文章来源:https://juejin.cn/post/7000578331485667359 作者:小棋子006
姿势1 实现 WebMvcConfigurer#addCorsMappings 的方法
import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.CorsRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configuration public class CorsConfig implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") .allowedOrigins("*") .allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS") .allowCredentials(true) .maxAge(3600) .allowedHeaders("*"); } }
姿势2 重新注入 CorsFilter
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import org.springframework.web.filter.CorsFilter; /** * 解决跨域 */ @Configuration public class CorsFilterConfig { /** * 开启跨域访问拦截器 * * @date 2021/4/29 9:50 */ @Bean public CorsFilter corsFilter() { //创建CorsConfiguration对象后添加配置 CorsConfiguration corsConfiguration = new CorsConfiguration(); //设置放行哪些原始域 corsConfiguration.addAllowedOrigin("*"); //放行哪些原始请求头部信息 corsConfiguration.addAllowedHeader("*"); //放行哪些请求方式 corsConfiguration.addAllowedMethod("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); //2. 添加映射路径 source.registerCorsConfiguration("/**", corsConfiguration); return new CorsFilter(source); } }
姿势3 创建一个 filter 解决跨域
@Slf4j @Component @WebFilter(urlPatterns = { "/*" }, filterName = "headerFilter") public class HeaderFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse resp, FilterChain chain) throws IOException, ServletException { HttpServletResponse response = (HttpServletResponse) resp; //解决跨域访问报错 response.setHeader("Access-Control-Allow-Origin", "*"); response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE"); //设置过期时间 response.setHeader("Access-Control-Max-Age", "3600"); response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, client_id, uuid, Authorization"); // 支持HTTP 1.1. response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // 支持HTTP 1.0. response.setHeader("Expires", "0"); response.setHeader("Pragma", "no-cache"); // 编码 response.setCharacterEncoding("UTF-8"); chain.doFilter(request, resp); } @Override public void init(FilterConfig filterConfig) { log.info("跨域过滤器启动"); } @Override public void destroy() { log.info("跨域过滤器销毁"); } }
姿势4 使用 CrossOrigin 注解
可以使用在单个方法上也可以使用在类上
@Target({ElementType.TYPE, ElementType.METHOD}) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface CrossOrigin { /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated String[] DEFAULT_ORIGINS = {"*"}; /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated String[] DEFAULT_ALLOWED_HEADERS = {"*"}; /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated boolean DEFAULT_ALLOW_CREDENTIALS = false; /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated long DEFAULT_MAX_AGE = 1800; /** * Alias for {@link #origins}. */ @AliasFor("origins") String[] value() default {}; /** * A list of origins for which cross-origin requests are allowed. Please, * see {@link CorsConfiguration#setAllowedOrigins(List)} for details. * <p>By default all origins are allowed unless {@code originPatterns} is * also set in which case {@code originPatterns} is used instead. */ @AliasFor("value") String[] origins() default {}; /** * Alternative to {@link #origins()} that supports origins declared via * wildcard patterns. Please, see * @link CorsConfiguration#setAllowedOriginPatterns(List)} for details. * <p>By default this is not set. * @since 5.3 */ String[] originPatterns() default {}; /** * The list of request headers that are permitted in actual requests, * possibly {@code "*"} to allow all headers. * <p>Allowed headers are listed in the {@code Access-Control-Allow-Headers} * response header of preflight requests. * <p>A header name is not required to be listed if it is one of: * {@code Cache-Control}, {@code Content-Language}, {@code Expires}, * {@code Last-Modified}, or {@code Pragma} as per the CORS spec. * <p>By default all requested headers are allowed. */ String[] allowedHeaders() default {}; /** * The List of response headers that the user-agent will allow the client * to access on an actual response, other than "simple" headers, i.e. * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type}, * {@code Expires}, {@code Last-Modified}, or {@code Pragma}, * <p>Exposed headers are listed in the {@code Access-Control-Expose-Headers} * response header of actual CORS requests. * <p>The special value {@code "*"} allows all headers to be exposed for * non-credentialed requests. * <p>By default no headers are listed as exposed. */ String[] exposedHeaders() default {}; /** * The list of supported HTTP request methods. * <p>By default the supported methods are the same as the ones to which a * controller method is mapped. */ RequestMethod[] methods() default {}; /** * Whether the browser should send credentials, such as cookies along with * cross domain requests, to the annotated endpoint. The configured value is * set on the {@code Access-Control-Allow-Credentials} response header of * preflight requests. * <p><strong>NOTE:</strong> Be aware that this option establishes a high * level of trust with the configured domains and also increases the surface * attack of the web application by exposing sensitive user-specific * information such as cookies and CSRF tokens. * <p>By default this is not set in which case the * {@code Access-Control-Allow-Credentials} header is also not set and * credentials are therefore not allowed. */ String allowCredentials() default ""; /** * The maximum age (in seconds) of the cache duration for preflight responses. * <p>This property controls the value of the {@code Access-Control-Max-Age} * response header of preflight requests. * <p>Setting this to a reasonable value can reduce the number of preflight * request/response interactions required by the browser. * A negative value means <em>undefined</em>. * <p>By default this is set to {@code 1800} seconds (30 minutes). */ long maxAge() default -1; }
使用方式:
public class GoodsController { @CrossOrigin(origins = "http://localhost:4000") @GetMapping("goods-url") public Response queryGoodsWithGoodsUrl(@RequestParam String goodsUrl) throws Exception {} }
没错就是 @CrossOrigin 注解,点开注解
@Target({ ElementType.METHOD, ElementType.TYPE }) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface CrossOrigin {}
从元注解@Target可以看出,注解可以放在method、class等上面,类似RequestMapping,也就是说,整个controller下面的方法可以都受控制,也可以单个方法受控制。
也可以得知,这个是最小粒度的cors控制办法了,精确到单个请求级别。
以上三种方法都可以解决问题,最常用的应该是第一种、第二种,控制在自家几个域名范围下足以,一般没必要搞得太细。
这四种配置方式都用了的话,谁生效呢,类似css中样式,就近原则,懂了吧。所以在开发新项目时,不需要等联调时候,让前端来找你了,我早就解决了跨域问题。