文章目录
- 背景
- 一、什么是跨域?为什么会出现跨域?
- 二、Java实现跨域模式
- 2.1、返回新的 CorsFilter(全球跨域)
- 2.2、重写 WebMvcConfigurer(全球跨域)
- 2.3、使用注解 (aa局部跨域)
- 2.4、响应头(局部跨域)手动设置
- 2.5、使用自定义filter实现跨域实现跨域实现
- 2.6、Spring Cloud Gateway 跨域配置
- 2.7、使用Nginx配置
- 2.8、继承 HandlerInterceptorAdapter
在开发过程中,我们经常遇到由前后端分离引起的跨域问题,导致无法获得返回结果。跨域就像分离前端和后端之间的差距。你在这里,她在那里,他们不能交流.
一、什么是跨域?为什么会出现跨域?定义
- 跨域(CORS)指不同域名之间的相互访问。跨域是指浏览器无法执行其他网站的脚本,这是由浏览器的同源策略和浏览器定义的JavaScript的安全限制策略造成的。当一个请求url的协议、域名和端口与当前页面url不同时,它是跨域的。
原因
在前后端分离模式下,前后端域名不一致,此时会出现跨域访问问题。在请求过程中,如果我们想回去,数据通常是post/get请求,所以跨域问题出现了。
跨域问题来源于JavaScript的同源策略,即只有JavaScript 协议+主机名+端口号(如果存在)相同,允许相互访问。也就是说,JavaScript只能访问和操作自己域下的资源,而不能访问和操作其他域下的资源。跨域问题是针对JS和ajax的。html本身没有跨域问题,如a标签、script标签甚至form标签(可以直接跨域发送数据并接收数据)
什么情况会跨域?
- 同一协议, 如http或https,
- 同一IP地址, 如127.0.0.1
- 同一端口, 如果8080以上三个条件中有一个条件不同,就会出现跨域问题。
package org.chuancey.config; import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.web.cors.CorsConfiguration;import org.springframework.web.cors.UrlBasedCorsConfigurationSource;import org.springframework.web.filter.CorsFilter; @Configurationpublic class GlobalCorsConfig { @Bean public CorsFilter corsFilter() { //1. 添加 CORS配置信息 CorsConfiguration config = new CorsConfiguration(); // 释放哪些原始域? config.addAllowedOrigin("*"); // 是否发送 Cookie config.setAllowCredentials(true); // 放行哪些请求方式? config.addAllowedMethod("*"); // 释放哪些原始请求头部信息? config.addAllowedHeader("*"); // 暴露哪些头部信息 config.addExposedHeader("*"); //2. 添加映射路径 UrlBasedCorsConfigurationSource corsConfigurationSource = new UrlBasedCorsConfigurationSource(); corsConfigurationSource.registerCorsConfiguration("/**",config); //3. 回到新的CorsFilter return new CorsFilter(corsConfigurationSource); } }package org.chuancey.config; import org.springframework.context.annotation.Configuration;import org.springframework.web.servlet.config.annotation.CorsRegistry;import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configurationpublic class CorsConfig implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") ///放行哪些原始域? .allowedOrigins("*") .allowedHeaders("*") // 是否发送Cookie .allowCredentials(true) .allowedMethods("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH") .maxAge(3600); } @Override public void addResourceHandlers(ResourceHandlerRegistry registry) { registry.addResourceHandler("/**") .addResourceLocations("classpath:/static/"); registry.addResourceHandler("swagger-ui.html") .addResourceLocations("classpath:/META-INF/resources/"); registry.addResourceHandler("doc.html") .addResourceLocations("classpath:/META-INF/resources/"); registry.addResourceHandler("/webjars/**") .addResourceLocations("classpath:/META-INF/resources/webjars/"); }}注释用于控制器(类) @CrossOrigin,这意味着所有这类方法都允许跨域。
@RestController@CrossOrigin(origins = "*")public class VerificationController { }注释用于该方法 @CrossOrigin
@PostMapping("/check/phone") @CrossOrigin(origins = "*") public boolean checkPhoneNumber(@RequestBody @ApiParam VerificationPojo verification) throws BusinessException { return false; }使用 HttpServletResponse 对象添加响应头(Access-Control-Allow-Origin)在这里授权原始域 Origin的值也可以设置为 “*”,表示全部放行。
