What is CORS, what is preflight, how do you resolve it in Spring Boot?
WebMvcConfigurer CorsRegistry
Later, HTML5 added support for the CORS protocol. CORS is a W3C standard whose full name is "Cross-Origin Resource Sharing"; it allows the browser to send XMLHttpRequest requests to a cross-origin server, overcoming the restriction that AJAX could only be used same-origin. The server adds a special header, Access-Control-Allow-Origin, to tell the client what cross-origin access it permits; if the browser supports CORS and the Origin check passes, the browser allows the XMLHttpRequest to make the cross-origin request.
Once the front end relies on CORS, the back end must be configured to accept non-same-origin requests. Spring Boot offers two ways to do this.
First, configure a CorsFilter.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class GlobalCorsConfig {
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Spring 5.3+ refuses addAllowedOrigin("*") together with allowCredentials(true)
        // at startup; the pattern form echoes the request Origin instead. A production
        // config should list the exact origins allowed to send credentialed requests.
        config.addAllowedOriginPattern("*");
        config.setAllowCredentials(true);
        config.addAllowedMethod("*");
        config.addAllowedHeader("*");
        config.addExposedHeader("*");
        // Apply the policy to every path; the filter answers preflight (OPTIONS)
        // requests and stamps the CORS headers on actual responses.
        UrlBasedCorsConfigurationSource configSource = new UrlBasedCorsConfigurationSource();
        configSource.registerCorsConfiguration("/**", config);
        return new CorsFilter(configSource);
    }
}
This requires the block of configuration above. The second approach is a little simpler.
Second, add the following to the startup class:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@SpringBootApplication
public class Application implements WebMvcConfigurer { // WebMvcConfigurerAdapter is deprecated since Spring 5
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowCredentials(true)
                .allowedHeaders("*")
                // allowedOrigins("*") is rejected with allowCredentials(true) on Spring 5.3+; prefer explicit origins in production
                .allowedOriginPatterns("*")
                .allowedMethods("*");
    }
}
What is CSRF?
How do you find out how many endpoints a Spring Boot application has, and their details such as the path?
How do you share session between different servers?
Microservice, UnknownHostException?
Can you explain the differences between @RestController and @Controller annotations in Spring Boot?
How do you implement security in a Spring Boot application?
How do you create and use Java annotations, and what are some common use cases for annotations?
Java annotations are metadata that provide additional information about the code to the compiler, runtime or other tools. They can be used to add information, enable/disable code generation or check code correctness.
Here are the steps to create and use Java annotations:
What are the different operators available in RxJS, and how do you use them?
What is the difference between the mergeMap and switchMap operators in RxJS?
How do you use the retry operator in RxJS to retry an HTTP request?
How do you use the combineLatest operator in RxJS to combine multiple observables?
Can you explain the role of access tokens in OAuth 2.0?
What is SAML?
In summary, while OAuth 2.0 is primarily designed for delegated authorization scenarios, SAML is designed for SSO scenarios.
Token type:
Access token/ID token/Refresh token/Reference token.
Access tokens can come in two flavours - self-contained or reference.
A JWT token would be a self-contained access token - it’s a protected data structure with claims and an expiration. Once an API has learned about the key material, it can validate self-contained tokens without needing to communicate with the issuer. This makes JWTs hard to revoke. They will stay valid until they expire.
When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token.
Reference tokens (sometimes also called opaque tokens) on the other hand are just identifiers for a token stored on the token service. The token service stores the contents of the token in some data store, associates it with an infeasible-to-guess id and passes the id back to the client.
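To make the self-contained versus reference distinction above concrete, here is an added Python example (not code from the page or from IdentityServer) that mints and locally validates an HS256 JWT, then contrasts it with an opaque token that the API must look up on the issuer; the shared HMAC key and the in-memory store are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets
# Constructed demo key shared by issuer and API (assumption: real issuers
# publish asymmetric keys, and the API holds only the verification key).
SECRET = b"demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict) -> str:
    """Issuer: self-contained token = header.payload.signature (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_jwt(token: str, now: int):
    """API: checks alg, signature and exp using only the key, never the issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let "alg" choose the check
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, AttributeError):  # bad base64, JSON or header shape
        return None
    if claims.get("exp", 0) <= now:
        return None  # expiry is the only thing that stops a self-contained token
    return claims

class ReferenceTokenService:
    """Issuer-side store for opaque tokens: the client holds only an unguessable id."""
    def __init__(self):
        self._store = {}
    def issue(self, claims: dict) -> str:
        token_id = secrets.token_urlsafe(32)
        self._store[token_id] = claims
        return token_id
    def revoke(self, token_id: str) -> None:
        self._store.pop(token_id, None)  # takes effect on the next introspection
    def introspect(self, token_id: str, now: int):
        """The back-channel call an API makes to validate a reference token."""
        claims = self._store.get(token_id)
        return None if claims is None or claims.get("exp", 0) <= now else claims
```

Revoking the reference token makes the next introspection fail immediately, while the JWT minted from the same claims keeps validating locally until its exp passes.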
An ID token is encoded as a JSON Web Token (JWT).
An ID token is an artifact that proves that the user has been authenticated. It was introduced by OpenID Connect (OIDC).
In the OAuth 2 context, the access token allows a client application to access a specific resource to perform specific actions on behalf of the user. That is what is known as a delegated authorization scenario.
OAuth 2 core specifications say nothing about the access token format. It can be a string in any format. A common format used for access tokens is JWT.
An access token is a short-lived token that is used to access protected resources on behalf of an authenticated user.