Springboot升级⾄2.4.0中出现的跨域问题分析及修改⽅案问题
Springboot升级⾄2.4.0中出现的跨域问题。
在Springboot 2.4.0版本之前使⽤的是2.3.5.RELEASE,对应的Spring版本为5.2.10.RELEASE。
升级⾄2.4.0后,对应的Spring版本为5.3.1。
Springboot2.3.5.RELEASE时,我们可以使⽤CorsFilter设置跨域。
分析
版本2.3.5.RELEASE 设置跨域
设置代码如下:
@Configuration
public class ResourcesConfig implements WebMvcConfigurer {
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
// 允许访问的客户端域名
config.addAllowedOrigin("*");
// 允许服务端访问的客户端请求头
config.addAllowedHeader("*");
// 允许访问的⽅法名,GET POST等
config.addAllowedMethod("*");
// 对接⼝配置跨域设置
return new CorsFilter(source);
}
}
是允许使⽤*设置允许的Origin。
这⾥我们看⼀下类CorsFilter的源码,5.3.x版本开始,针对CorsConfiguration新增了校验
5.3.x源码分析 CorsFilter
/**
* {@link javax.servlet.Filter} to handle CORS pre-flight requests and intercept
* CORS simple and actual requests with a {@link CorsProcessor}, and to update
* the response, e.g. with CORS response headers, based on the policy matched
* through the provided {@link CorsConfigurationSource}.
*
* <p>This is an alternative to configuring CORS in the Spring MVC Java config
* and the Spring MVC XML namespace. It is useful for applications depending
* only on spring-web (not on spring-webmvc) or for security constraints that
* require CORS checks to be performed at {@link javax.servlet.Filter} level.
*
* <p>This filter could be used in conjunction with {@link DelegatingFilterProxy}
* in order to help with its initialization.
*
* @author Sebastien Deleuze
* @since 4.2
* @see <a href="/TR/cors/" rel="external nofollow" >CORS W3C recommendation</a>
* @see UrlBasedCorsConfigurationSource
*/
public class CorsFilter extends OncePerRequestFilter {
private final CorsConfigurationSource configSource;
private CorsProcessor processor = new DefaultCorsProcessor();
/**
* Constructor accepting a {@link CorsConfigurationSource} used by the filter
* to find the {@link CorsConfiguration} to use for each incoming request.
* @see UrlBasedCorsConfigurationSource
*/
public CorsFilter(CorsConfigurationSource configSource) {
}
/**
* Configure a custom {@link CorsProcessor} to use to apply the matched
* {@link CorsConfiguration} for a request.
* <p>By default {@link DefaultCorsProcessor} is used.
*/
public void setCorsProcessor(CorsProcessor processor) {
this.processor = processor;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
CorsConfiguration corsConfiguration = CorsConfiguration(request);
boolean isValid = this.processor.processRequest(corsConfiguration, request, response);
if (!isValid || CorsUtils.isPreFlightRequest(request)) {
return;
}
filterChain.doFilter(request, response);
}
}
类CorsFilter继承⾃OncePerRequestFilter,doFilterInternal⽅法会被执⾏。类中还创建了⼀个默认的处理类DefaultCorsProcessor,doFilterInternal调⽤this.processor.processRequest 往下
processRequest
@Override
@SuppressWarnings("resource")
public boolean processRequest(@Nullable CorsConfiguration config, HttpServletRequest request,
HttpServletResponse response) throws IOException {
Collection<String> varyHeaders = Headers(HttpHeaders.VARY);
if (!ains(HttpHeaders.ORIGIN)) {
response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
}
if (!ains(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD)) {
response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD);
}
if (!ains(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)) {
response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
}
if (!CorsUtils.isCorsRequest(request)) {
return true;
}
if (Header(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN) != null) {
return true;
}
boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
if (config == null) {
if (preFlightRequest) {
rejectRequest(new ServletServerHttpResponse(response));
return false;
}
else {
return true;
}
}
return handleInternal(new ServletServerHttpRequest(request), new ServletServerHttpResponse(response), config, preFlightRequest); }
进⼊最后⼀⾏
handleInternal
/**
* Handle the given request.
*/
spring framework扩展点
protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse response,
CorsConfiguration config, boolean preFlightRequest) throws IOException {
String requestOrigin = Headers().getOrigin();
String allowOrigin = checkOrigin(config, requestOrigin);
(省略...)
response.flush();
return true;
}
查看⽅法checkOrigin
checkOrigin
@Nullable
protected String checkOrigin(CorsConfiguration config, @Nullable String requestOrigin) {
return config.checkOrigin(requestOrigin);
}
Go on
checkOrigin
/**
* Check the origin of the request against the configured allowed origins.
