responses under port 9002, so that the data interaction between the server and the server will not occur cross-domain problems.
First, configure the Nodejs proxy service
module.exports = { dev: { // Paths assetsSubDirectory: 'static', assetsPublicPath: '/', proxyTable: { '/api': { target: 'http://localhost:9002', // the third-party interface you requested changeOrigin: PathRewrite: {// path override, '^/ API ': {// path override, '^/ API ': "' / / replace the target address of the request, that is to say after you at the time of request http://api.codingmore.top/v2/XXXXX this address directly into/API. }}},}Copy the code
Step 2 configure the front-end access request path
module.exports = merge(prodEnv, {
NODE_ENV: '"development"',
VUE_APP_BASE_API: '"/api"'
// VUE_APP_BASE_API: '"http://localhost:9002"'
})
Copy the code
Step 3: Restart the front-end service
Once again, click “login” button, you can see the requested URL has changed, the original is http://localhost:9002/users/login, now is http://localhost:8080/api/users/login. At the same time, you can see that there is a Remote Address and port 8080, which means that through the Nodejs proxy, the front and back end interaction is under the same source, so there is no cross-domain problem.
At the same time, you can see that the status code returned by the server becomes 200, indicating that the request was successful.
3. Enable cross-domain resource sharing
Cross-domain Resource Sharing, also known as Cross-Origin Resource Sharing, or CORS for short, is an HTTP header based mechanism that enables cross-domain access by allowing a server to identify resources other than its own.
First, enable CORS support
In Spring Boot applications, adding CORS support is unnervably easy. Just add a configuration class.
@Configuration
public class GlobalCorsConfig {
@Bean
public CorsFilter corsFilter(a) {
CorsConfiguration config = new CorsConfiguration();
// Set the domain name you want to allow
config.addAllowedOrigin("http://localhost:8080");
// Allow cross-domain cookie sending
config.setAllowCredentials(true);
// Release all original headers
config.addAllowedHeader("*");
// Allow all request methods to be invoked across domains
config.addAllowedMethod("*");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/ * *", config);
return newCorsFilter(source); }}Copy the code
Step 2, restart the back-end service and click the Login button again to find that the request is accessible.
In this example, if the access-Control-allow-Origin: http://localhost:8080 message is returned, the back-end interface running under port 9002 can be accessed by the front-end of port 8080.
If you allow all domain names to make cross-domain calls, you only need to change one line of code.
// Allow all domain names to make cross-domain calls
config.addAllowedOriginPattern("*");
// Set the domain name you want to allow
// config.addAllowedOrigin("http://localhost:8080");
Copy the code
They do not trigger CORS prechecks for simple requests like login, so no additional configuration is required on the server side. So what is a simple request?
1) Request method is one of the following three methods:
- HEAD
- GET
- POST
2) HTTP headers do not exceed the following fields:
- Accept
- Accept-Language
- Content-Language
- Last-Event-ID
- Content-type: is limited to three values
Application/X-www-form-urlencoded, multipart/form-data, text/plain
What about non-simple requests that trigger CORS prechecking (for example, the request method is PUT or DELETE, or the content-Type field is application/ JSON, or the request header contains some custom fields)?
Non-simple request Before formal communication, an HTTP query request is added, which is called a “precheck” request. After the precheck request passes, the normal response content is returned.
Take the programming cat’s article management page for example. The page issues a post/ queryPageable pageable query to the back end. The request contains a custom header Authorization, so the browser considers the request to be a non-simple request. Then, an OPTIONS request will be automatically initiated. However, since our Spring Boot project integrates the Security management framework of Spring Security, login authentication is not allowed for OPTIONS requests, resulting in verification failure, and the response data of paginated requests for articles is not returned.
Step 3: Request permission for OPTIONS with the following code.
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = httpSecurity
.authorizeRequests();
// OPTIONS requests that allow cross-domain requestsregistry.antMatchers(HttpMethod.OPTIONS) .permitAll(); }}Copy the code
Restart the back-end service again, revisit the article list interface, and find the response data.
Non-simple requests must first make a precheck request to the server using the OPTIONS request method to know whether the server will allow the actual request. The use of precheck requests prevents cross-domain requests from having an unexpected impact on the server’s user data.
Let’s briefly summarize the whole process of the precheck request by using two images. The first one is to initiate OPTIONS precheck request:
Chapter 2, Making a formal request:
Source code path
Programming cat back-end source code:
Github.com/itwanger/co…
Programming cat back-end management front-end source code:
Github.com/itwanger/co…
Reference links:
Cross domain: segmentfault.com/a/119000001… CORS:developer.mozilla.org/zh-CN/docs/… Nguyen one: www.ruanyifeng.com/blog/2016/0… Simple request + precheck request: github.com/amandakelak…
This article has been published on GitHub’s 1.6K + Star. It is said that every good Java programmer likes her. It is humorous and easy to understand. The content includes Java foundation, Java concurrent programming, Java virtual machine, Java enterprise development, Java interview and other core knowledge points. Learn Java, look for Java programmers to advance the road ð.
Github.com/itwanger/to…
Star the repository and you have the potential to become a good Java engineer. Click the link below to jump to the Java Programmer’s Path to Progress website and start your fun learning journey.
tobebetterjavaer.com/
Nothing keeps me here but purpose, and though there are roses by the shore, and trees by the shore, and still harbours, I am not tied.