Java API whitelist: cross-origin calls to Spring Boot HTTP endpoints and a whitelist implementation

Updated: 2023-06-22 06:46:48

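Background
The system previously exposed REST endpoints to a single-page application. At deployment time the single-page application and the system were not in the same domain, so cross-origin requests failed. Starting with version 4.2, Spring provides the @CrossOrigin annotation, which makes this problem very easy to solve.
Implementation 1
First, look at the source of @CrossOrigin (some of the leading comments have been removed):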
package org.springframework.web.bind.annotation;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.springframework.core.annotation.AliasFor;
import org.springframework.web.cors.CorsConfiguration;

/**
 * @author Russell Allen
 * @author Sebastien Deleuze
 * @author Sam Brannen
 * @since 4.2
 */
@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface CrossOrigin {

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    String[] DEFAULT_ORIGINS = { "*" };

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    String[] DEFAULT_ALLOWED_HEADERS = { "*" };

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    boolean DEFAULT_ALLOW_CREDENTIALS = true;

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    long DEFAULT_MAX_AGE = 1800;

    /**
     * Alias for {@link #origins}.
     */
    @AliasFor("origins")
    String[] value() default {};

    /**
     * List of allowed origins, e.g. {@code "http://domain1.com"}.
     * <p>The values are placed in the {@code Access-Control-Allow-Origin}
     * header of both the pre-flight response and the actual response.
     * {@code "*"} means that all origins are allowed.
     * <p>If undefined, all origins are allowed.
     * @see #value
     */
    @AliasFor("value")
    String[] origins() default {};

    /**
     * List of request headers that can be used during the actual request.
     * <p>This property controls the value of the pre-flight response's
     * {@code Access-Control-Allow-Headers} header.
     * {@code "*"} means that all headers requested by the client are allowed.
     * <p>If undefined, all requested headers are allowed.
     */
    String[] allowedHeaders() default {};

    /**
     * List of response headers that the user-agent will allow the client to access.
     * <p>This property controls the value of actual response's
     * {@code Access-Control-Expose-Headers} header.
     * <p>If undefined, an empty exposed header list is used.
     */
    String[] exposedHeaders() default {};

    /**
     * List of supported HTTP request methods, e.g.
     * {@code "{RequestMethod.GET, RequestMethod.POST}"}.
     * <p>Methods specified here override those specified via {@code RequestMapping}.
     * <p>If undefined, methods defined by {@link RequestMapping} annotation
     * are used.
     */
    RequestMethod[] methods() default {};

    /**
     * Whether the browser should include any cookies associated with the
     * domain of the request being annotated.
     * <p>Set to {@code "false"} if such cookies should not included.
     * An empty string ({@code ""}) means undefined.
     * {@code "true"} means that the pre-flight response will include the header
     * {@code Access-Control-Allow-Credentials=true}.
     * <p>If undefined, credentials are allowed.
     */
    String allowCredentials() default "";

    /**
     * The maximum age (in seconds) of the cache duration for pre-flight responses.
     * <p>This property controls the value of the {@code Access-Control-Max-Age}
     * header in the pre-flight response.
     * <p>Setting this to a reasonable value can reduce the number of pre-flight
     * request/response interactions required by the browser.
     * A negative value means undefined.
     * <p>If undefined, max age is set to {@code 1800} seconds (i.e., 30 minutes).
     */
    long maxAge() default -1;
}
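As the source above shows, the @CrossOrigin annotation can be applied to classes and to methods. By default the accessing IP (the allowed origin) is not restricted, and the validity period of a preflight request defaults to 1800 seconds. So if you do not need to specify an IP or a validity period, simply add the annotation to the class or method that needs cross-origin support:
@CrossOrigin
public JSONObject myMethod(...) {
    ...
}
But of course things are never that simple...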
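Implementation 2
The real requirement is to configure an IP whitelist in a configuration file and allow cross-origin access only from entries on that whitelist. However, annotation parameters cannot be assigned dynamically, and a parameter such as an IP address must not be hard-coded either, so I mercilessly abandoned @CrossOrigin and implemented this with a Filter instead: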
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.stereotype.Component;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
@ServletComponentScan
@WebFilter(urlPatterns = "/*", filterName = "domainFilter")
public class DomainFilter implements Filter {

    // Origin that is allowed to call the endpoints, read from the allow-origin property
    @Value("${allow-origin}")
    private String domain;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // The configured value may be a bare host or IP; an origin needs a scheme
        if (!domain.startsWith("http://") && !domain.startsWith("https://")) {
            domain = "http://" + domain;
        }
        // The same CORS headers are written on every response, whatever the caller's Origin
        response.setHeader("Access-Control-Allow-Origin", domain);
        response.setHeader("Access-Control-Allow-Methods",
                "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {
    }
}
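The filter takes effect once the @ServletComponentScan annotation is added to this class, or added to the Spring Boot startup class with parameters that cover this class's package. Don't forget to add the setting to the configuration file: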
allow-origin=10.110.16.151
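The filter above always returns the single configured value. As an added example (not code from the original article), the class below extends that idea to a comma-separated list and compares the request's Origin header against it by exact match on scheme, host and port. The class name OriginAllowlist, the comma-separated format and the host spa.example.test are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

// Added example (hypothetical class): exact-match origin allowlist from one config value.
public class OriginAllowlist {
    private final Set<String> allowed;

    public OriginAllowlist(String configValue) {
        this.allowed = Arrays.stream(configValue.split(","))
                .map(String::trim).filter(s -> !s.isEmpty())
                // Same convenience as the article's filter: a bare host means http://
                .map(s -> s.contains("://") ? s : "http://" + s)
                .map(OriginAllowlist::normalize)
                .filter(Optional::isPresent).map(Optional::get)
                .collect(Collectors.toSet());
    }

    // Reduce an origin to scheme://host[:port]; reject userinfo, path, query or fragment.
    static Optional<String> normalize(String origin) {
        try {
            URI u = new URI(origin);
            boolean hasPath = u.getPath() != null && !u.getPath().isEmpty();
            if (u.getScheme() == null || u.getHost() == null || u.getUserInfo() != null
                    || u.getQuery() != null || u.getFragment() != null || hasPath) {
                return Optional.empty();
            }
            String s = u.getScheme().toLowerCase(Locale.ROOT) + "://"
                    + u.getHost().toLowerCase(Locale.ROOT);
            return Optional.of(u.getPort() == -1 ? s : s + ":" + u.getPort());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    // Value for Access-Control-Allow-Origin, or empty when no CORS headers should be sent.
    public Optional<String> allowOriginFor(String requestOrigin) {
        return requestOrigin == null ? Optional.empty()
                : normalize(requestOrigin).filter(allowed::contains);
    }

    public static void main(String[] args) {
        // Constructed sample configuration and Origin header values
        OriginAllowlist list = new OriginAllowlist("10.110.16.151, https://spa.example.test:8443");
        for (String o : new String[] {"http://10.110.16.151", "https://spa.example.test:8443",
                "http://10.110.16.151.example.test", "null"}) {
            System.out.println(o + " -> " + list.allowOriginFor(o).orElse("(no CORS headers)"));
        }
    }
}
```

Inside a filter, pass request.getHeader("Origin") to allowOriginFor and set Access-Control-Allow-Origin, together with Vary: Origin, only when a value is returned. A prefix comparison such as startsWith would accept the third sample origin, which is why the match is on the whole normalized origin.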
