原因略
解決:提供一個配置類,寫個過濾器,設置白名單、響應頭訪問方式等等信息。
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsProcessor;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.DefaultCorsProcessor;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
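/**
 * Web configuration: a catch-all Spring MVC CORS mapping plus a servlet filter that enforces
 * an origin whitelist read from {@code cors.origin.whitelist}.
 *
 * <p>Two CORS policies exist here. The MVC mapping is registered without restrictions, so
 * Spring applies its permissive defaults (any origin, GET/HEAD/POST, any header, no
 * credentials). The filter applies the stricter whitelist; because it runs before the MVC
 * layer and writes {@code Access-Control-Allow-Origin} itself, Spring's processor leaves the
 * requests it has already answered alone. Change one with the other in mind.
 */
@Configuration
public class WebAppConfig {

    /**
     * Registers the {@code /**} CORS mapping. Nothing is restricted at this level; the
     * whitelist is enforced by {@link WebSecurityCorsFilter}.
     *
     * @return the MVC configurer that adds the mapping
     */
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**");
            }
        };
    }

    /**
     * Servlet filter that answers CORS requests against a configurable origin whitelist.
     *
     * <p>Whitelist syntax: entries separated by {@code ;}, whitespace around entries ignored,
     * case-insensitive. An entry starting with a dot ({@code .example.com}) matches any
     * sub-domain of that domain on any port (the bare domain needs its own entry). Any other
     * entry must equal the origin's host ({@code api.example.com}) or, when the entry carries a
     * port, the origin's {@code host:port} ({@code localhost:3000}). The comparison is made on
     * the host parsed from the {@code Origin} header rather than on the raw string, so an origin
     * such as {@code http://notlocalhost:3000} does not satisfy {@code localhost:3000}.
     *
     * <p>An empty whitelist or a single {@code *} allows every origin, but then credentials are
     * never allowed: a wildcard origin combined with credentials is rejected by Spring 5.3+
     * with an {@code IllegalArgumentException} and, on older versions, reflects any request
     * origin with credentials, which defeats the purpose of the whitelist.
     *
     * <p>NOTE(review): with {@code @Component} Spring Boot registers this filter for every URL;
     * the {@code urlPatterns} on {@code @WebFilter} only take effect when
     * {@code @ServletComponentScan} is enabled — confirm which scope is intended.
     */
    @Component
    @WebFilter(urlPatterns = "/wscf/*", filterName = "authFilter")
    public static class WebSecurityCorsFilter implements Filter {

        /** Request headers a cross-origin client may send. */
        private static final List<String> ALLOWED_HEADERS = Collections.unmodifiableList(
                Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));

        /** Methods a cross-origin client may use. */
        private static final List<String> ALLOWED_METHODS = Collections.unmodifiableList(
                Arrays.asList("POST", "GET", "OPTIONS", "DELETE", "PUT", "PATCH"));

        /** Header value for Access-Control-Allow-Methods on non-preflight responses. */
        private static final String ALLOW_METHODS_HEADER = String.join(", ", ALLOWED_METHODS);

        /** Raw {@code ;}-separated whitelist; see the class doc for the entry syntax. */
        @Value("${cors.origin.whitelist}")
        private String originWhiteList;

        private final CorsProcessor processor = new DefaultCorsProcessor();

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // nothing to set up: the whitelist is injected by Spring
        }

        /**
         * Applies the CORS policy to cross-origin requests and rejects those whose origin is
         * not whitelisted; same-origin requests pass straight through.
         *
         * @throws IOException      propagated from the filter chain
         * @throws ServletException propagated from the filter chain
         */
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            if (CorsUtils.isCorsRequest(req)) {
                if (!HttpMethod.OPTIONS.matches(req.getMethod())) {
                    // DefaultCorsProcessor only emits this header on preflight responses;
                    // kept on actual requests to preserve the existing wire behaviour.
                    res.setHeader("Access-Control-Allow-Methods", ALLOW_METHODS_HEADER);
                }
                CorsConfiguration config = buildConfiguration(req.getHeader(HttpHeaders.ORIGIN));
                // processRequest writes the CORS headers on success and a 403 on rejection;
                // a rejected request must not reach the rest of the chain.
                if (!this.processor.processRequest(config, req, res)) {
                    return;
                }
            }
            chain.doFilter(request, response);
        }

        /**
         * Builds the per-request policy. An origin outside the whitelist yields a
         * configuration with no allowed origin, which the processor rejects.
         *
         * @param origin the request's {@code Origin} header, may be {@code null}
         */
        private CorsConfiguration buildConfiguration(String origin) {
            CorsConfiguration config = new CorsConfiguration();
            if (StringUtils.isEmpty(originWhiteList) || "*".equals(originWhiteList.trim())) {
                // Wildcard policy: any origin, but never with credentials (see class doc).
                config.addAllowedOrigin(CorsConfiguration.ALL);
                config.setAllowCredentials(false);
            } else if (validateDomain(origin)) {
                config.addAllowedOrigin(origin);
                config.setAllowCredentials(true);
            }
            // Fresh mutable copies: CorsConfiguration keeps the list it is given.
            config.setAllowedHeaders(new ArrayList<>(ALLOWED_HEADERS));
            config.setAllowedMethods(new ArrayList<>(ALLOWED_METHODS));
            return config;
        }

        /**
         * Checks an {@code Origin} header value against the injected whitelist.
         *
         * @param domain the full origin, e.g. {@code https://www.example.com:8443}
         * @return whether the origin's host is whitelisted
         */
        private boolean validateDomain(String domain) {
            return isOriginAllowed(domain, originWhiteList);
        }

        /**
         * Whitelist matching on the parsed host of an origin; see the class doc for the entry
         * syntax. Package-private and static so it can be tested without a servlet container.
         *
         * @param origin    the {@code Origin} header value; {@code null}, empty, unparseable
         *                  and host-less values (such as the literal {@code null} origin sent by
         *                  sandboxed frames) are never allowed
         * @param whitelist the {@code ;}-separated entries; {@code null} or empty allows nothing
         * @return whether {@code origin} matches at least one entry
         */
        static boolean isOriginAllowed(String origin, String whitelist) {
            if (origin == null || origin.isEmpty() || whitelist == null || whitelist.isEmpty()) {
                return false;
            }
            URI parsed;
            try {
                parsed = new URI(origin);
            } catch (URISyntaxException e) {
                return false;
            }
            if (parsed.getHost() == null) {
                return false;
            }
            // Host names are case-insensitive; normalise both sides before comparing.
            String host = parsed.getHost().toLowerCase(Locale.ROOT);
            String hostAndPort = parsed.getPort() == -1 ? host : host + ":" + parsed.getPort();
            for (String rawEntry : whitelist.split(";")) {
                String entry = rawEntry.trim().toLowerCase(Locale.ROOT);
                if (entry.isEmpty()) {
                    continue;
                }
                if (entry.startsWith(".")) {
                    // ".example.com": any sub-domain of example.com, on any port.
                    if (host.endsWith(entry)) {
                        return true;
                    }
                } else if (entry.indexOf(':') >= 0 ? hostAndPort.equals(entry) : host.equals(entry)) {
                    return true;
                }
            }
            return false;
        }

        @Override
        public void destroy() {
            // nothing to release
        }
    }
}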
2.在配置文件加上白名單信息:
如:application-local.properties
cors.origin.whitelist=${CORS_ORIGIN_WHITELIST:.baidu.com;.hao123.com;localhost:3000;localhost:8080;localhost:8081}