@RequestMapping(method = RequestMethod.POST, value = "/update.json", produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody Contacter update(@RequestBody Contacter contacterRO) {
	logger.debug("get update request {}", contacterRO.toString());
	if (contacterRO.getUserId() == 123) {
		contacterRO.setUserName("adminUpdate-wangdachui");
	}
	return contacterRO;
}

(function() {
	var url = "http://localhost:8080/api/Home/update.json";
	var data = {
	    "userId": 123,
	    "userName": "wangdachui"
	  };
	$.ajax({
		url: url,
		    type: 'POST',
		    dataType: 'json',
		    data: $.toJSON(data),
		    contentType: 'application/json'
	}
	).done(function(result) {
		console.log("success");
		console.log(result);
	}
	).fail(function() {
		console.log("error");
	}
	)
}
)()

Object {userId: 123, userName: "adminUpdate-wangdachui"}

OPTIONS http://localhost:8080/api/Home/update.json
XMLHttpRequest cannot load http://localhost:8080/api/Home/update.json. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 403.

Access-Control-Allow-Origin: http://foo.org
Access-Control-Max-Age: 3628800
Access-Control-Allow-Methods: GET，PUT, DELETE
Access-Control-Allow-Headers: content-type
"Access-Control-Allow-Origin"表明它允許"http://foo.org"發(fā)起跨域請求
"Access-Control-Max-Age"表明在3628800秒內(nèi)，不需要再發(fā)送預(yù)檢驗請求，可以緩存該結(jié)果
"Access-Control-Allow-Methods"表明它允許GET、PUT、DELETE的外域請求
"Access-Control-Allow-Headers"表明它允許跨域請求包含content-type頭

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 403.

DEBUG requestURL:/api/Home/update.json 
DEBUG method:OPTIONS 
DEBUG header host:localhost:8080 
DEBUG header connection:keep-alive 
DEBUG header cache-control:max-age=0 
DEBUG header access-control-request-method:POST 
DEBUG header origin:null 
DEBUG header user-agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 
DEBUG header access-control-request-headers:accept, content-type 
DEBUG header accept:*/* 
DEBUG header accept-encoding:gzip, deflate, sdch 
DEBUG header accept-language:zh-CN,zh;q=0.8,en;q=0.6 

@Override
public final HandlerExecutionChain getHandler(HttpServletRequest request) throws Exception {
	Object handler = getHandlerInternal(request);
	if (handler == null) {
		handler = getDefaultHandler();
	}
	if (handler == null) {
		return null;
	}
	// Bean name or resolved handler?
	if (handler instanceof String) {
		String handlerName = (String) handler;
		handler = getApplicationContext().getBean(handlerName);
	}
	HandlerExecutionChain executionChain = getHandlerExecutionChain(handler, request);
	if (CorsUtils.isCorsRequest(request)) {
		CorsConfiguration globalConfig = this.corsConfigSource.getCorsConfiguration(request);
		CorsConfiguration handlerConfig = getCorsConfiguration(handler, request);
		CorsConfiguration config = (globalConfig != null ? globalConfig.combine(handlerConfig) : handlerConfig);
		executionChain = getCorsHandlerExecutionChain(request, executionChain, config);
	}
	return executionChain;
}

public static boolean isCorsRequest(HttpServletRequest request) {
	return (request.getHeader(HttpHeaders.ORIGIN) != null);
}

@Override
public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
	corsProcessor.processRequest(this.config, request, response);
}

@Override
public Boolean processRequest(CorsConfiguration config, HttpServletRequest request, HttpServletResponse response)
		throws IOException {
	if (!CorsUtils.isCorsRequest(request)) {
		return true;
	}
	ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
	ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
	if (WebUtils.isSameOrigin(serverRequest)) {
		logger.debug("Skip CORS processing, request is a same-origin one");
		return true;
	}
	if (responseHasCors(serverResponse)) {
		logger.debug("Skip CORS processing, response already contains \"Access-Control-Allow-Origin\" header");
		return true;
	}
	Boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
	if (config == null) {
		if (preFlightRequest) {
			rejectRequest(serverResponse);
			return false;
		} else {
			return true;
		}
	}
	return handleInternal(serverRequest, serverResponse, config, preFlightRequest);
}

response.setHeader("Access-Control-Allow-Origin", "*");

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response.

response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");

public class CorsConfigurerAdapter extends WebMvcConfigurerAdapter{
	@Override
		public void addCorsMappings(CorsRegistry registry) {
		registry.addMapping("/api/*").allowedOrigins("*");
	}
}

<bean class="com.tmall.wireless.angel.web.config.CorsConfigurerAdapter"></bean>