Springboot整合Shiro前后端分离跨域问题
前言:SpringBoot整合shiro进行前后端分离开发时(前端是Vue),项目做了跨域配置,但还是前端请求会出现cros err–显示的跨域问题(Access-Control-Allow-Origin )。后端没有任何报错显示,逐步分析才慢慢理解。
解决:如下是我的跨域配置:
package com.carshow.data.config;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @Author xw
* @Description 跨域访问控制, 做前后分离的话,这个也是必配的
* @Date 2021/4/12 13:07
*/
@Configuration
public class CorsConfig implements Filter {
private CorsConfiguration buildConfig() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
// 允许任何域名使用
corsConfiguration.addAllowedOriginPattern("*");
// 允许任何头
corsConfiguration.addAllowedHeader("*");
// 允许任何方法(post、get等)
corsConfiguration.addAllowedMethod("*");
//允许cookie
corsConfiguration.setAllowCredentials(true);// 是否支持安全证书(必需参数)
corsConfiguration.setMaxAge(3600L);// 预检请求的有效期,单位为秒。
corsConfiguration.addExposedHeader("set-cookie");
corsConfiguration.addExposedHeader("access-control-allow-headers");
corsConfiguration.addExposedHeader("access-control-allow-methods");
corsConfiguration.addExposedHeader("access-control-allow-origin");
corsConfiguration.addExposedHeader("access-control-max-age");
corsConfiguration.addExposedHeader("X-Frame-Options");
return corsConfiguration;
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
// 对接口配置跨域设置
source.registerCorsConfiguration("/**", buildConfig());
return new CorsFilter(source);
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
response.setHeader("Access-control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));
response.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
if ("OPTIONS".equals(request.getMethod())) {
response.setStatus(HttpStatus.NO_CONTENT.value());
return;
} else {
filterChain.doFilter(request, response);
}
}
@Bean
public FilterRegistrationBean replaceTokenFilter(){
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter( new CorsConfig ());
registration.addUrlPatterns("/*");
registration.setName("crosFilter ");
registration.setOrder(1);
return registration;
}
}
原因:浏览器会在发送真正请求之前,先发送一个方法为OPTIONS的预检请求 Preflighted requests 这个请求是用来验证本次请求是否安全的,而且并不是所有请求都会发送,需要符合以下条件:
- 请求方法不是GET/HEAD/POST
- POST请求的Content-Type并非application/x-www-form-urlencoded, multipart/form-data, 或text/plain
- 请求设置了自定义的header字段
后端使用了shiro安全框架,每次请求需要在header中携带自定义的字段(Authorization),所以浏览器会多发送一个OPTIONS请求,但是OPTIONS请求不会携带Authorization,后端验证不通,所以会产生跨域问题。
解决问题关键点:使用拦截器解决跨域问题,并且针对OPTIONS请求做放行处理
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
response.setHeader("Access-control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));
response.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
if ("OPTIONS".equals(request.getMethod())) {
response.setStatus(HttpStatus.NO_CONTENT.value());
return;
} else {
filterChain.doFilter(request, response);
}
}
@Bean
public FilterRegistrationBean replaceTokenFilter(){
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter( new CorsConfig ());
registration.addUrlPatterns("/*");
registration.setName("crosFilter ");
registration.setOrder(1);
return registration;
}
OK!