Spring @CrossOrigin 注解原理实现

现实开发中，我们难免遇到跨域问题，以前笔者只知道jsonp这种解决方式，后面听说spring只要加入@CrossOrigin即可解决跨域问题。本着好奇的心里，笔者看了下@CrossOrigin 作用原理，写下这篇博客。

先说原理：其实很简单，就是利用spring的拦截器实现往response里添加 Access-Control-Allow-Origin等响应头信息，我们可以看下spring是怎么做的

注：这里使用的spring版本为5.0.6

我们可以先往RequestMappingHandlerMapping 的initCorsConfiguration方法打一个断点，发现方法调用情况如下

如果controller在类上标了@CrossOrigin或在方法上标了@CrossOrigin注解，则spring 在记录mapper映射时会记录对应跨域请求映射，代码如下

1. RequestMappingHandlerMapping
2. protected CorsConfiguration initCorsConfiguration(Object handler, Method method, RequestMappingInfo mappingInfo) {
3. HandlerMethod handlerMethod = createHandlerMethod(handler, method);
4. Class<?> beanType = handlerMethod.getBeanType();
5. //获取handler上的CrossOrigin 注解
6. CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(beanType, CrossOrigin.class);
7. //获取handler 方法上的CrossOrigin 注解
8. CrossOrigin methodAnnotation = AnnotatedElementUtils.findMergedAnnotation(method, CrossOrigin.class);
10. if (typeAnnotation == null && methodAnnotation == null) {
11. //如果类上和方法都没标CrossOrigin 注解，则返回一个null
12. return null;
13. }
14. //构建一个CorsConfiguration 并返回
15. CorsConfiguration config = new CorsConfiguration();
16. updateCorsConfig(config, typeAnnotation);
17. updateCorsConfig(config, methodAnnotation);
19. if (CollectionUtils.isEmpty(config.getAllowedMethods())) {
20. for (RequestMethod allowedMethod : mappingInfo.getMethodsCondition().getMethods()) {
21. config.addAllowedMethod(allowedMethod.name());
22. }
23. }
24. return config.applyPermitDefaultValues();
25. }

将结果返回到了AbstractHandlerMethodMapping#register，主要代码如下

1. CorsConfiguration corsConfig = initCorsConfiguration(handler, method, mapping);
2. if (corsConfig != null) {
3. //会保存handlerMethod处理跨域请求的配置
4. this.corsLookup.put(handlerMethod, corsConfig);
5. }

当一个跨域请求过来时，spring在获取handler时会判断这个请求是否是一个跨域请求，如果是，则会返回一个可以处理跨域的handler

1. AbstractHandlerMapping#getHandler
2. HandlerExecutionChain executionChain = getHandlerExecutionChain(handler, request);
3. //如果是一个跨域请求
4. if (CorsUtils.isCorsRequest(request)) {
5. //拿到跨域的全局配置
6. CorsConfiguration globalConfig = this.globalCorsConfigSource.getCorsConfiguration(request);
7. //拿到hander的跨域配置
8. CorsConfiguration handlerConfig = getCorsConfiguration(handler, request);
9. CorsConfiguration config = (globalConfig != null ? globalConfig.combine(handlerConfig) : handlerConfig);
10. //处理跨域（即往响应头添加Access-Control-Allow-Origin信息等），并返回对应的handler对象
11. executionChain = getCorsHandlerExecutionChain(request, executionChain, config);
12. }

我们可以看下如何判定一个请求是一个跨域请求，

1. public static boolean isCorsRequest(HttpServletRequest request) {
2. //判定请求头是否有Origin 属性即可
3. return (request.getHeader(HttpHeaders.ORIGIN) != null);
4. }

再看下getCorsHandlerExecutionChain 是如何获取一个handler

1. protected HandlerExecutionChain getCorsHandlerExecutionChain(HttpServletRequest request,
2. HandlerExecutionChain chain, @Nullable CorsConfiguration config) {
4. if (CorsUtils.isPreFlightRequest(request)) {
5. HandlerInterceptor[] interceptors = chain.getInterceptors();
6. chain = new HandlerExecutionChain(new PreFlightHandler(config), interceptors);
7. }
8. else {
9. //只是给执行器链添加了一个拦截器
10. chain.addInterceptor(new CorsInterceptor(config));
11. }
12. return chain;
13. }

也就是在调用目标方法前会先调用CorsInterceptor#preHandle，我们观察得到其也是调用了corsProcessor.processRequest方法，我们往这里打个断点

processRequest方法的主要逻辑如下

1. public boolean processRequest(@Nullable CorsConfiguration config, HttpServletRequest request,
2. HttpServletResponse response) throws IOException {
3. //....
4. //调用了自身的handleInternal方法
5. return handleInternal(serverRequest, serverResponse, config, preFlightRequest);
6. }
8. protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse response,
9. CorsConfiguration config, boolean preFlightRequest) throws IOException {
11. String requestOrigin = request.getHeaders().getOrigin();
12. String allowOrigin = checkOrigin(config, requestOrigin);
13. HttpHeaders responseHeaders = response.getHeaders();
15. responseHeaders.addAll(HttpHeaders.VARY, Arrays.asList(HttpHeaders.ORIGIN,
16. HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
18. if (allowOrigin == null) {
19. logger.debug("Rejecting CORS request because '" + requestOrigin + "' origin is not allowed");
20. rejectRequest(response);
21. return false;
22. }
24. HttpMethod requestMethod = getMethodToUse(request, preFlightRequest);
25. List<HttpMethod> allowMethods = checkMethods(config, requestMethod);
26. if (allowMethods == null) {
27. logger.debug("Rejecting CORS request because '" + requestMethod + "' request method is not allowed");
28. rejectRequest(response);
29. return false;
30. }
32. List<String> requestHeaders = getHeadersToUse(request, preFlightRequest);
33. List<String> allowHeaders = checkHeaders(config, requestHeaders);
34. if (preFlightRequest && allowHeaders == null) {
35. logger.debug("Rejecting CORS request because '" + requestHeaders + "' request headers are not allowed");
36. rejectRequest(response);
37. return false;
38. }
39. //设置响应头
40. responseHeaders.setAccessControlAllowOrigin(allowOrigin);
42. if (preFlightRequest) {
43. responseHeaders.setAccessControlAllowMethods(allowMethods);
44. }
46. if (preFlightRequest && !allowHeaders.isEmpty()) {
47. responseHeaders.setAccessControlAllowHeaders(allowHeaders);
48. }
50. if (!CollectionUtils.isEmpty(config.getExposedHeaders())) {
51. responseHeaders.setAccessControlExposeHeaders(config.getExposedHeaders());
52. }
54. if (Boolean.TRUE.equals(config.getAllowCredentials())) {
55. responseHeaders.setAccessControlAllowCredentials(true);
56. }
58. if (preFlightRequest && config.getMaxAge() != null) {
59. responseHeaders.setAccessControlMaxAge(config.getMaxAge());
60. }
61. //刷新
62. response.flush();
63. return true;
64. }

至此@CrossOrigin的使命就完成了，说白了就是用拦截器给response添加响应头信息而已