Springboot升级至2.4.0中出现的跨域问题，分析以及修改

最新推荐文章于 2025-04-11 17:44:39 发布

原创

最新推荐文章于 2025-04-11 17:44:39 发布 · 5.5k 阅读

18 ·

CC 4.0 BY-SA版权

文章标签：

#spring #spring boot

博客聚焦Spring Boot升级至2.4.0出现的跨域问题。对比2.3.5.RELEASE与2.4.0版本对应Spring版本，分析2.3.5.RELEASE设置跨域代码，深入剖析5.3.x源码中CorsFilter等方法。指出2.4.0版本按原设置访问API会报错，并给出两种修改方式。

问题

Springboot升级至2.4.0中出现的跨域问题。
在Springboot 2.4.0版本之前使用的是2.3.5.RELEASE，对应的Spring版本为5.2.10.RELEASE。
升级至2.4.0后，对应的Spring版本为5.3.1。
Springboot2.3.5.RELEASE时，我们可以使用CorsFilter设置跨域。

分析

版本2.3.5.RELEASE 设置跨域

设置代码如下：

@Configuration
public class ResourcesConfig implements WebMvcConfigurer {
   
   
    @Bean
    public CorsFilter corsFilter() {
   
   
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        // 允许访问的客户端域名
        config.addAllowedOrigin("*");
        // 允许服务端访问的客户端请求头
        config.addAllowedHeader("*");
        // 允许访问的方法名,GET POST等
        config.addAllowedMethod("*");
        // 对接口配置跨域设置
        source.registerCorsConfiguration("/**" , config);
        return new CorsFilter(source);
    }
}

是允许使用*设置允许的Origin。
这里我们看一下类CorsFilter的源码，5.3.x版本开始，针对CorsConfiguration新增了校验

5.3.x源码分析

CorsFilter

/**
 * {@link javax.servlet.Filter} to handle CORS pre-flight requests and intercept
 * CORS simple and actual requests with a {@link CorsProcessor}, and to update
 * the response, e.g. with CORS response headers, based on the policy matched
 * through the provided {@link CorsConfigurationSource}.
 *
 * <p>This is an alternative to configuring CORS in the Spring MVC Java config
 * and the Spring MVC XML namespace. It is useful for applications depending
 * only on spring-web (not on spring-webmvc) or for security constraints that
 * require CORS checks to be performed at {@link javax.servlet.Filter} level.
 *
 * <p>This filter could be used in conjunction with {@link DelegatingFilterProxy}
 * in order to help with its initialization.
 *
 * @author Sebastien Deleuze
 * @since 4.2
 * @see <a href="https://www.w3.org/TR/cors/">CORS W3C recommendation</a>
 * @see UrlBasedCorsConfigurationSource
 */
public class CorsFilter extends OncePerRequestFilter {
   
   

	private final CorsConfigurationSource configSource;

	private CorsProcessor processor = new DefaultCorsProcessor();


	/**
	 * Constructor accepting a {@link CorsConfigurationSource} used by the filter
	 * to find the {@link CorsConfiguration} to use for each incoming request.
	 * @see UrlBasedCorsConfigurationSource
	 */
	public CorsFilter(CorsConfigurationSource configSource) {
   
   
		Assert.notNull(configSource, "CorsConfigurationSource must not be null");
		this.configSource = configSource;
	}


	/**
	 * Configure a custom {@link CorsProcessor} to use to apply the matched
	 * {@link CorsConfiguration} for a request.
	 * <p>By default {@link DefaultCorsProcessor} is used.
	 */
	public void setCorsProcessor(CorsProcessor processor) {
   
   
		Assert.notNull(processor, "CorsProcessor must not be null");
		this.processor = processor;
	}


	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain) throws ServletException, IOException {
   
   

		CorsConfiguration corsConfiguration = this.configSource.getCorsConfiguration(request);
		boolean isValid = this.processor.processRequest(corsConfiguration, request, response);
		if (!isValid || CorsUtils.isPreFlightRequest(request