Introduction to the

The Spring-Web module provides a number of very useful filters

HTTP PUT FORM

Browsers can only submit FORM data through GET or POST, but non-browser clients can use PUT or PATCH. The Servlet API is only POST method provides the ServletRequest. GetParameter * () method for information on the FORM. The Spring-Web module provides HttpPutFormContentFilter to check whether the Content-type of the PUT or PATCH method is Application/X-www-form-urlencoded. If so, Is read from the request the weight attribute and encapsulated into the ServletRequest, so that in the future through the ServletRequest. The getParameter () to obtain the FORM data.

Redirect head

Since requests go through proxies such as load balancers, host, port, and scheme may be different when creating links to resource files returned to the client. RFC 7239 defines the forwarder’s HTTP header, Forwarded, to provide information about the original request. There are also some other nonstandard HTTP headers, such as X-Forwarded-host, X-Forwarded-port, and X-Forwarded-Proto. ForwardedHeaderFilter gets the ForwardedHeaderFilter from each forwarded-host, X-Forwarded-host, X-Forwarded-port, or X-Forwarded-Proto. It splits the request to override host, port, and Scheme, also hiding the jump information for future processing. Note that, as explained in section 8 of RFC 7239, there are security issues when using redirection headers. There is no way to tell if a challenge is credible at the application layer. Therefore, the upstream proxy of the network must be configured correctly to filter out illegal hops. If the application does not use an agent, then the ForwardedHeaderFilter is not required.

Shallow ETag

The ShallowEtagHeaderFilter provides a filter for ETG, which is explained in more detail in View techniques.

CORS

Spring MVC provides detailed support for CORS through the Controller annotation. CorsFilter must be ranked before Spring Sercurity filters when used with Spring Sercurity.

About the CORS

For security reasons, the browser forbids AJAX from accessing resources outside the current domain. For example, if your bank account is clocked on one TAB, another evil.com opens on another TAB. The evil.com script cannot use your bank account information to access the bank API. Cross-origin Resource Sharing (CORS) is a W3C specification implemented by many browsers. It specifies which requests are allowed across domains, rather than through the weakly secure and functionally-limited IFRAME and JSONP. HandlerMapping provides built-in support for CORS. After successfully mapping the request to the processor, HandlerMapping checks the CORS configuration for the current request. Precheck requests are processed directly, and simple and actual requests are checked for CORS requests, validated, and set to return headers. To enable cross-domain requests (for example, the Origin header and the host of the request are inconsistent), CORS needs to be explicitly configured. If the configuration of CORS is not found, the precheck request is rejected. Simple and actual requests do not add response headers, so the browser does not get the information. Each HandlerMapping can be configured with a separate CorsConfiguration based on the URL. Applications typically configure single, global CORS through Java Config or Xml namespaces. Global CORS configurations at the HandlerMapping level can be merged with handler level CORS configurations. For example, annotated controllers can be configured across domains using class or method-level annotations @crossorigin. The @crossorigin annotation enables cross-domain checking of requests at the Controller layer, for example:

@RestController @RequestMapping("/account") public class AccountController { @CrossOrigin @GetMapping("/{id}") public Account retrieve(@PathVariable Long id) { // ... } @DeleteMapping("/{id}") public void remove(@PathVariable Long id) { // ... }}Copy the code

By default, @crossorigin does the following:

  • All domains are allowed
  • Allow all headers
  • Methods that allow controller mapping
  • allowedCredentialsOff by default
  • max-ageDefault 30 minutes@CrossOriginClass levels are also supported:
@CrossOrigin(origins = "http://domain2.com", maxAge = 3600) @RestController @RequestMapping("/account") public class AccountController { @GetMapping("/{id}") public Account retrieve(@PathVariable Long id) { // ... } @DeleteMapping("/{id}") public void remove(@PathVariable Long id) { // ... }}Copy the code

@crossorigin can be used in both classes and methods:

@CrossOrigin(maxAge = 3600) @RestController @RequestMapping("/account") public class AccountController { @CrossOrigin("http://domain2.com") @GetMapping("/{id}") public Account retrieve(@PathVariable Long id) { // ... } @DeleteMapping("/{id}") public void remove(@PathVariable Long id) { // ... }}Copy the code

This is done by defining the global CORS configuration. The global CORS configuration can be configured through Java Config or XML’s XNM namespace. Global CORS configuration by default:

  • All domains are allowed
  • All headers are allowed
  • Allow GET,HEAD, and POST methods
  • allowedCredentialsOff by default
  • max-ageThe default time is 30 minutes to configure CORS using Java
@Configuration @EnableWebMvc public class WebConfig implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/api/**") .allowedOrigins("http://domain2.com") .allowedMethods("PUT", "DELETE") .allowedHeaders("header1", "header2", "header3") .exposedHeaders("header1", "header2") .allowCredentials(true).maxAge(3600); // Add more mappings... }}Copy the code

Configure CORS using XML

<mvc:cors>

    <mvc:mapping path="/api/**"
        allowed-origins="http://domain1.com, http://domain2.com"
        allowed-methods="GET, PUT"
        allowed-headers="header1, header2, header3"
        exposed-headers="header1, header2" allow-credentials="true"
        max-age="123" />

    <mvc:mapping path="/resources/**"
        allowed-origins="http://domain1.com" />

</mvc:cors>Copy the code

You can also configure CORS using CorsFilter.

CorsConfiguration config = new CorsConfiguration();

// Possibly...
// config.applyPermitDefaultValues()

config.setAllowCredentials(true);
config.addAllowedOrigin("http://domain1.com");
config.addAllowedHeader("");
config.addAllowedMethod("");

UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);

CorsFilter filter = new CorsFilter(source);Copy the code