跳到主要内容

跨源资源共享 (CORS)

QWen Max 中英对照 Spring’s CORS Support CORS

Spring Framework 提供了CORS的一流支持。CORS 必须在 Spring Security 之前处理,因为预检请求不包含任何 cookie(即 JSESSIONID)。如果请求不包含任何 cookie 并且 Spring Security 优先,则请求会判定用户未通过身份验证(因为请求中没有 cookie),并拒绝该请求。

确保首先处理CORS的最简单方法是使用CorsFilter。用户可以通过提供一个CorsConfigurationSourceCorsFilter与Spring Security集成。请注意,只有在存在UrlBasedCorsConfigurationSource实例时,Spring Security才会自动配置CORS。例如,以下代码将在Spring Security中集成CORS支持:

@Bean
UrlBasedCorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
java

以下列表在XML中实现同样的功能:

<http>
    <cors configuration-source-ref="corsSource"/>
    ...
</http>
<b:bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
    ...
</b:bean>
xml

如果你使用 Spring MVC 的 CORS 支持,你可以省略指定 CorsConfigurationSource,Spring Security 会使用提供给 Spring MVC 的 CORS 配置:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // if Spring MVC is on classpath and no CorsConfigurationSource is provided,
            // Spring Security will use CORS configuration provided to Spring MVC
            .cors(withDefaults())
            ...
        return http.build();
    }
}
java

以下 XML 代码实现同样的功能:

<http>
    <!-- Default to Spring MVC's CORS configuration -->
    <cors />
    ...
</http>
xml

如果你有多个 CorsConfigurationSource bean,Spring Security 不会自动为你配置 CORS 支持,这是因为它无法决定使用哪一个。如果你想为每个 SecurityFilterChain 指定不同的 CorsConfigurationSource,你可以直接将其传递给 .cors() DSL。

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    @Order(0)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .cors((cors) -> cors
                .configurationSource(apiConfigurationSource())
            )
            ...
        return http.build();
    }

    @Bean
    @Order(1)
    public SecurityFilterChain myOtherFilterChain(HttpSecurity http) throws Exception {
        http
            .cors((cors) -> cors
                .configurationSource(myWebsiteConfigurationSource())
            )
            ...
        return http.build();
    }

    UrlBasedCorsConfigurationSource apiConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("https://api.example.com"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    UrlBasedCorsConfigurationSource myWebsiteConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

}
java