Springboot 解决跨域的四种姿势

Posted 2022-09-24

简介

跨域我就不多说了，我们今天开门见山直接解决跨域的几种姿势，那就上姿势

姿势

姿势一

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer 

    @Override
    public void addCorsMappings(CorsRegistry registry) 
        registry.addMapping("/**")
                .allowedOrigins("*")
                .allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")
                .allowCredentials(true)
                .maxAge(3600)
                .allowedHeaders("*");
    

姿势二

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * 解决跨域
 */
@Configuration
public class CorsFilterConfig 


    /**
     * 开启跨域访问拦截器
     *
     * @date 2021/4/29 9:50
     */
    @Bean
    public CorsFilter corsFilter() 
        //创建CorsConfiguration对象后添加配置
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        //设置放行哪些原始域
        corsConfiguration.addAllowedOrigin("*");
        //放行哪些原始请求头部信息
        corsConfiguration.addAllowedHeader("*");
        //放行哪些请求方式
        corsConfiguration.addAllowedMethod("*");

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        //2. 添加映射路径
        source.registerCorsConfiguration("/**", corsConfiguration);
        return new CorsFilter(source);
    

姿势三

@Slf4j
@Component
@WebFilter(urlPatterns =  "/*" , filterName = "headerFilter")
public class HeaderFilter implements Filter 
    @Override
    public void doFilter(ServletRequest request, ServletResponse resp, FilterChain chain) throws IOException, ServletException 
        HttpServletResponse response = (HttpServletResponse) resp;
        //解决跨域访问报错
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
        //设置过期时间
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, client_id, uuid, Authorization");
        // 支持HTTP 1.1.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        // 支持HTTP 1.0. response.setHeader("Expires", "0");
        response.setHeader("Pragma", "no-cache");
        // 编码
        response.setCharacterEncoding("UTF-8");
        chain.doFilter(request, resp);
    

    @Override
    public void init(FilterConfig filterConfig) 
        log.info("跨域过滤器启动");
    

    @Override
    public void destroy() 
        log.info("跨域过滤器销毁");
    

姿势四

可以使用在单个方法上也可以使用在类上

Target(ElementType.TYPE, ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface CrossOrigin 

	/** @deprecated as of Spring 5.0, in favor of @link CorsConfiguration#applyPermitDefaultValues */
	@Deprecated
	String[] DEFAULT_ORIGINS = "*";

	/** @deprecated as of Spring 5.0, in favor of @link CorsConfiguration#applyPermitDefaultValues */
	@Deprecated
	String[] DEFAULT_ALLOWED_HEADERS = "*";

	/** @deprecated as of Spring 5.0, in favor of @link CorsConfiguration#applyPermitDefaultValues */
	@Deprecated
	boolean DEFAULT_ALLOW_CREDENTIALS = false;

	/** @deprecated as of Spring 5.0, in favor of @link CorsConfiguration#applyPermitDefaultValues */
	@Deprecated
	long DEFAULT_MAX_AGE = 1800;


	/**
	 * Alias for @link #origins.
	 */
	@AliasFor("origins")
	String[] value() default ;

	/**
	 * A list of origins for which cross-origin requests are allowed. Please,
	 * see @link CorsConfiguration#setAllowedOrigins(List) for details.
	 * <p>By default all origins are allowed unless @code originPatterns is
	 * also set in which case @code originPatterns is used instead.
	 */
	@AliasFor("value")
	String[] origins() default ;

	/**
	 * Alternative to @link #origins() that supports origins declared via
	 * wildcard patterns. Please, see
	 * @link CorsConfiguration#setAllowedOriginPatterns(List) for details.
	 * <p>By default this is not set.
	 * @since 5.3
	 */
	String[] originPatterns() default ;

	/**
	 * The list of request headers that are permitted in actual requests,
	 * possibly @code "*"  to allow all headers.
	 * <p>Allowed headers are listed in the @code Access-Control-Allow-Headers
	 * response header of preflight requests.
	 * <p>A header name is not required to be listed if it is one of:
	 * @code Cache-Control, @code Content-Language, @code Expires,
	 * @code Last-Modified, or @code Pragma as per the CORS spec.
	 * <p>By default all requested headers are allowed.
	 */
	String[] allowedHeaders() default ;

	/**
	 * The List of response headers that the user-agent will allow the client
	 * to access on an actual response, other than "simple" headers, i.e.
	 * @code Cache-Control, @code Content-Language, @code Content-Type,
	 * @code Expires, @code Last-Modified, or @code Pragma,
	 * <p>Exposed headers are listed in the @code Access-Control-Expose-Headers
	 * response header of actual CORS requests.
	 * <p>The special value @code "*" allows all headers to be exposed for
	 * non-credentialed requests.
	 * <p>By default no headers are listed as exposed.
	 */
	String[] exposedHeaders() default ;

	/**
	 * The list of supported HTTP request methods.
	 * <p>By default the supported methods are the same as the ones to which a
	 * controller method is mapped.
	 */
	RequestMethod[] methods() default ;

	/**
	 * Whether the browser should send credentials, such as cookies along with
	 * cross domain requests, to the annotated endpoint. The configured value is
	 * set on the @code Access-Control-Allow-Credentials response header of
	 * preflight requests.
	 * <p><strong>NOTE:</strong> Be aware that this option establishes a high
	 * level of trust with the configured domains and also increases the surface
	 * attack of the web application by exposing sensitive user-specific
	 * information such as cookies and CSRF tokens.
	 * <p>By default this is not set in which case the
	 * @code Access-Control-Allow-Credentials header is also not set and
	 * credentials are therefore not allowed.
	 */
	String allowCredentials() default "";

	/**
	 * The maximum age (in seconds) of the cache duration for preflight responses.
	 * <p>This property controls the value of the @code Access-Control-Max-Age
	 * response header of preflight requests.
	 * <p>Setting this to a reasonable value can reduce the number of preflight
	 * request/response interactions required by the browser.
	 * A negative value means <em>undefined</em>.
	 * <p>By default this is set to @code 1800 seconds (30 minutes).
	 */
	long maxAge() default -1;

以上四种姿势都学会了么？学会了三连哦

可以关注公众号，学习更多的姿势