CORS with Spring Boot - restrict GET requests to certain domains










0















I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?



I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?










share|improve this question






















  • You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…

    – sideshowbarker
    Nov 14 '18 at 22:44












  • Thanks, that was the problem.

    – Stamatis Rapanakis
    Nov 15 '18 at 8:30















0















I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?



I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?










share|improve this question






















  • You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…

    – sideshowbarker
    Nov 14 '18 at 22:44












  • Thanks, that was the problem.

    – Stamatis Rapanakis
    Nov 15 '18 at 8:30













0












0








0








I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?



I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?










share|improve this question














I am using Spring Boot and would like to restrict HTTP GET requests only from certain domains. For example, I would like to accept requests only from a list of predefined domains (e.g. https://www.frontend.com, https://www.test-frontend.com). How could I implement such a functionality?



I expected to face CORS issues, but theses do not apply for GET requests. Any ideas?







spring-boot get cors






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 14 '18 at 21:09









Stamatis RapanakisStamatis Rapanakis

7916




7916












  • You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…

    – sideshowbarker
    Nov 14 '18 at 22:44












  • Thanks, that was the problem.

    – Stamatis Rapanakis
    Nov 15 '18 at 8:30

















  • You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…

    – sideshowbarker
    Nov 14 '18 at 22:44












  • Thanks, that was the problem.

    – Stamatis Rapanakis
    Nov 15 '18 at 8:30
















You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…

– sideshowbarker
Nov 14 '18 at 22:44






You can’t use CORS configuration to block requests from non-browser clients. See the answers at stackoverflow.com/questions/42708660/… and stackoverflow.com/questions/43432743/…

– sideshowbarker
Nov 14 '18 at 22:44














Thanks, that was the problem.

– Stamatis Rapanakis
Nov 15 '18 at 8:30





Thanks, that was the problem.

– Stamatis Rapanakis
Nov 15 '18 at 8:30












2 Answers
2






active

oldest

votes


















1














public void addCorsMappings(CorsRegistry registry) 
registry.addMapping("/api/**")
.allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
.allowedMethods("GET");



Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html






share|improve this answer






























    1














    First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:



    .allowedMethods("PUT", "DELETE", "PATCH")


    and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.






    share|improve this answer

























    • I had a similar configuration. I was using Postman, that was the problem.

      – Stamatis Rapanakis
      Nov 15 '18 at 8:29










    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53308754%2fcors-with-spring-boot-restrict-get-requests-to-certain-domains%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    public void addCorsMappings(CorsRegistry registry) 
    registry.addMapping("/api/**")
    .allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
    .allowedMethods("GET");



    Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html






    share|improve this answer



























      1














      public void addCorsMappings(CorsRegistry registry) 
      registry.addMapping("/api/**")
      .allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
      .allowedMethods("GET");



      Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html






      share|improve this answer

























        1












        1








        1







        public void addCorsMappings(CorsRegistry registry) 
        registry.addMapping("/api/**")
        .allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
        .allowedMethods("GET");



        Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html






        share|improve this answer













        public void addCorsMappings(CorsRegistry registry) 
        registry.addMapping("/api/**")
        .allowedOrigins("https://www.frontend.com", "https://www.test-frontend.com")
        .allowedMethods("GET");



        Reference: https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/cors.html







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 14 '18 at 21:20









        user2908623user2908623

        476




        476























            1














            First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:



            .allowedMethods("PUT", "DELETE", "PATCH")


            and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.






            share|improve this answer

























            • I had a similar configuration. I was using Postman, that was the problem.

              – Stamatis Rapanakis
              Nov 15 '18 at 8:29















            1














            First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:



            .allowedMethods("PUT", "DELETE", "PATCH")


            and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.






            share|improve this answer

























            • I had a similar configuration. I was using Postman, that was the problem.

              – Stamatis Rapanakis
              Nov 15 '18 at 8:29













            1












            1








            1







            First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:



            .allowedMethods("PUT", "DELETE", "PATCH")


            and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.






            share|improve this answer















            First .allowedMethods use for allow methods so if you don't want to allow "GET" then put all others methods but do not put GET method, like below:



            .allowedMethods("PUT", "DELETE", "PATCH")


            and second you can not CORS by non-webapp clients like curl or Postman, any non web app client.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 2 days ago









            halfer

            14.6k758113




            14.6k758113










            answered Nov 15 '18 at 3:05









            kj007kj007

            2,74631327




            2,74631327












            • I had a similar configuration. I was using Postman, that was the problem.

              – Stamatis Rapanakis
              Nov 15 '18 at 8:29

















            • I had a similar configuration. I was using Postman, that was the problem.

              – Stamatis Rapanakis
              Nov 15 '18 at 8:29
















            I had a similar configuration. I was using Postman, that was the problem.

            – Stamatis Rapanakis
            Nov 15 '18 at 8:29





            I had a similar configuration. I was using Postman, that was the problem.

            – Stamatis Rapanakis
            Nov 15 '18 at 8:29

















            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53308754%2fcors-with-spring-boot-restrict-get-requests-to-certain-domains%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            這個網誌中的熱門文章

            How to read a connectionString WITH PROVIDER in .NET Core?

            Node.js Script on GitHub Pages or Amazon S3

            Museum of Modern and Contemporary Art of Trento and Rovereto