* @param requestOrigin the origin to check
* @return the origin to use for the response, or {@code null} which
* means the request origin is not allowed
*/
@Nullable
public String checkOrigin(@Nullable String requestOrigin) {
if (!StringUtils.hasText(requestOrigin)) {
return null;
}
if (!ObjectUtils.isEmpty(this.allowedOrigins)) {
if (ains(ALL)) {
validateAllowCredentials();
return ALL;
}
for (String allowedOrigin : this.allowedOrigins) {
if (requestOrigin.equalsIgnoreCase(allowedOrigin)) {
return requestOrigin;
}
}
}
if (!ObjectUtils.isEmpty(this.allowedOriginPatterns)) {
for (OriginPattern p : this.allowedOriginPatterns) {
if (p.getDeclaredPattern().equals(ALL) || p.getPattern().matcher(requestOrigin).matches()) {
return requestOrigin;
}
}
}
return null;
}
⽅法validateAllowCredentials
validateAllowCredentials
/**
* Validate that when {@link #setAllowCredentials allowCredentials} is true,
* {@link #setAllowedOrigins allowedOrigins} does not contain the special
* value {@code "*"} since in that case the "Access-Control-Allow-Origin"
* cannot be set to {@code "*"}.
* @throws IllegalArgumentException if the validation fails
* @since 5.3
*/
public void validateAllowCredentials() {
if (this.allowCredentials == Boolean.TRUE &&
this.allowedOrigins != null && ains(ALL)) {
throw new IllegalArgumentException(
"When allowCredentials is true, allowedOrigins cannot contain the special value \"*\"" +
"since that cannot be set on the \"Access-Control-Allow-Origin\" response header. " +
"To allow credentials to a set of origins, list them explicitly " +
"or consider using \"allowedOriginPatterns\" instead.");
}
看⼀下ALL是什么
/** Wildcard representing <em>all</em> origins, methods, or headers. */
public static final String ALL = "*";
所以如果使⽤2.4.0版本,还是设置*的话,访问API接⼝就会报错:
异常
java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*"since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them ex  at org.s.CorsConfiguration.validateAllowCredentials(CorsConfiguration.java:457)
at org.s.CorsConfiguration.checkOrigin(CorsConfiguration.java:561)
at org.s.DefaultCorsProcessor.checkOrigin(DefaultCorsProcessor.java:174)
at org.s.DefaultCorsProcessor.handleInternal(DefaultCorsProcessor.java:116)
at org.s.DefaultCorsProcessor.processRequest(DefaultCorsProcessor.java:95)
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:87)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.t.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
at org.springframework.t.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.t.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at org.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
at org.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.tor.CoyoteAdapter.service(CoyoteAdapter.java:343)
at http11.Http11Processor.service(Http11Processor.java:374)
at AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at at.util.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at at.util.SocketProcessorBase.run(SocketProcessorBase.java:49)
at urrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at urrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at at.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
修改⽅式
⽅式1
不使⽤CorsFilter,直接重写⽅法addCorsMappings:
@Configuration
public class ResourcesConfig implements WebMvcConfigurer {
/**
* 跨域配置
*/
@Override
public void addCorsMappings(CorsRegistry registry) {
//对那些请求路径进⾏跨域处理
registry.addMapping("/**")
// 允许的请求头,默认允许所有的请求头
.
allowedHeaders("*")
// 允许的⽅法,默认允许GET、POST、HEAD
.allowedMethods("*")
// 探测请求有效时间,单位秒
.maxAge(1800)
// ⽀持的域
.allowedOrigins("*");
}
}
⽅式2
继续使⽤CorsFilter,使⽤官⽅推荐的allowedOriginPatterns:
(注:这⾥只是举个栗⼦…Origin的处理)
# 项⽬相关配置
project:
uiPort: 8082
basePath: localhost:${project.uiPort}
@Configuration
public class ResourcesConfig implements WebMvcConfigurer {
@Value("${project.basePath}")
private String basePath;
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
// 允许访问的客户端域名
List<String> allowedOriginPatterns = new ArrayList<>();
allowedOriginPatterns.add(basePath);
config.setAllowedOriginPatterns(allowedOriginPatterns);
//    config.addAllowedOrigin(serverPort);
// 允许服务端访问的客户端请求头
config.addAllowedHeader("*");
/
/ 允许访问的⽅法名,GET POST等
config.addAllowedMethod("*");
// 对接⼝配置跨域设置
return new CorsFilter(source);
}
}
到此这篇关于Springboot升级⾄2.4.0中出现的跨域问题分析及修改⽅案的⽂章就介绍到这了,更多相关Springboot2.4.0跨域内容请搜索以前的⽂章或继续浏览下⾯的相关⽂章希望⼤家以后多多⽀持!

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。