Spring Cloud Gateway系列(二):CORS跨域配置

        对于云Paas平台，对外提供的API需要满足客户多种场景的调用需求，其中就包括WEB端的对接。由于浏览器同源策略的限制，Spring Cloud Gateway接收到的客户WEB场景下请求必然存在跨域问题，浏览器将CORS请求分成两类：简单请求（simple request）和非简单请求（not-so-simple request）。这篇文章对CORS进行了详细的介绍，拜读之后受益匪浅。https://www.ruanyifeng.com/blog/2016/04/cors.html

 SpringBoot自动装配的核心就是在启动的时候从类路径下的META-INF/spring.factories中获取EnableAutoConfiguration指定的值，将这些值作为自动配置类导入到容器中，使自动配置类生效，帮我们进行自动配置工作。 

SimpleUrlHandlerMappingGlobalCorsAutoConfiguration类 

@Configuration
@ConditionalOnClass(SimpleUrlHandlerMapping.class)
@ConditionalOnProperty(name = "spring.cloud.gateway.globalcors.add-to-simple-url-handler-mapping", matchIfMissing = false)
public class SimpleUrlHandlerMappingGlobalCorsAutoConfiguration {

	@Autowired
	private GlobalCorsProperties globalCorsProperties;

	@Autowired
	private SimpleUrlHandlerMapping simpleUrlHandlerMapping;

	@PostConstruct
	void config() {
       //设置到在application.properties文件中定义的CORS相关的属性
		simpleUrlHandlerMapping
				.setCorsConfigurations(globalCorsProperties.getCorsConfigurations());
	}

}

SimpleUrlHandlerMapping类是AbstractHandlerMapping的子类，实际进入的是AbstractHandlerMapping的setCorsConfigurations方法。 

 Gateway对CORS处理的核心方法是AbstractHandlerMapping的getHandler(exchange)方法，我们在配置文件中指定的全局跨域规则就是在这个方法里生效的！

/*application.properties文件中指定的跨域配置就是在这里生效的
*/
public void setCorsConfigurations(Map<String, CorsConfiguration> corsConfigurations) {
		Assert.notNull(corsConfigurations, "corsConfigurations must not be null");
		this.corsConfigurationSource = new UrlBasedCorsConfigurationSource(this.patternParser);
		((UrlBasedCorsConfigurationSource) this.corsConfigurationSource).setCorsConfigurations(corsConfigurations);
	}

@Override
public Mono<Object> getHandler(ServerWebExchange exchange) {
               /*getHandlerInternal方法是一个抽象方法
                 由AbstractHandlerMapping的子类实现该方法
                */
		return getHandlerInternal(exchange).map(handler -> {
			if (logger.isDebugEnabled()) {
				logger.debug(exchange.getLogPrefix() + "Mapped to " + handler);
			}
            /* REQUEST_HANDLED_HANDLER是一个函数式接口 exhange->Mono.empty()
               如果客户端请求是跨域请求，就会去读区配置文件
               判断当前请求是否允许跨域         
            */
			if (CorsUtils.isCorsRequest(exchange.getRequest())) {
                /*从上面方法可以看到
                 实例化的是UrlBasedCorsConfigurationSource*/
				CorsConfiguration configA = this.corsConfigurationSource.getCorsConfiguration(exchange);
				CorsConfiguration configB = getCorsConfiguration(handler, exchange);
				CorsConfiguration config = (configA != null ? configA.combine(configB) : configB);
                /*
                  CORS的核心 使用的是Spring5特有的PathPattern
                  这里先给出跨域配置样例，后续会专门分析这个方法
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowedOrigins=*
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowedHeaders=*
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowedMethods=*
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].allowCredentials=true
spring.cloud.gateway.globalcors.corsConfigurations.[/*/*/users/*/message_roaming/*].maxAge=1728000
                  需要特别注意的就是，如果客户端请求是跨域请求
                  如果存在配置属性与之匹配，就会放行
                  如果不存在，则会拒绝该请求，设置ResponseHeader，返回REQUEST_HANDLED_HANDLER，
                */
				if (!getCorsProcessor().process(config, exchange) ||
						CorsUtils.isPreFlightRequest(exchange.getRequest())) {
					return REQUEST_HANDLED_HANDLER;
				}
			}
			return handler;
		});
}

UrlBasedCorsConfigurationSource类的getCorsConfiguration(exchange)方法简单明了，Spring5使用了全新的路径解析器PathPattern，抛弃了原先的AntPathMatcher。新的路径匹配器围绕着PathPattern拥有一套体系，在设计上更具模块化、更加面向对象，从而拥有了更好的可读性和可扩展性。

/**
 * Provide a per reactive request {@link CorsConfiguration} instance based on a
 * collection of {@link CorsConfiguration} mapped on path patterns.
 *
 * <p>Exact path mapping URIs (such as {@code "/admin"}) are supported
 * as well as Ant-style path patterns (such as {@code "/admin/**"}).
 *
 * @author Sebastien Deleuze
 * @author Brian Clozel
 * @since 5.0
 */
public class UrlBasedCorsConfigurationSource implements CorsConfigurationSource {

	private final Map<PathPattern, CorsConfiguration> corsConfigurations;

	@Override
	@Nullable
	public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) {
		PathContainer lookupPath = exchange.getRequest().getPath().pathWithinApplication();
		return this.corsConfigurations.entrySet().stream()
				.filter(entry -> entry.getKey().matches(lookupPath))
				.map(Map.Entry::getValue)
				.findFirst()
				.orElse(null);
	}

}

如果CORS请求能够通过PathPattern与application.properties文件指定的配置相匹配，就能得到CorsConfiguration类，接着就是AbstractHandlerMapping中的getCorsProcessor().process(config, exchange)方法调用，对跨域请求Response请求HttpHeader的设置，通俗易懂，有兴趣的话可以分析一下。

CorsUtils工具类

/**
 * Utility class for CORS reactive request handling based on the
 * <a href="https://www.w3.org/TR/cors/">CORS W3C recommendation</a>.
 *
 * @author Sebastien Deleuze
 * @since 5.0
 */
public abstract class CorsUtils {

	/**通过HttpHeader是否含有请求头Origin判断请求是否为跨域请求
	 * Returns {@code true} if the request is a valid CORS one.
	 */
	public static boolean isCorsRequest(ServerHttpRequest request) {
		return (request.getHeaders().get(HttpHeaders.ORIGIN) != null);
	}

	/**
     *对于CORS非简单请求 浏览器会首先发起HttpMethod为OPITION的预检请求
	 * Returns {@code true} if the request is a valid CORS pre-flight one.
	 */
	public static boolean isPreFlightRequest(ServerHttpRequest request) {
		return (request.getMethod() == HttpMethod.OPTIONS && isCorsRequest(request) &&
				request.getHeaders().get(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
	}
}