利用CORS解决前后端分离的跨域资源问题

CORS 即CrossOrigin Resources Sharing-跨域资源共享，它定义了一种浏览器和服务器交互的方式来确定是否允许跨域请求。它是一个妥协，有更大的灵活性，但比起简单地允许所有这些的要求来说更加安全。简言之，CORS就是为了让AJAX可以实现可控的跨域访问而生的。

注意 CORS也具有一定的风险性，比如请求中只能说明来自于一个特定的域但不能验证是否可信，而且也容易被第三方入侵。

---

实现CORS的几种方式

• 通过自定义Filter

public class CorsFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");
        httpServletResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        httpServletResponse.setHeader("Access-Control-Max-Age", "3600");
        httpServletResponse.setHeader("Access-Control-Allow-Headers",
                "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
        httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");// 允许cookie
        chain.doFilter(request, response);
    }
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
    @Override
    public void destroy() {
    }
}

<!-- CORS过滤器,需要确保CorsFilter的顺序先于其他的filters start -->
<filter>
    <filter-name>corsFilter</filter-name>
    <filter-class>com.springmvc.filter.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>corsFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<!-- CORS过滤器 end -->

• Spring3, Maven工程直接引用第三方依赖

<dependency>
    <groupId>com.thetransactioncompany</groupId>
    <artifactId>cors-filter</artifactId>
    <version>[ version ]</version>
</dependency>

<filter>  
    <filter-name>CORS</filter-name>  
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>  
    <init-param>  
        <param-name>cors.allowOrigin</param-name> 
        <param-value>*</param-value> 
    </init-param>  
    <init-param>  
        <param-name>cors.supportedMethods</param-name> 
        <param-value>GET, POST, HEAD, PUT, DELETE</param-value> 
    </init-param>  
    <init-param>  
        <param-name>cors.supportedHeaders</param-name> 
        <param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified</param-value> 
    </init-param>  
    <init-param>  
        <param-name>cors.exposedHeaders</param-name> 
        <param-value>Set-Cookie</param-value> 
    </init-param>  
    <init-param>  
        <param-name>cors.supportsCredentials</param-name> 
        <param-value>true</param-value> 
    </init-param>  
</filter>  
<filter-mapping>  
    <filter-name>CORS</filter-name>  
    <url-pattern>/*</url-pattern>  
</filter-mapping>

• Spring 4.2以上

由于Spring 4.2版本开始，不需要引用第三方依赖：
在Spring MVC 中增加CORS支持非常简单，可以配置全局的规则，也可以使用@CrossOrigin注解进行细粒度的配置。

1.全局配置

配置在spring.xml文件中：

<!-- 允许所有的origins -->
<mvc:cors>
    <mvc:mapping path="/**" />
</mvc:cors>
<!-- 控制具体的访问路径和允许的域名 -->
<mvc:cors>
    <mvc:mapping path="/api/**"
        allowed-origins="http://domain1.com, http://domain2.com"
        allowed-methods="GET, PUT"
        allowed-headers="header1, header2, header3"
        exposed-headers="header1, header2" allow-credentials="false"
        max-age="123" />

    <mvc:mapping path="/resources/**"
        allowed-origins="http://domain1.com" />
</mvc:cors>

2.注解

可以作用在controller级别和method级别：

@CrossOrigin(origins = {"http://localhost:8585"}, maxAge = 4800, allowCredentials = "false")
@RestController
@RequestMapping("info")
public class PersonController {
	@Autowired
	private PersonService service;
	@CrossOrigin(origins = {"http://localhost:8787"}, maxAge = 6000)
	@RequestMapping("home")
	public List<Person> showData() {
		List<Person> list = service.getAllPerson();
		return list;
 	}
	@RequestMapping("nexthome")
	public List<Person> showDataNext() {
		List<Person> list = service.getAllPerson();
		return list;
 	}
} 

• SpringBoot

@Configuration
@EnableWebMvc
public class AppConfig extends WebMvcConfigurerAdapter {
	@Override
	public void addCorsMappings(CorsRegistry registry) {
	  registry.addMapping("/info/**")
	   	  .allowedOrigins("http://localhost:8585", "http://localhost:8787")
		  .allowedMethods("POST", "GET",  "PUT", "OPTIONS", "DELETE")
		  .allowedHeaders("X-Auth-Token", "Content-Type")
		  .exposedHeaders("custom-header1", "custom-header2")
		  .allowCredentials(false)
		  .maxAge(4800);
	}
} 

---

感谢阅读这份文档，希望有帮忙到您。