項目情況:
最近做的pmdb項目是前後端分離的, 由於測試的時候是前端與後端聯調,所以出現了跨域請求的問題。瀏覽器默認會向後端發送一個Options方式的請求,根據後端的響應來判斷後端支持哪些請求方式,支持纔會真正的發送請求。
CORS介紹:
CORS(Cross-Origin Resource Sharing 跨源資源共享),當一個請求url的協議、域名、端口三者之間任意一與當前頁面地址不同即爲跨域。
在日常的項目開發時會不可避免的需要進行跨域操作,而在實際進行跨域請求時,經常會遇到類似 No 'Access-Control-Allow-Origin' header is present on the requested resource.這樣的報錯。
這樣的錯誤,一般是由於CORS跨域驗證機制設置不正確導致的。
解決方案:
註釋:本項目使用的是SprintBoot+Security+JWT+Swagger
第一步:新建CorsFilter,在過濾器中設置相關請求頭
package com.handlecar.basf_pmdb_service.filter;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class CorsFilter extends OncePerRequestFilter {
//public class CorsFilter implements Filter {
// static final String ORIGIN = "Origin";
protected void doFilterInternal(
HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
// String origin = request.getHeader(ORIGIN);
response.setHeader("Access-Control-Allow-Origin", "*");//* or origin as u prefer
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "PUT, POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
// response.setHeader("Access-Control-Allow-Headers", "content-type, authorization");
response.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With, Authorization");
response.setHeader("XDomainRequestAllowed","1");
//使前端能夠獲取到
response.setHeader("Access-Control-Expose-Headers","download-status,download-filename,download-message");
if (request.getMethod().equals("OPTIONS"))
// response.setStatus(HttpServletResponse.SC_OK);
response.setStatus(HttpServletResponse.SC_NO_CONTENT);
else
filterChain.doFilter(request, response);
}
// @Override
// public void doFilter(ServletRequest req, ServletResponse res,
// FilterChain chain) throws IOException, ServletException {
//
// HttpServletResponse response = (HttpServletResponse) res;
// //測試環境用【*】匹配,上生產環境後需要切換爲實際的前端請求地址
// response.setHeader("Access-Control-Allow-Origin", "*");
// response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
//
// response.setHeader("Access-Control-Max-Age", "0");
//
// response.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With, auth");
//
// response.setHeader("Access-Control-Allow-Credentials", "true");
//
// response.setHeader("XDomainRequestAllowed","1");
// chain.doFilter(req, res);
// }
//
// @Override
// public void destroy() {
// }
//
// @Override
// public void init(FilterConfig arg0) throws ServletException {
// }
}
註釋:這裏的Access-Control-Expose-Headers的請求頭是爲了使前端能夠獲得到後端在response中自定義的header,不設置的話,前端只能看到幾個默認顯示的header。我這裏是在使用response導出Excel的時候將文件名和下載狀態信息以自定義請求頭的形式放在了response的header裏。
第二步:在Security的配置文件中初始化CorsFilter的Bean
@Bean
public CorsFilter corsFilter() throws Exception {
return new CorsFilter();
}
第三步:在Security的配置文件中添加Filter配置,和映射配置
.antMatchers(HttpMethod.OPTIONS,"/**").permitAll()
// 除上面外的所有請求全部需要鑑權認證。 .and() 相當於標示一個標籤的結束,之前相當於都是一個標籤項下的內容
.anyRequest().authenticated().and()
.addFilterBefore(corsFilter(), UsernamePasswordAuthenticationFilter.class)
附:該配置文件
package com.handlecar.basf_pmdb_service.conf;
import com.handlecar.basf_pmdb_service.filter.CorsFilter;
import com.handlecar.basf_pmdb_service.filter.JwtAuthenticationTokenFilter;
import com.handlecar.basf_pmdb_service.security.JwtTokenUtil;
import com.handlecar.basf_pmdb_service.security.CustomAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
//import com.allcom.security.JwtTokenUtil;
@Configuration
//@EnableWebSecurity is used to enable Spring Security’s web security support and provide the Spring MVC integration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final CustomAuthenticationProvider customAuthenticationProvider;
@Autowired
public WebSecurityConfig(CustomAuthenticationProvider customAuthenticationProvider) {
this.customAuthenticationProvider = customAuthenticationProvider;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(customAuthenticationProvider);
}
@Bean
public JwtTokenUtil jwtTokenUtil(){
return new JwtTokenUtil();
}
@Bean
public CorsFilter corsFilter() throws Exception {
return new CorsFilter();
}
@Bean
public JwtAuthenticationTokenFilter authenticationTokenFilterBean() {
return new JwtAuthenticationTokenFilter();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
// 由於使用的是JWT,我們這裏不需要csrf,不用擔心csrf攻擊
.csrf().disable()
// 基於token,所以不需要session
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
//.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
// 允許對於網站靜態資源的無授權訪問
.antMatchers(
HttpMethod.GET,
"/",
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js",
"/webjars/springfox-swagger-ui/images/**","/swagger-resources/configuration/*","/swagger-resources",//swagger請求
"/v2/api-docs"
).permitAll()
// 對於獲取token的rest api要允許匿名訪問
.antMatchers("/pmdbservice/auth/**","/pmdbservice/keywords/export3").permitAll()
.antMatchers(HttpMethod.OPTIONS,"/**").permitAll()
// 除上面外的所有請求全部需要鑑權認證。 .and() 相當於標示一個標籤的結束,之前相當於都是一個標籤項下的內容
.anyRequest().authenticated().and()
.addFilterBefore(corsFilter(), UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
// 禁用緩存
httpSecurity.headers().cacheControl();
}
}