网上的资料乱七八糟,大多是老版本的用法,或者是新版本的添加登录 filter 之后会出现问题,最后结合了多篇文章得出该办法。
版本
springboot: 2.0.4.RELEASE
法一
addCorsMappings 允许跨域,简单访问没问题,如果用户没登录被 filter 拦截的话,返回信息得不到,显示跨域失败,原因是 filter 直接拦截的执行在前,允许跨域执行在后,再添加一个 FilterRegistrationBean 后解决问题,注意 FilterRegistrationBean 需要设置成在最前面执行。
跨域的设置全部都在 CorsConfig 类里
跨域配置
import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import org.springframework.web.filter.CorsFilter; import org.springframework.web.servlet.config.annotation.CorsRegistry; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configuration @EnableWebMvc public class CorsConfig implements WebMvcConfigurer { private Logger logger = LoggerFactory.getLogger(getClass()); @Override public void addCorsMappings(CorsRegistry registry) { //设置允许跨域的路径 registry.addMapping("/**") //设置允许跨域请求的域名 .allowedOrigins("*") //是否允许证书 不再默认开启 .allowCredentials(true) //设置允许的方法 .allowedMethods("*") //跨域允许时间 .maxAge(3600); } @Bean public FilterRegistrationBean corsFilter() { UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); CorsConfiguration config = new CorsConfiguration(); config.setAllowCredentials(true); config.addAllowedOrigin("*"); config.addAllowedHeader("*"); config.addAllowedMethod("*"); source.registerCorsConfiguration("/**", config); FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source)); bean.setOrder(0); return bean; } }
登录 filter
package com.example.crosserver.filter;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@Component //将LoginFilter交给容器来处理。也就是让LoginFilter起作用
//这个使用来扫描@WebFilter 的让@WebFilter起作用。当然对于servlet线管注解也是可以的。
// 这个@ServletComponentScan最好卸载Apllication这个上面,通用配置。我这里因为只有一个Filter所以没有写在Application上面。
@ServletComponentScan
//针对于什么链接做过滤,filter的名称是为什么。
@WebFilter(urlPatterns = "/*", filterName = "loginFilter")
@Order(1)
public class LoginFilter implements Filter {
private Logger logger = LoggerFactory.getLogger(getClass());
private List<String> exclude = Arrays.asList("/gotoLogin", "/user/login");
private List<String> excludeEndWith = Arrays.asList(".js");
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletRequest req = (HttpServletRequest) servletRequest;
HttpServletResponse resp = (HttpServletResponse) servletResponse;
String url = req.getRequestURI().toString();
logger.info("this is MyFilter,url :" + url);
HttpSession session = req.getSession();
Map user = (Map) session.getAttribute("user");
if (user != null) {
logger.info("已经登录,放行");
chain.doFilter(request, resp);
} else {
boolean pass = false;
if(exclude.contains(url)){
pass = true;
}else{
for(String temp : excludeEndWith){
if(url.endsWith(temp)){
pass = true;
break;
}
}
}
if (pass) {
logger.info("用户在登录,放行");
chain.doFilter(request, resp);
} else {
logger.info("用户未登录,重定向");
Map res = new HashMap();
res.put("msg", "用户未登录");
resp.setContentType("application/json;charset=UTF-8");
PrintWriter out = resp.getWriter();
ObjectMapper mapper = new ObjectMapper();
String returnStr = mapper.writeValueAsString(res);
logger.info(returnStr);
out.print(returnStr);
out.flush();
out.close();
}
}
}
@Override
public void destroy() {
}
}
法二
跨域的设置一部分在 CorsConfig 类中,一部分在 filter 中,因为对于 filter 中登录失败的需要单独设置允许跨域。
package com.example.crosserver.util;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
@EnableWebMvc
public class CorsConfig implements WebMvcConfigurer {
private Logger logger = LoggerFactory.getLogger(getClass());
@Override
public void addCorsMappings(CorsRegistry registry) {
//设置允许跨域的路径
registry.addMapping("/**")
//设置允许跨域请求的域名
.allowedOrigins("*")
//是否允许证书 不再默认开启
.allowCredentials(true)
//设置允许的方法
.allowedMethods("*")
//跨域允许时间
.maxAge(3600);
}
}
filter
注意:
resp.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "*"); 不生效,把请求中的 origin 放到这里后可以了。resp.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, req.getHeader(HttpHeaders.ORIGIN));
package com.example.crosserver.filter;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@Component //将LoginFilter交给容器来处理。也就是让LoginFilter起作用
//这个使用来扫描@WebFilter 的让@WebFilter起作用。当然对于servlet线管注解也是可以的。
// 这个@ServletComponentScan最好卸载Apllication这个上面,通用配置。我这里因为只有一个Filter所以没有写在Application上面。
@ServletComponentScan
//针对于什么链接做过滤,filter的名称是为什么。
@WebFilter(urlPatterns = "/*", filterName = "loginFilter")
@Order(1)
public class LoginFilter implements Filter {
private Logger logger = LoggerFactory.getLogger(getClass());
private List<String> exclude = Arrays.asList("/gotoLogin", "/user/login");
private List<String> excludeEndWith = Arrays.asList(".js");
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletRequest req = (HttpServletRequest) servletRequest;
HttpServletResponse resp = (HttpServletResponse) servletResponse;
String url = req.getRequestURI().toString();
logger.info("this is MyFilter,url :" + url);
HttpSession session = req.getSession();
Map user = (Map) session.getAttribute("user");
if (user != null) {
logger.info("已经登录,放行");
chain.doFilter(request, resp);
} else {
boolean pass = false;
if(exclude.contains(url)){
pass = true;
}else{
for(String temp : excludeEndWith){
if(url.endsWith(temp)){
pass = true;
break;
}
}
}
if (pass) {
logger.info("用户在登录,放行");
chain.doFilter(request, resp);
} else {
//allow_origin设置成*不起作用,但是设置成原来的origin就可以了,这里很奇怪
resp.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, req.getHeader(HttpHeaders.ORIGIN));
resp.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "*");
resp.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "*");
resp.addHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "1800");
resp.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
logger.info("用户未登录,重定向");
Map res = new HashMap();
res.put("msg", "用户未登录");
resp.setContentType("application/json;charset=UTF-8");
PrintWriter out = resp.getWriter();
ObjectMapper mapper = new ObjectMapper();
String returnStr = mapper.writeValueAsString(res);
logger.info(returnStr);
out.print(returnStr);
out.flush();
out.close();
}
}
}
@Override
public void destroy() {
}
}
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于