Spring @CrossOrigin注解原理是什么

问题起源

• 在Postman调用接口中，忘记设置Origin，发现@CrossOrigin未生效（响应头没有cors的）
• 在filter中设置了Access-Control-Allow-Origin发现@CrossOrigin未生效（响应头没有cors的）

原理分析

先说原理：其实很简单，就是利用spring的拦截器实现往response里添加 Access-Control-Allow-Origin等响应头信息，我们可以看下spring是怎么做的

注：这里使用的spring版本为5.0.6

我们可以先往RequestMappingHandlerMapping 的initCorsConfiguration方法打一个断点，发现方法调用情况如下

如果controller在类上标了@CrossOrigin或在方法上标了@CrossOrigin注解，则spring 在记录mapper映射时会记录对应跨域请求映射，代码如下

    protected CorsConfiguration initCorsConfiguration(Object handler, Method method, RequestMappingInfo mappingInfo) {
        HandlerMethod handlerMethod = createHandlerMethod(handler, method);
        Class<?> beanType = handlerMethod.getBeanType();
        //获取handler上的CrossOrigin 注解
        CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(beanType, CrossOrigin.class);
        //获取handler 方法上的CrossOrigin 注解
        CrossOrigin methodAnnotation = AnnotatedElementUtils.findMergedAnnotation(method, CrossOrigin.class);

        if (typeAnnotation == null && methodAnnotation == null) {
            //如果类上和方法都没标CrossOrigin 注解，则返回一个null
            return null;
        }
        //构建一个CorsConfiguration 并返回
        CorsConfiguration config = new CorsConfiguration();
        updateCorsConfig(config, typeAnnotation);
        updateCorsConfig(config, methodAnnotation);

        if (CollectionUtils.isEmpty(config.getAllowedMethods())) {
            for (RequestMethod allowedMethod : mappingInfo.getMethodsCondition().getMethods()) {
                config.addAllowedMethod(allowedMethod.name());
            }
        }
        return config.applyPermitDefaultValues();
    }

将结果返回到了AbstractHandlerMethodMapping#register，主要代码如下

    CorsConfiguration corsConfig = initCorsConfiguration(handler, method, mapping);
                if (corsConfig != null) {
        //会保存handlerMethod处理跨域请求的配置
        this.corsLookup.put(handlerMethod, corsConfig);
    }

当一个跨域请求过来时，spring在获取handler时会判断这个请求是否是一个跨域请求，如果是，则会返回一个可以处理跨域的handler

    //AbstractHandlerMapping#getHandler
    HandlerExecutionChain executionChain = getHandlerExecutionChain(handler, request);
    //如果是一个跨域请求
if (CorsUtils.isCorsRequest(request)) {
        //拿到跨域的全局配置
        CorsConfiguration globalConfig = this.globalCorsConfigSource.getCorsConfiguration(request);
        //拿到hander的跨域配置
        CorsConfiguration handlerConfig = getCorsConfiguration(handler, request);
        CorsConfiguration config = (globalConfig != null ? globalConfig.combine(handlerConfig) : handlerConfig);
        //处理跨域（即往响应头添加Access-Control-Allow-Origin信息等），并返回对应的handler对象
        executionChain = getCorsHandlerExecutionChain(request, executionChain, config);
    }

我们可以看下如何判定一个请求是一个跨域请求，（可以知道为什么没有设置origin就没有走跨域了）

    public static boolean isCorsRequest(HttpServletRequest request) {
    //判定请求头是否有Origin 属性即可
        return (request.getHeader(HttpHeaders.ORIGIN) != null);
    }

那么，CorsConfiguration在什么时候生效呢，为什么提前设置了Access-Control-Allow-Origin，@CrossOrigin就不生效了呢

