本次配置基於springboot 配置:
1. 加入maven 依賴
<dependency>
<groupId>com.thetransactioncompany</groupId>
<artifactId>cors-filter</artifactId>
<version>2.6</version>
</dependency>
2. springboot 注冊 filter
import com.thetransactioncompany.cors.CORSFilter; import org.springframework.boot.context.properties.ConfigurationProperties; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; @Configuration @ConfigurationProperties(prefix = "cors") public class CorsConfiguration { private String legalClients ; public void setLegalClients(String legalClients) { this.legalClients = legalClients; } @Bean public FilterRegistrationBean someFilterRegistration() { FilterRegistrationBean registration = new FilterRegistrationBean(); registration.addInitParameter("cors.allowSubdomains","true"); // 是否開啟二級域名跨域 registration.addInitParameter("cors.allowOrigin",legalClients);// 放行的域名list 以"," 號分割 registration.addUrlPatterns("/*"); CORSFilter corsFilter= new CORSFilter(); registration.setName("CORSFilter"); registration.setFilter(corsFilter); return registration; } }
3. springboot application.yml 配置
cors: legal-clients: https://h5.shanhulicai.cn,https://p.blackfish.cn,https://depo.xwbank.com,http://omniaccount.com
完成配置。
---------------------------------------------------------------------------------------
簡單解析跨域配置原理:
1. 瀏覽器會判斷跨域訪問發送options預請,附帶header origin = http://omniaccount.com ;
2. 服務器收到 option會檢測放心原則如下:
·1)判斷是否開啟了 allowAnyOrigin = true
2) 判斷是否在允許放行的 list 列表集合內(legal-clients)
3)判斷是否開啟了允許二級域名跨域配置且請求域名在允許的列表內
服務器如果判斷為false ,會發送 403 CORS origin denied, 為true 會發送 200 ,跨域放行
3.瀏覽器判斷如果200,返回成功,繼續后續的實際請求