你可以通过内置的 CorsFilter 应用 CORS 支持。

:::tips 如果你试图在 Spring Security 中使用 CorsFilter,请记住,Spring Security 对 CORS 有内置支持。 :::

要配置过滤器,请向其构造函数传递一个 CorsConfigurationSource,如下例所示:

  1. CorsConfiguration config = new CorsConfiguration();
  3. // Possibly...
  4. // config.applyPermitDefaultValues()
  6. config.setAllowCredentials(true);
  7. config.addAllowedOrigin("https://domain1.com");
  8. config.addAllowedHeader("*");
  9. config.addAllowedMethod("*");
  11. UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  12. source.registerCorsConfiguration("/**", config);
  14. CorsFilter filter = new CorsFilter(source);

如何注册过滤器

这个笔者貌似暂时没有看到官方文档中有过,下面是在 ServletContext 上注册的 

  1. package cn.mrcode.study;
  3. import org.springframework.web.WebApplicationInitializer;
  4. import org.springframework.web.context.ContextLoaderListener;
  5. import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
  6. import org.springframework.web.cors.CorsConfiguration;
  7. import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
  8. import org.springframework.web.filter.CorsFilter;
  9. import org.springframework.web.servlet.DispatcherServlet;
  11. import java.util.EnumSet;
  13. import javax.servlet.DispatcherType;
  14. import javax.servlet.ServletContext;
  15. import javax.servlet.ServletRegistration;
  17. /**
  18.  * @author mrcode
  19.  */
  20. public class MyWebApplicationInitializer implements WebApplicationInitializer {
  22.     @Override
  23.     public void onStartup(ServletContext servletContext) {
  25.         // 加载 Spring web application configuration
  26.         AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
  27.         context.register(AppConfig.class);
  28.         // Manage the lifecycle of the root application context
  29.         servletContext.addListener(new ContextLoaderListener(context));
  31.         // 创建和注册 DispatcherServlet
  32.         DispatcherServlet servlet = new DispatcherServlet(context);
  33.         ServletRegistration.Dynamic registration = servletContext.addServlet("app", servlet);
  34.         registration.setLoadOnStartup(1);
  35.         registration.addMapping("/");
  36.         registration.setAsyncSupported(true);
  39.         CorsConfiguration config = new CorsConfiguration();
  41.         // Possibly...
  42.         // config.applyPermitDefaultValues()
  44.         config.setAllowCredentials(true);
  45.         config.addAllowedOrigin("*");
  46.         config.addAllowedHeader("*");
  47.         config.addAllowedMethod("*");
  49.         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  50.         source.registerCorsConfiguration("/**", config);
  51.         CorsFilter filter = new CorsFilter(source);
  53.         servletContext.addFilter("CorsFilter",filter)
  54.                 // 这里配置的是,过滤器在哪些类型上进行拦截,这里选择 request ,并对 app 这个 servlet 进行拦截
  55.                 // 因为所有的请求都是 DispatcherServlet 接管的,所以只要拦截它就可以实现全局配置了
  56.                 .addMappingForServletNames(EnumSet.of(DispatcherType.REQUEST),true,"app");
  57.     }
  58. }