Springboot 解决跨域的四种姿势 !
实现 WebMvcConfigurer#addCorsMappings 的方法
import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.CorsRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configuration public class CorsConfig implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") .allowedOrigins("*") .allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS") .allowCredentials(true) .maxAge(3600) .allowedHeaders("*"); } }
姿势二
“重新注入 CorsFilter
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import org.springframework.web.filter.CorsFilter; /** * 解决跨域 */ @Configuration public class CorsFilterConfig { /** * 开启跨域访问拦截器 * * @date 2021/4/29 9:50 */ @Bean public CorsFilter corsFilter() { //创建CorsConfiguration对象后添加配置 CorsConfiguration corsConfiguration = new CorsConfiguration(); //设置放行哪些原始域 corsConfiguration.addAllowedOrigin("*"); //放行哪些原始请求头部信息 corsConfiguration.addAllowedHeader("*"); //放行哪些请求方式 corsConfiguration.addAllowedMethod("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); //2. 添加映射路径 source.registerCorsConfiguration("/**", corsConfiguration); return new CorsFilter(source); } }
姿势三
“创建一个 filter 解决跨域
@Slf4j @Component @WebFilter(urlPatterns = { "/*" }, filterName = "headerFilter") public class HeaderFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse resp, FilterChain chain) throws IOException, ServletException { HttpServletResponse response = (HttpServletResponse) resp; //解决跨域访问报错 response.setHeader("Access-Control-Allow-Origin", "*"); response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE"); //设置过期时间 response.setHeader("Access-Control-Max-Age", "3600"); response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, client_id, uuid, Authorization"); // 支持HTTP 1.1. response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // 支持HTTP 1.0. response.setHeader("Expires", "0"); response.setHeader("Pragma", "no-cache"); // 编码 response.setCharacterEncoding("UTF-8"); chain.doFilter(request, resp); } @Override public void init(FilterConfig filterConfig) { log.info("跨域过滤器启动"); } @Override public void destroy() { log.info("跨域过滤器销毁"); } }
姿势四
“使用 CrossOrigin 注解
可以使用在单个方法上也可以使用在类上
Target({ElementType.TYPE, ElementType.METHOD}) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface CrossOrigin { /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated String[] DEFAULT_ORIGINS = {"*"}; /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated String[] DEFAULT_ALLOWED_HEADERS = {"*"}; /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated boolean DEFAULT_ALLOW_CREDENTIALS = false; /** @deprecated as of Spring 5.0, in favor of {@link CorsConfiguration#applyPermitDefaultValues} */ @Deprecated long DEFAULT_MAX_AGE = 1800; /** * Alias for {@link #origins}. */ @AliasFor("origins") String[] value() default {}; /** * A list of origins for which cross-origin requests are allowed. Please, * see {@link CorsConfiguration#setAllowedOrigins(List)} for details. *By default all origins are allowed unless {@code originPatterns} is * also set in which case {@code originPatterns} is used instead. */ @AliasFor("value") String[] origins() default {}; /** * Alternative to {@link #origins()} that supports origins declared via * wildcard patterns. Please, see * @link CorsConfiguration#setAllowedOriginPatterns(List)} for details. *
By default this is not set. * @since 5.3 */ String[] originPatterns() default {}; /** * The list of request headers that are permitted in actual requests, * possibly {@code "*"} to allow all headers. *
Allowed headers are listed in the {@code Access-Control-Allow-Headers} * response header of preflight requests. *
A header name is not required to be listed if it is one of: * {@code Cache-Control}, {@code Content-Language}, {@code Expires}, * {@code Last-Modified}, or {@code Pragma} as per the CORS spec. *
By default all requested headers are allowed. */ String[] allowedHeaders() default {}; /** * The List of response headers that the user-agent will allow the client * to access on an actual response, other than "simple" headers, i.e. * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type}, * {@code Expires}, {@code Last-Modified}, or {@code Pragma}, *
Exposed headers are listed in the {@code Access-Control-Expose-Headers} * response header of actual CORS requests. *
The special value {@code "*"} allows all headers to be exposed for * non-credentialed requests. *
By default no headers are listed as exposed. */ String[] exposedHeaders() default {}; /** * The list of supported HTTP request methods. *
By default the supported methods are the same as the ones to which a * controller method is mapped. */ RequestMethod[] methods() default {}; /** * Whether the browser should send credentials, such as cookies along with * cross domain requests, to the annotated endpoint. The configured value is * set on the {@code Access-Control-Allow-Credentials} response header of * preflight requests. *
NOTE: Be aware that this option establishes a high * level of trust with the configured domains and also increases the surface * attack of the web application by exposing sensitive user-specific * information such as cookies and CSRF tokens. *
By default this is not set in which case the * {@code Access-Control-Allow-Credentials} header is also not set and * credentials are therefore not allowed. */ String allowCredentials() default ""; /** * The maximum age (in seconds) of the cache duration for preflight responses. *
This property controls the value of the {@code Access-Control-Max-Age} * response header of preflight requests. *
Setting this to a reasonable value can reduce the number of preflight * request/response interactions required by the browser. * A negative value means undefined. *
By default this is set to {@code 1800} seconds (30 minutes). */ long maxAge() default -1;