源码分析

对于CorsConfiguration的解析以及处理是在DefaultCorsProcessor#processRequest中进行的：

    public boolean processRequest(@Nullable CorsConfiguration config, HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (!CorsUtils.isCorsRequest(request)) {
            return true;
        } else {
            ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
            //判断是否已经有Access-Control-Allow-Origin，有的话则不处理跨域配置
            if (this.responseHasCors(serverResponse)) {
                logger.trace("Skip: response already contains \"Access-Control-Allow-Origin\"");
                return true;
            } else {
                ServletServerHttpRequest serverRequest = new ServletServerHttpRequest(request);
                //判断是否是同源，是同源，则不处理跨域配置
                if (WebUtils.isSameOrigin(serverRequest)) {
                    logger.trace("Skip: request is from same origin");
                    return true;
                } else {
                    //是否是预检请求
                    boolean preFlightRequest = CorsUtils.isPreFlightRequest(request);
                    if (config == null) {
                        if (preFlightRequest) {
                            this.rejectRequest(serverResponse);
                            return false;
                        } else {
                            return true;
                        }
                    } else {
                        //处理跨域配置
                        return this.handleInternal(serverRequest, serverResponse, config, preFlightRequest);
                    }
                }
            }
        }
    }

判断是否已经有Access-Control-Allow-Origin的responseHasCors方法：

    private boolean responseHasCors(ServerHttpResponse response) {
        try {
            return response.getHeaders().getAccessControlAllowOrigin() != null;
        } catch (NullPointerException var3) {
            return false;
        }
    }

判断是否是同源的请求，看一下WebUtils.isSameOrigin方法：

 判断是预检查请求，看一下isPreFlightRequest方法，主要是判断是否有Origin以及Access-Control-Request-Methods是否存在：

public abstract class CorsUtils {
    public CorsUtils() {
    }

    public static boolean isCorsRequest(HttpServletRequest request) {
        return request.getHeader("Origin") != null;
    }

    public static boolean isPreFlightRequest(HttpServletRequest request) {
        return isCorsRequest(request) && HttpMethod.OPTIONS.matches(request.getMethod()) && request.getHeader("Access-Control-Request-Method") != null;
    }
}

最后，处理整个CORS配置：

    protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse response, CorsConfiguration config, boolean preFlightRequest) throws IOException {
        String requestOrigin = request.getHeaders().getOrigin();
        String allowOrigin = this.checkOrigin(config, requestOrigin);
        HttpHeaders responseHeaders = response.getHeaders();
        responseHeaders.addAll("Vary", Arrays.asList("Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"));
        if (allowOrigin == null) {
            logger.debug("Reject: '" + requestOrigin + "' origin is not allowed");
            this.rejectRequest(response);
            return false;
        } else {
            HttpMethod requestMethod = this.getMethodToUse(request, preFlightRequest);
            List<HttpMethod> allowMethods = this.checkMethods(config, requestMethod);
            if (allowMethods == null) {
                logger.debug("Reject: HTTP '" + requestMethod + "' is not allowed");
                this.rejectRequest(response);
                return false;
            } else {
                List<String> requestHeaders = this.getHeadersToUse(request, preFlightRequest);
                List<String> allowHeaders = this.checkHeaders(config, requestHeaders);
                if (preFlightRequest && allowHeaders == null) {
                    logger.debug("Reject: headers '" + requestHeaders + "' are not allowed");
                    this.rejectRequest(response);
                    return false;
                } else {
                    responseHeaders.setAccessControlAllowOrigin(allowOrigin);
                    if (preFlightRequest) {
                        responseHeaders.setAccessControlAllowMethods(allowMethods);
                    }

                    if (preFlightRequest && !allowHeaders.isEmpty()) {
                        responseHeaders.setAccessControlAllowHeaders(allowHeaders);
                    }

                    if (!CollectionUtils.isEmpty(config.getExposedHeaders())) {
                        responseHeaders.setAccessControlExposeHeaders(config.getExposedHeaders());
                    }

                    if (Boolean.TRUE.equals(config.getAllowCredentials())) {
                        responseHeaders.setAccessControlAllowCredentials(true);
                    }

                    if (preFlightRequest && config.getMaxAge() != null) {
                        responseHeaders.setAccessControlMaxAge(config.getMaxAge());
                    }

                    response.flush();
                    return true;
                }
            }
        }
    }

 

转发请注明出处：https://www.cnblogs.com/fnlingnzb-learner/p/16921420.html