Spring跨域处理多种方式(<mvc:cors>,@CrossOrigin)
简单来说, 会根据请求头的Origin,判断是否为跨域请求. 通过设置responseHeaders(Access-Control-Allow-Origin等), 来允许跨域请求.(注意OPTIONS请求才会设置其他Access-Control-Allow-*头)
总的来说, 可以在Filter(CorsFilter) 或 Interceptor(CorsInterceptor)中判断并设置处理headers.(当然Spring提供的类, 最后的都复用同一个类DefaultCorsProcessor).
可以基于xml或纯java配置, 源码分析基于Spring 5.2.5, 为了简洁会省去部分源码.
方式一: @CrossOrigin
可以在类或方法上添加, 最终会保存到Map<HandlerMethod
,CorsConfiguration
>(参考源码:AbstractHandlerMethodMapping,MappingRegistry)
该方式是基于Interceptor,参考源码:
// 基于RequestMappingHandlerMapping分析
public abstract class AbstractHandlerMapping {
@Override
public final HandlerExecutionChain getHandler(HttpServletRequest request) throws Exception {
// ...
if (hasCorsConfigurationSource(handler) || CorsUtils.isPreFlightRequest(request)) {
CorsConfiguration config = (this.corsConfigurationSource != null this.corsConfigurationSource.getCorsConfiguration(request) : null);
// 找到cors配置
CorsConfiguration handlerConfig = getCorsConfiguration(handler, request);
config = (config != null ? config.combine(handlerConfig) : handlerConfig);
executionChain = getCorsHandlerExecutionChain(request, executionChain, config);
}
return executionChain;
}
protected HandlerExecutionChain getCorsHandlerExecutionChain(HttpServletRequest request,
HandlerExecutionChain chain, @Nullable CorsConfiguration config) {
if (CorsUtils.isPreFlightRequest(request)) {
HandlerInterceptor[] interceptors = chain.getInterceptors();
chain = new HandlerExecutionChain(new PreFlightHandler(config), interceptors);
}
else {
// 创建拦截器
chain.addInterceptor(0, new CorsInterceptor(config));
}
return chain;
}
}
从第8行和第25行得出, 找到cors配置并创建CorsInterceptor拦截器, 拦截器最终会调用DefaultCorsProcessor
public class DefaultCorsProcessor implements CorsProcessor {
protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse response,
CorsConfiguration config, boolean preFlightRequest) throws IOException {
// ...
responseHeaders.setAccessControlAllowOrigin(allowOrigin);
if (preFlightRequest) {
responseHeaders.setAccessControlAllowMethods(allowMethods);
}
// ...
}
}
@CrossOrigin 缺省存在默认值, 具体看注解和CorsConfiguration#applyPermitDefaultValues
方式二: <mvc:cors>
在xml中配置, 与@CrossOrigin不同的是, 可以可以自定mapping, 从而配置整个项目, 其他是类似的也是基于Interceptor
<mvc:cors>
<mvc:mapping path="/**" />
</mvc:cors>
mapping上还有其他自定义选项
方式三: CorsFilter
该方式类似于方式二, 不过是基于Filter, 当然背后走的是同一套逻辑.
@Configuration
public class MyConfiguration {
@Bean
public FilterRegistrationBean corsFilter() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config); // 类似方式二
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
}