spring 跨域CORS Filter

方案一

spring中可以采用的跨域配置方式如下:

RequestMapping

在一般性的配置中,在controller前添加@CrossOrigin即可使用spring的默认配置,允许跨域

该注解也可以配置一些设定,适合针对个别的controller

复制代码
@CrossOrigin

方案二

webconfig的方式配置全局跨域

复制代码
@Configuration
public class JxWebMvcConfiguration extends WebMvcConfigurerAdapter {

? /**
? * Cross Origin Resource Support(CORS) for the Spring MVC.
? * automatically.
? * https://my.oschina.net/wangnian/blog/689020
? * http://spring.io/guides/gs/rest-service-cors/
? */
? /* @Override
? public void addCorsMappings(CorsRegistry registry) {
? registry.addMapping("*")
? .allowedOrigins("*").exposedHeaders("x-total-count","x-auth-token")
? .allowedMethods("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE");
? }*/
}

这种方式的缺陷是,filter的顺序是固定的,在引入第三方组件的时候可能会因为filter滞后,导致出错

方案三

定制Filter

复制代码
@Bean
public FilterRegistrationBean corsFilter() {
? UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
? CorsConfiguration config = new CorsConfiguration();
? config.setAllowCredentials(true);
? config.addAllowedOrigin("*");
? config.addAllowedHeader("*");
? config.addAllowedMethod("*");
? source.registerCorsConfiguration("/**", config);
? FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
? bean.setOrder(0);
? return bean;
}

方案3缺陷

在3中,使用zuul的时候,的确解决了跨域问题,但是spring security的filter还是在其前边,引起登录的时候不能正常捕获401错误

复制代码
@Bean
? ? public Filter corsFilter() {
? ? ? ? UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
? ? ? ? CorsConfiguration config = new CorsConfiguration();
? ? ? ? config.setAllowCredentials(true);
? ? ? ? config.addAllowedOrigin("*");
? ? ? ? config.addAllowedHeader("*");
? ? ? ? config.addAllowedMethod("*");
? ? ? ? config.addExposedHeader("x-auth-token");
? ? ? ? config.addExposedHeader("x-total-count");
? ? ? ? source.registerCorsConfiguration("/**", config);
? ? ? ? return new CorsFilter(source);
? ? }

? ? @Override
? ? protected void configure(HttpSecurity httpSecurity) throws Exception { ? ? ??
? ? ? ? httpSecurity.addFilterBefore(corsFilter(), ChannelProcessingFilter.class);
? ? ? }

spring security 标准Filter及其在filter chain的顺序

Alias

Filter Class

Namespace Element or Attribute

CHANNEL_FILTER

ChannelProcessingFilter

http/intercept-url@requires-channel

SECURITY_CONTEXT_FILTER

SecurityContextPersistenceFilter

http

CONCURRENT_SESSION_FILTER

ConcurrentSessionFilter

session-management/concurrency-control

HEADERS_FILTER

HeaderWriterFilter

http/headers

CSRF_FILTER

CsrfFilter

http/csrf

LOGOUT_FILTER

LogoutFilter

http/logout

X509_FILTER

X509AuthenticationFilter

http/x509

PRE_AUTH_FILTER

AstractPreAuthenticatedProcessingFilterSubclasses

N/A

CAS_FILTER

CasAuthenticationFilter

N/A

FORM_LOGIN_FILTER

UsernamePasswordAuthenticationFilter

http/form-login

BASIC_AUTH_FILTER

BasicAuthenticationFilter

http/http-basic

SERVLET_API_SUPPORT_FILTER

SecurityContextHolderAwareRequestFilter

http/@servlet-api-provision

JAAS_API_SUPPORT_FILTER

JaasApiIntegrationFilter

http/@jaas-api-provision

REMEMBER_ME_FILTER

RememberMeAuthenticationFilter

http/remember-me

ANONYMOUS_FILTER

AnonymousAuthenticationFilter

http/anonymous

SESSION_MANAGEMENT_FILTER

SessionManagementFilter

session-management

EXCEPTION_TRANSLATION_FILTER

ExceptionTranslationFilter

http

FILTER_SECURITY_INTERCEPTOR

FilterSecurityInterceptor

http

SWITCH_USER_FILTER

SwitchUserFilter

N/A

参考(4.3.6)

http://docs.spring.io/spring-security/site/docs/3.2.8.RELEASE/reference/htmlsingle/#ns-web-advanced

相关推荐
葫芦和十三7 小时前
图解 MongoDB 23|两地三中心:跨可用区部署怎么扛机房故障
后端·mongodb·agent
勇哥java实战分享9 小时前
PaddleOCR 太慢?我换成 RapidOCR 后,速度直接起飞
后端
苏三说技术13 小时前
LangChain4j 和 LangGraph4j,哪个更好?
后端
ServBay14 小时前
7 个AI开发中真正用得上的 MCP Server,配合Claude Code食用效果更佳
后端·claude·mcp
妙码生花14 小时前
从 PHP 到 AI + Golang,程序员自救转型手记(十五):优化细节、网络请求封装
前端·后端·ai编程
用户67570498850215 小时前
Go 语言里判断字符串为空,90% 的人都写错了!
后端·go
Flittly15 小时前
【AgentScope Java新手村系列】(16)从RAG到多路检索
java·spring boot·spring
用户67570498850215 小时前
Go 进阶必修:90% 的人都没用对的“表驱动法”
后端·go
小兔崽子去哪了15 小时前
Java 生成二维码解决方案
java·后端