@RequestMapping("/home")public String home(HttpServletResponse response) { response.addHeader("Access-Allow-Control-Origin","*"); return "home";}import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletResponse;import org.springframework.stereotype.Component; @Slf4j@Configuration@WebFilter(filterName = "accessFilter", urlPatterns = "/*")public class MyCorsFilter implements Filter { public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletResponse response = (HttpServletResponse) res; response.setHeader("Access-Control-Allow-Origin", "*"); response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE"); response.setHeader("Access-Control-Max-Age", "3600"); response.setHeader("Access-Control-Allow-Headers", "x-requested-with,content-type"); chain.doFilter(req, res); } public void init(FilterConfig filterConfig) {log.info("Accesfilter过滤器初始化!");} public void destroy() {}}自定义Filter的xml生效方法
<!-- 跨域访问 START--><filter> <filter-name>CorsFilter</filter-name> <filter-class>org.chuancey.filter.MyCorsFilter</filter-class></filter><filter-mapping> <filter-name>CorsFilter</filter-name> <url-pattern>/*</url-pattern></filter-mapping><!-- 跨域访问 END -->spring: cloud: gateway: globalcors: cors-configurations: [/**]: # 允许跨域源(网站域名/ip),设置*为全部 # 允许将跨域请求中的head字段设置为所有 # 允许跨域method, 默认为GET和OPTIONS,设置*为全部 allow-credentials: true allowed-origins: - "http://xb.abc.com" - "http://sf.xx.com" allowed-headers: "*" allowed-methods: - OPTIONS - GET - POST - DELETE - PUT - PATCH max-age: 3600注意: 通过gateway 转发的其他项目不得配置跨域配置
有时候,即使配置了,也不会起作用。此时,如果提示是,您可以根据浏览器控制的错误输出查看问题 response 中 header 重复出现了 Access-Control-* 请求头可以进行以下操作
import java.util.ArrayList;import org.springframework.cloud.gateway.filter.GatewayFilterChain;import org.springframework.cloud.gateway.filter.GlobalFilter;import org.springframework.cloud.gateway.filter.NettyWriteResponseFilter;import org.springframework.core.Ordered;import org.springframework.http.HttpHeaders;import org.springframework.stereotype.Component;import org.springframework.web.server.ServerWebExchange;import reactor.core.publisher.Mono; @Component("corsResponseHeaderFilter")public class CorsResponseHeaderFilter implements GlobalFilter, Ordered { @Override public int getOrder() { // 指定该过滤器位于NetyWritersponsefilter之后 // 待处理响应体后,再处理响应头 return NettyWriteResponseFilter.WRITE_RESPONSE_FILTER_ORDER + 1; } @Override public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) { return chain.filter(exchange).then(Mono.defer(() -> { exchange.getResponse().getHeaders().entrySet().stream() .filter(kv -> (kv.getValue() != null && kv.getValue().size() > 1)) .filter(kv -> ( kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN) || kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS) || kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS) || kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS) || kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_MAX_AGE))) .forEach(kv -> { kv.setValue(new ArrayList<String>() {{ add(kv.getValue().get(0)); }}); }); return chain.filter(exchange); })); }}location / { add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Headers X-Requested-With; add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS; if ($request_method = 'OPTIONS') { return 204; }}@Componentpublic class CrossInterceptor extends HandlerInterceptorAdapter { @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { response.setHeader("Access-Control-Allow-Origin", "*"); response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); response.setHeader("Access-Control-Max-Age", "3600"); response.setHeader("Access-Control-Allow-Headers", "*"); response.setHeader("Access-Control-Allow-Credentials", "true"); return true; }}www.mianshi.onlinewww.i9code.cn
本文由博客一文多发平台 OpenWrite 发布!
湘公网安备43019002002060