# SpringBoot開發中如何處理跨域請求CORS
## 一、什么是跨域請求(CORS)
### 1.1 跨域的定義
跨域(Cross-Origin Resource Sharing)是指瀏覽器出于安全考慮,限制腳本內發起的跨源HTTP請求。當協議(http/https)、域名或端口有任何不同時,就會被視為跨域請求。
### 1.2 同源策略限制
瀏覽器同源策略(Same-Origin Policy)會阻止:
- 讀取跨域資源
- 修改跨域DOM
- 發送跨域AJAX請求
### 1.3 CORS解決方案
CORS是一種W3C標準,允許服務器聲明哪些源站有權限訪問哪些資源。
## 二、SpringBoot中CORS的三種實現方式
### 2.1 使用@CrossOrigin注解
#### 2.1.1 方法級別配置
```java
@RestController
@RequestMapping("/api")
public class UserController {
@CrossOrigin(origins = "http://localhost:8080")
@GetMapping("/users")
public List<User> getUsers() {
// 業務邏輯
}
}
@CrossOrigin(origins = "http://localhost:8080", maxAge = 3600)
@RestController
@RequestMapping("/api")
public class ProductController {
// 所有方法都繼承跨域配置
}
| 參數 | 說明 | 示例 |
|---|---|---|
| origins | 允許的源列表 | “http://a.com,http://b.com” |
| methods | 允許的HTTP方法 | {RequestMethod.GET, RequestMethod.POST} |
| allowedHeaders | 允許的請求頭 | “Content-Type,Authorization” |
| exposedHeaders | 暴露的響應頭 | “X-Custom-Header” |
| maxAge | 預檢請求緩存時間(秒) | 1800 |
@Configuration
public class WebConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/api/**")
.allowedOrigins("http://localhost:8080")
.allowedMethods("GET", "POST", "PUT")
.allowCredentials(true)
.maxAge(3600);
}
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:8080");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
@RestController
public class ManualController {
@GetMapping("/manual")
public ResponseEntity<String> manualCors() {
HttpHeaders headers = new HttpHeaders();
headers.add("Access-Control-Allow-Origin", "*");
return new ResponseEntity<>("手動CORS", headers, HttpStatus.OK);
}
}
@Configuration
public class DynamicCorsConfig {
@Value("${cors.allowed-origins}")
private String[] allowedOrigins;
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurer() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
}
};
}
}
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and()
.authorizeRequests()
// 其他安全配置...
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://trusted.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
當請求滿足以下條件時會觸發OPTIONS預檢請求: 1. 使用PUT/DELETE等非簡單方法 2. 發送自定義請求頭 3. Content-Type非以下類型: - application/x-www-form-urlencoded - multipart/form-data - text/plain
現象:前端設置了withCredentials: true但請求失敗
解決:
// 服務端配置
.allowedOrigins("http://client.com") // 不能是*
.allowCredentials(true)
// 前端設置
axios.get(url, { withCredentials: true })
// 正確配置方式
registry.addMapping("/api/v1/**")
.addMapping("/api/v2/**");
配置生效優先級: 1. 方法級@CrossOrigin 2. 類級@CrossOrigin 3. 全局CORS配置
# application-prod.yml
cors:
allowed-origins: https://prod.com
allowed-methods: GET,POST
# application-dev.yml
cors:
allowed-origins: http://localhost:*
@Bean
public FilterRegistrationBean<CorsFilter> corsFilterRegistration() {
FilterRegistrationBean<CorsFilter> registration = new FilterRegistrationBean<>();
registration.setFilter(corsFilter());
registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
registration.addUrlPatterns("/*");
registration.setName("corsFilter");
return registration;
}
