CORS (Cross-Origin Resource Sharing) — browser chặn request từ origin khác. Spring Boot cung cấp nhiều cách config.
Cách 1 — @CrossOrigin trên controller (đơn giản):
@RestController
@CrossOrigin(origins = "https://app.example.com")
class UserController {
@GetMapping("/api/users")
List<User> list() { ... }
}Cách 2 — Global config (recommended):
@Bean
WebMvcConfigurer corsConfig() {
return new WebMvcConfigurer() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/api/**")
.allowedOrigins(
"https://app.example.com",
"http://localhost:3000" // dev
)
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("*")
.allowCredentials(true) // cookies/auth headers
.maxAge(3600); // preflight cache
}
};
}Cách 3 — Spring Security (khi dùng security):
http.cors(c -> c.configurationSource(request -> {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOrigins(List.of("https://app.example.com"));
config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
config.setAllowCredentials(true);
return config;
}));Lưu ý: khi dùng Spring Security, CORS phải cấu hình qua SecurityFilterChain (cách 3) — cấu hình WebMvc level bị Security filter chặn trước.
CORS (Cross-Origin Resource Sharing) — browsers block requests from other origins. Spring Boot provides several configuration options.
Option 1 — @CrossOrigin on controller (simple):
@RestController
@CrossOrigin(origins = "https://app.example.com")
class UserController {
@GetMapping("/api/users")
List<User> list() { ... }
}Option 2 — Global config (recommended):
@Bean
WebMvcConfigurer corsConfig() {
return new WebMvcConfigurer() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/api/**")
.allowedOrigins(
"https://app.example.com",
"http://localhost:3000" // dev
)
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("*")
.allowCredentials(true)
.maxAge(3600); // preflight cache
}
};
}Option 3 — Spring Security (when Security is in use):
http.cors(c -> c.configurationSource(request -> {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOrigins(List.of("https://app.example.com"));
config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
config.setAllowCredentials(true);
return config;
}));Note: when using Spring Security, CORS must be configured via SecurityFilterChain (option 3) — WebMvc-level config is intercepted by the Security filter first.