Spring CORS example using @CrossOrigin – Spring Boot

Spring CORS example using @CrossOrigin – Spring Boot

Cross-Origin-Resource-Sharing (CORS) is a W3C specification which defines how a browser should be allowed using script to access different origin than the origin it has been served. With CORS, we can specify what kind of cross domain requests are authorized in a flexible way, instead of using some less secured and less powerful hacks like IFRAME or JSONP. In this tutorial, we’re gonna look at way to create a Spring Boot REST service with Spring CORS integration using @CrossOrigin annotation.

Related Articles:
Spring Boot – CORS Support using Java Config
Spring Boot – CORS Support using XML Config
AngularJs CrossSite HTTP Requests to SpringBoot RestAPIs

I. CORS Configuration using @CrossOrigin Annotation

1. On @RequestMapping-Annotated Method

In the code above, CORS is not enabled for getCart() method. getCustomers() and getData() have different CORS configuration.

origins: specifies the URI that can be accessed by resource. “*” means that all origins are allowed. If undefined, all origins are allowed.

allowCredentials: defines the value for Access-Control-Allow-Credentials response header. If value is true, response to the request can be exposed to the page. The credentials are cookies, authorization headers or TLS client certificates. The default value is true.

maxAge: defines maximum age (in seconds) for cache to be alive for a pre-flight request. By default, its value is 1800 seconds.

We also have some attributes:
methods: specifies methods (GET, POST,…) to allow when accessing the resource. If we don’t use this attribute, it takes the value of @RequestMapping method by default. If we specify methods attribute value in @CrossOrigin annotation, default method will be overridden.

allowedHeaders: defines the values for Access-Control-Allow-Headers response header. We don’t need to list headers if it is one of Cache-Control, Content-Language, Expires, Last-Modified, or Pragma. By default all requested headers are allowed.

exposedHeaders: values for Access-Control-Expose-Headers response header. Server uses it to tell the browser about its whitelist headers. By default, an empty exposed header list is used.

2. On Controller

If we use @CrossOrigin annotation on the Controller, all CORS Configuration of methods inside will be enabled.

3. On Both

Spring will combine attributes from both to merge CORS configuration:


II. Practice

1. Technology

– Java 1.8
– Maven 3.3.9
– Spring Tool Suite – Version 3.8.4.RELEASE
– Spring Boot: 1.5.4.RELEASE

2. Project Overview


Dependency for Spring Boot Starter Web in pom.xml.

3. Step by step
3.1 Create Spring Boot project

Using Spring Tool Suite/Eclipse to create Project and add Dependencies to pom.xml file:

3.2 Create Data Model Classes

3.3 Create Service

3.4 Create Controller

3.5 Run & Check Result

– Config maven build:
clean install
– Run project with mode Spring Boot App and port 8080.
– Create Client Application (stored in folder webapps/Cors of Apache Tomcat):

– Deploy client project on Tomcat with port 8484:

Send Request on Browser:

Clear Browser Cache, then modify data.js file by changing url to:

Send Request on Browser:
Result: Browser shows nothing.

– Deploy client project on Tomcat with port 9000:

Clear Browser Cache, then send Request on Browser:

III. Source Code


By grokonez | June 12, 2017.

Last updated on May 1, 2019.

Related Posts

Got Something To Say:

Your email address will not be published. Required fields are marked *