Spring Boot Security cors跨域解决

发表于 2018-03-30 更新于 2023-05-06 分类于 JavaEE Waline：

springboot security解决cors

添加配置文件

@Configuration
public class CorsConfig implements WebMvcConfigurer{
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**");
    }
}

在WebSecurityConfig extends WebSecurityConfigurerAdapter类里面添加

@Bean
CorsConfigurationSource corsConfigurationSource()
{
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()....
}

tomcat配置cors（废弃）

官网

1
2
3

/data/tomcat/bin/catalina.sh version
>Using CATALINA_HOME:   /data/tomcat/
vim /data/tomcat/conf/web.xml

添加

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
<!-- 如果设置*，cors.support.credentials不能设置true不然会启动报错 -->
<!--设置成前端的访问地址例如 访问http://192.168.101.210:8006,这里就可以设置成该地址 -->      
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

err:

Access to XMLHttpRequest at 'http://192.168.101.210:8005/fun/login.do?loginName=admin&pwd=a123456&yzm=2giu&userType=1' from origin 'http://127.0.0.1:32768' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

其中from origin后面的地址设置到cors.allowed.origins,多个地址,分割

问题：这个经测试，发现option一直提示跨域

filter解决跨域

新建一个CorsFilter类

package com.xxx.controller.filter;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;


public class CorsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String currentOrigin = request.getHeader("Origin");
        response.setHeader("Access-Control-Allow-Origin", currentOrigin);   //  允许所有域名的请求
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
        response.setHeader("Access-Control-Allow-Headers",
                "User-Agent,Origin,Cache-Control,Content-type,Date,Server,withCredentials,AccessToken");
        response.setHeader("Access-Control-Expose-Headers", "CUSTOMSESSIONID");
        response.setHeader("Access-Control-Request-Headers", "CUSTOMSESSIONID");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-auth-token,Origin,Access-Token,X-Requested-With,Content-Type,Accept");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        if (request.getMethod().equals("OPTIONS")) {
            response.setStatus(200);
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {

    }
}

然后在src\main\webapp\WEB-INF\web.xml里配置,配成第一个过滤器

<filter>
    <filter-name>corsFilter</filter-name>
    <filter-class>com.xxx.controller.innercs.filter.CorsFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>corsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

这个和tomcat不能同时配置，会导致同时设置两个跨域地址

跨域测试

chrome console输入

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://192.168.1.230:14083/app/geography/painting/',true);
xhr.setRequestHeader('Authorization', 'Bearer ...'); #带请求头
xhr.send();
xhr.send('body数据'); #带参数

在network查看结果

跨域分析

通过xhr请求的时候，response Header会返还Access-Control-Allow-Origin: *，通过界面和postman不会返回Access-Control-Allow-Origin: *，经分析测试，只有request Header中有该参数Origin: ，才会返回Access-Control-Allow-Origin: *。源代码位置如下：

public class DefaultCorsProcessor implements CorsProcessor {

	private static final Log logger = LogFactory.getLog(DefaultCorsProcessor.class);


	@Override
	@SuppressWarnings("resource")
	public boolean processRequest(@Nullable CorsConfiguration config, HttpServletRequest request,
			HttpServletResponse response) throws IOException {

		if (!CorsUtils.isCorsRequest(request)) {
			return true;
		}

		ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
		if (responseHasCors(serverResponse)) {
			logger.trace("Skip: response already contains \"Access-Control-Allow-Origin\"");
			return true;
		}
		....
------------------------------------------		
public abstract class CorsUtils {

	/**
	 * Returns {@code true} if the request is a valid CORS one.
	 */
	public static boolean isCorsRequest(HttpServletRequest request) {
		return (request.getHeader(HttpHeaders.ORIGIN) != null);
	}

参考

九种跨域方式实现原理