对于云Paas平台,对外提供的API需要满足客户多种场景的调用需求,其中就包括WEB端的对接。由于浏览器同源策略的限制,Spring Cloud Gateway接收到的客户WEB场景下请求必然存在跨域问题,浏览器将CORS请求分成两类:简单请求(simple request)和非简单请求(not-so-simple request)。这篇文章对CORS进行了详细的介绍,拜读之后受益匪浅。https://www.ruanyifeng.com/blog/2016/04/cors.html
SpringBoot自动装配的核心就是在启动的时候从类路径下的META-INF/spring.factories中获取EnableAutoConfiguration指定的值,将这些值作为自动配置类导入到容器中,使自动配置类生效,帮我们进行自动配置工作。
SimpleUrlHandlerMappingGlobalCorsAutoConfiguration类
@Configuration
@ConditionalOnClass(SimpleUrlHandlerMapping.class)
@ConditionalOnProperty(name = "spring.cloud.gateway.globalcors.add-to-simple-url-handler-mapping", matchIfMissing = false)
public class SimpleUrlHandlerMappingGlobalCorsAutoConfiguration {
@Autowired
private GlobalCorsProperties globalCorsProperties;
@Autowired
private SimpleUrlHandlerMapping simpleUrlHandlerMapping;
@PostConstruct
void config() {
//设置到在application.properties文件中定义的CORS相关的属性
simpleUrlHandlerMapping
.setCorsConfigurations(globalCorsProperties.getCorsConfigurations());
}
}
SimpleUrlHandlerMapping类是AbstractHandlerMapping的子类,实际进入的是AbstractHandlerMapping的setCorsConfigurations方法。
Gateway对CORS处理的核心方法是AbstractHandlerMapping的getHandler(exchange)方法,我们在配置文件中指定的全局跨域规则就是在这个方法里生效的!
/*application.properties文件中指定的跨域配置就是在这里生效的
*/
public void setCorsConfigurations(Map<String, CorsConfiguration> corsConfigurations) {
Assert.notNull(corsConfigurations, "corsConfigurations must not be null");
this.corsConfigurationSource = new UrlBasedCorsConfigurationSource(this.patternParser);
((UrlBasedCorsConfigurationSource) this.corsConfigurationSource).setCorsConfigurations(corsConfigurations);
}
@Override
public Mono<Object> getHandler(ServerWebExchange exchange) {
/*getHandlerInternal方法是一个抽象方法
由AbstractHandlerMapping的子类实现该方法
*/
return getHandlerInternal(exchange).map(handler -> {
if (logger.isDebugEnabled()) {
logger.debug(exchange.getLogPrefix() + "Mapped to " + handler);
}
/* REQUEST_HANDLED_HANDLER是一个函数式接口 exhange->Mono.empty()
如果客户端请求是跨域请求,就会去读区配置文件
判断当前请求是否允许跨域
*/
if (CorsUtils.isCorsRequest(exchange.getRequest())) {
/*从上面方法可以看到
实例化的是UrlBasedCorsConfigurationSource*/
CorsConfiguration configA = this.corsConfigurationSource.getCorsConfiguration(exchange);
CorsConfiguration configB = getCorsConfiguration(handler, exchange);
CorsConfiguration config = (configA != null ? configA.combine(configB) : configB);
/*
CORS的核心 使用的是Spring5特有的PathPattern
这里先给出跨域配置样例,后续会专门分析这个方法
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowedOrigins=*
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowedHeaders=*
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowedMethods=*
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowCredentials=true
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].maxAge=1728000
需要特别注意的就是,如果客户端请求是跨域请求
如果存在配置属性与之匹配,就会放行
如果不存在,则会拒绝该请求,设置ResponseHeader,返回REQUEST_HANDLED_HANDLER,
*/
if (!getCorsProcessor().process(config, exchange) ||
CorsUtils.isPreFlightRequest(exchange.getRequest())) {
return REQUEST_HANDLED_HANDLER;
}
}
return handler;
});
}
UrlBasedCorsConfigurationSource类的getCorsConfiguration(exchange)方法简单明了,Spring5使用了全新的路径解析器PathPattern,抛弃了原先的AntPathMatcher。新的路径匹配器围绕着PathPattern拥有一套体系,在设计上更具模块化、更加面向对象,从而拥有了更好的可读性和可扩展性。
/**
* Provide a per reactive request {@link CorsConfiguration} instance based on a
* collection of {@link CorsConfiguration} mapped on path patterns.
*
* <p>Exact path mapping URIs (such as {@code "/admin"}) are supported
* as well as Ant-style path patterns (such as {@code "/admin/**"}).
*
* @author Sebastien Deleuze
* @author Brian Clozel
* @since 5.0
*/
public class UrlBasedCorsConfigurationSource implements CorsConfigurationSource {
private final Map<PathPattern, CorsConfiguration> corsConfigurations;
@Override
@Nullable
public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) {
PathContainer lookupPath = exchange.getRequest().getPath().pathWithinApplication();
return this.corsConfigurations.entrySet().stream()
.filter(entry -> entry.getKey().matches(lookupPath))
.map(Map.Entry::getValue)
.findFirst()
.orElse(null);
}
}
如果CORS请求能够通过PathPattern与application.properties文件指定的配置相匹配,就能得到CorsConfiguration类,接着就是AbstractHandlerMapping中的getCorsProcessor().process(config, exchange)方法调用,对跨域请求Response请求HttpHeader的设置,通俗易懂,有兴趣的话可以分析一下。
CorsUtils工具类
/**
* Utility class for CORS reactive request handling based on the
* <a href="https://www.w3.org/TR/cors/">CORS W3C recommendation</a>.
*
* @author Sebastien Deleuze
* @since 5.0
*/
public abstract class CorsUtils {
/**通过HttpHeader是否含有请求头Origin判断请求是否为跨域请求
* Returns {@code true} if the request is a valid CORS one.
*/
public static boolean isCorsRequest(ServerHttpRequest request) {
return (request.getHeaders().get(HttpHeaders.ORIGIN) != null);
}
/**
*对于CORS非简单请求 浏览器会首先发起HttpMethod为OPITION的预检请求
* Returns {@code true} if the request is a valid CORS pre-flight one.
*/
public static boolean isPreFlightRequest(ServerHttpRequest request) {
return (request.getMethod() == HttpMethod.OPTIONS && isCorsRequest(request) &&
request.getHeaders().get(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
}
}