CORS with Spring Boot - restrict GET requests to certain domains
I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?
I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?
spring-boot get cors
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
add a comment |
I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?
I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?
spring-boot get cors
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…
– sideshowbarker
Nov 14 '18 at 22:44
Thanks, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:30
add a comment |
I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?
I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?
spring-boot get cors
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?
I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?
spring-boot get cors
spring-boot get cors
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
asked Nov 14 '18 at 21:09
Stamatis RapanakisStamatis Rapanakis
7916
7916
You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…
– sideshowbarker
Nov 14 '18 at 22:44
Thanks, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:30
add a comment |
You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…
– sideshowbarker
Nov 14 '18 at 22:44
Thanks, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:30
You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…
– sideshowbarker
Nov 14 '18 at 22:44
You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…
– sideshowbarker
Nov 14 '18 at 22:44
Thanks, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:30
Thanks, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:30
add a comment |
2 Answers
2
active
oldest
votes
public void addCorsMappings(CorsRegistry registry)
registry.addMapping("/api/**")
.allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
.allowedMethods("GET");
Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html
answered Nov 14 '18 at 21:20
user2908623user2908623
476
add a comment |
First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:
.allowedMethods("PUT", "DELETE", "PATCH")
and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.
edited 2 days ago
halfer
14.6k758113
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
I had a similar configuration. I was using Postman, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:29
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53308754%2fcors-with-spring-boot-restrict-get-requests-to-certain-domains%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
public void addCorsMappings(CorsRegistry registry)
registry.addMapping("/api/**")
.allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
.allowedMethods("GET");
Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html
answered Nov 14 '18 at 21:20
user2908623user2908623
476
add a comment |
public void addCorsMappings(CorsRegistry registry)
registry.addMapping("/api/**")
.allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
.allowedMethods("GET");
Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html
answered Nov 14 '18 at 21:20
user2908623user2908623
476
add a comment |
public void addCorsMappings(CorsRegistry registry)
registry.addMapping("/api/**")
.allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
.allowedMethods("GET");
Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html
answered Nov 14 '18 at 21:20
user2908623user2908623
476
public void addCorsMappings(CorsRegistry registry)
registry.addMapping("/api/**")
.allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
.allowedMethods("GET");
Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html
answered Nov 14 '18 at 21:20
user2908623user2908623
476
answered Nov 14 '18 at 21:20
user2908623user2908623
476
answered Nov 14 '18 at 21:20
user2908623user2908623
476
answered Nov 14 '18 at 21:20
user2908623user2908623
476
476
add a comment |
add a comment |
First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:
.allowedMethods("PUT", "DELETE", "PATCH")
and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.
edited 2 days ago
halfer
14.6k758113
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
I had a similar configuration. I was using Postman, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:29
add a comment |
First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:
.allowedMethods("PUT", "DELETE", "PATCH")
and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.
edited 2 days ago
halfer
14.6k758113
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
I had a similar configuration. I was using Postman, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:29
add a comment |
First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:
.allowedMethods("PUT", "DELETE", "PATCH")
and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.
edited 2 days ago
halfer
14.6k758113
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:
.allowedMethods("PUT", "DELETE", "PATCH")
and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.
edited 2 days ago
halfer
14.6k758113
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
edited 2 days ago
halfer
14.6k758113
edited 2 days ago
halfer
14.6k758113
edited 2 days ago
halfer
14.6k758113
14.6k758113
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
answered Nov 15 '18 at 3:05
kj007kj007
2,74631327
2,74631327
I had a similar configuration. I was using Postman, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:29
add a comment |
I had a similar configuration. I was using Postman, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:29
I had a similar configuration. I was using Postman, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:29
I had a similar configuration. I was using Postman, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:29
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53308754%2fcors-with-spring-boot-restrict-get-requests-to-certain-domains%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…
– sideshowbarker
Nov 14 '18 at 22:44
Thanks, that was the problem.
– Stamatis Rapanakis
Nov 15 '18 at 8:30