方案一
spring中可以采用的跨域配置方式如下:
RequestMapping
在一般性的配置中,在controller前添加@CrossOrigin即可使用spring的默认配置,允许跨域
该注解也可以配置一些设定,适合针对个别的controller
@CrossOrigin方案二
webconfig的方式配置全局跨域
@Configuration
public class JxWebMvcConfiguration extends WebMvcConfigurerAdapter {
? /**
? * Cross Origin Resource Support(CORS) for the Spring MVC.
? * automatically.
? * https://my.oschina.net/wangnian/blog/689020
? * http://spring.io/guides/gs/rest-service-cors/
? */
? /* @Override
? public void addCorsMappings(CorsRegistry registry) {
? registry.addMapping("*")
? .allowedOrigins("*").exposedHeaders("x-total-count","x-auth-token")
? .allowedMethods("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE");
? }*/
}这种方式的缺陷是,filter的顺序是固定的,在引入第三方组件的时候可能会因为filter滞后,导致出错
方案三
定制Filter
@Bean
public FilterRegistrationBean corsFilter() {
? UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
? CorsConfiguration config = new CorsConfiguration();
? config.setAllowCredentials(true);
? config.addAllowedOrigin("*");
? config.addAllowedHeader("*");
? config.addAllowedMethod("*");
? source.registerCorsConfiguration("/**", config);
? FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
? bean.setOrder(0);
? return bean;
}方案3缺陷
在3中,使用zuul的时候,的确解决了跨域问题,但是spring security的filter还是在其前边,引起登录的时候不能正常捕获401错误
@Bean
? ? public Filter corsFilter() {
? ? ? ? UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
? ? ? ? CorsConfiguration config = new CorsConfiguration();
? ? ? ? config.setAllowCredentials(true);
? ? ? ? config.addAllowedOrigin("*");
? ? ? ? config.addAllowedHeader("*");
? ? ? ? config.addAllowedMethod("*");
? ? ? ? config.addExposedHeader("x-auth-token");
? ? ? ? config.addExposedHeader("x-total-count");
? ? ? ? source.registerCorsConfiguration("/**", config);
? ? ? ? return new CorsFilter(source);
? ? }
? ? @Override
? ? protected void configure(HttpSecurity httpSecurity) throws Exception { ? ? ??
? ? ? ? httpSecurity.addFilterBefore(corsFilter(), ChannelProcessingFilter.class);
? ? ? }spring security 标准Filter及其在filter chain的顺序
Alias
Filter Class
Namespace Element or Attribute
CHANNEL_FILTER
ChannelProcessingFilter
http/intercept-url@requires-channel
SECURITY_CONTEXT_FILTER
SecurityContextPersistenceFilter
http
CONCURRENT_SESSION_FILTER
ConcurrentSessionFilter
session-management/concurrency-control
HEADERS_FILTER
HeaderWriterFilter
http/headers
CSRF_FILTER
CsrfFilter
http/csrf
LOGOUT_FILTER
LogoutFilter
http/logout
X509_FILTER
X509AuthenticationFilter
http/x509
PRE_AUTH_FILTER
AstractPreAuthenticatedProcessingFilterSubclasses
N/A
CAS_FILTER
CasAuthenticationFilter
N/A
FORM_LOGIN_FILTER
UsernamePasswordAuthenticationFilter
http/form-login
BASIC_AUTH_FILTER
BasicAuthenticationFilter
http/http-basic
SERVLET_API_SUPPORT_FILTER
SecurityContextHolderAwareRequestFilter
http/@servlet-api-provision
JAAS_API_SUPPORT_FILTER
JaasApiIntegrationFilter
http/@jaas-api-provision
REMEMBER_ME_FILTER
RememberMeAuthenticationFilter
http/remember-me
ANONYMOUS_FILTER
AnonymousAuthenticationFilter
http/anonymous
SESSION_MANAGEMENT_FILTER
SessionManagementFilter
session-management
EXCEPTION_TRANSLATION_FILTER
ExceptionTranslationFilter
http
FILTER_SECURITY_INTERCEPTOR
FilterSecurityInterceptor
http
SWITCH_USER_FILTER
SwitchUserFilter
N/A
参考(4.3.6)
http://docs.spring.io/spring-security/site/docs/3.2.8.RELEASE/reference/htmlsingle/#ns-web-advanced