[Spring Framework] CORS ์ ์ฉํ๊ธฐ - @CrossOrigin, <mvc:cors>, Filter
CORS๋?
test2.com:8080์ฌ์ดํธ์ test.com:18080 ์ฌ์ดํธ๋ ๋๋ฉ์ธ๊ณผ ํฌํธ๊ฐ ๋ค๋ฅด๋ค. ๋ฐ๋ผ์ test.com:18080์์ test2.com:8080์ฌ์ดํธ๋ก ์์ฒญ์ ๋ณด๋ด๊ฒ ๋๋ฉด ์๋์ ๊ฐ์ ์๋ฌ๋ฅผ ๋ง๋ ์ ์๋ค.
Access to XMLHttpRequest at 'http://domain1:8080/xxxxx' from origin 'http://test.com:18080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
http://localhost:8080/test/1 ๋ฅผ ๊ธฐ์ค์ผ๋ก ๋น๊ตํด๋ณด๋ฉด
URL | ์ถ์ฒ | ๋น๊ณ |
http://localhost:8080/test/2 | ๋์ผ์ถ์ฒ | protocol, host, port ๋์ผ |
http://localhost:8080/sample | ๋์ผ์ถ์ฒ | protocol, host, port ๋์ผ |
https://localhost:8080/test | ๋ค๋ฅธ์ถ์ฒ | protocol ๋ค๋ฆ |
http://localhost:18080/test/1 | ๋ค๋ฅธ์ถ์ฒ | port ๋ค๋ฆ |
http://test.com:8080/test/1 | ๋ค๋ฅธ์ถ์ฒ | host ๋ค๋ฆ |
protocol, host, port๊ฐ ๋ชจ๋ ๋์ผํ๋ฉด ๋์ผ์ถ์ฒ์ด๊ณ , ํ๋๋ผ๋ ๊ฐ์ง ์์ผ๋ฉด ๋ค๋ฅธ์ถ์ฒ์ด๋ค.
๋์ผ์ถ์ฒ๋ SOP(Same-Origin Policy)๋ก ์น๋ธ๋ผ์ฐ์ ์์์ ๋ณด์์ ์ด์๊ฐ ์์ง๋ง ๋ค๋ฅธ์ถ์ฒ์ ๊ฒฝ์ฐ ๋ณด์์ ์ด์๋ก ์ธํด ์น๋ธ๋ผ์ฐ์ ์์์ ์๋ฌ๋ฉ์์ง๊ฐ ์ถ๋ ฅ๋๊ณ , ์ด๋ฅผ ํด๊ฒฐํ๊ธฐ ์ํด์๋ CORS๋ฅผ ์ค์ ํด์ฃผ์ด์ผ ํ๋ค.
CORS๋ Cross-Origin Resource Sharing์ ์ค์๋ง๋ก ์ง์ญํ๋ฉด '๊ต์ฐจ ์ถ์ฒ ๋ฆฌ์์ค ๊ณต์ '๋ผ๊ณ ํด์ํ ์ ์๋ค. ์ฌ๊ธฐ์ '๊ต์ฐจ ์ถ์ฒ'๋ผ๊ณ ํ๋ ๊ฒ์ '๋ค๋ฅธ ์ถ์ฒ'๋ฅผ ์๋ฏธํ๋ค. ๊ฐ๋จํ ๋งํ์๋ฉด CORS๋ ๋ค๋ฅธ ์ถ์ฒ์ ์ก์ธ์ค ํ ์ ์๊ฒํ๋ ๋ณด์ ๋ฉ์ปค๋์ฆ์ด๋ค.
test.com:18080 ์ฌ์ดํธ์์ test2.com:8080 ์ฌ์ดํธ์ ์์ธ์คํ ์ ์๋๋ก ํ๊ธฐ ์ํด์ ์๋ ๋ฐฉ๋ฒ ์ค ํ๋๋ฅผ ์ด์ฉํ์ฌ ์ค์ ํด์ผ ํ๋ค.
๋ฐฉ๋ฒ 1 - @CrossOrigin
@CrossOrigin(origins = "http://test.com")
์์ฒญ์ ๋ณด๋ด๋ client ์ฌ์ดํธ์ ๋๋ฉ์ธ์ ์ค์ ํด์ฃผ๋ฉด ๋๊ณ , Controller๋ Controller์ ๋ฉ์๋์ ์ถ๊ฐํ์ฌ ํน์ API๋ง๋ค ์ค์ ๊ฐ๋ฅํ๋ค.
Globalํ๊ฒ ์ค์ ํ๋ ค๋ฉด ๋ฐฉ๋ฒ2, ๋ฐฉ๋ฒ3์ ์ด์ฉํ๋ฉด ๋๋ค.
๋ฐฉ๋ฒ 2 - <mvc:cors>
servlet-context.xml์ ์๋ ์ฝ๋๋ฅผ ์ถ๊ฐํด์ฃผ์๋ค.
<mvc:cors>
<mvc:mapping path="/**" allowed-origins="*" allowed-methods="POST,GET" allow-credentials="true"/>
</mvc:cors>
- ํน์ ๋๋ฉ์ธ๋ง ํ์ฉํ๊ณ ์ ํ๋ค๋ฉด allowed-origins="http://test.com"๋ฅผ ์ค์ ํด์ฃผ๋ฉด ๋๋ค.
- ์ฌ๋ฌ ํน์ ๋๋ฉ์ธ์ ํ์ฉํ๊ณ ์ ํ๋ค๋ฉด allowed-origins="http://test.com, http://sample.com"๋ฅผ ์ค์ ํด์ฃผ๋ฉด ๋๋ค. (์ฝค๋ง๋ก ๊ตฌ๋ถ)
๋ฐฉ๋ฒ 3 - Filter
<filter>
<filter-name>corsFilter</filter-name>
<filter-class>com.dreamsecurity.framework.filter.CorsFilter</filter-class>
<init-param>
<param-name>allow-origin</param-name>
<param-value>http://sample.com:28080, http://test.com:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>corsFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
public class CorsFilter implements Filter{
Logger logger = LogManager.getLogger(CorsFilter.class.getName());
private String allowOrigin;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.allowOrigin = (String)filterConfig.getInitParameter("allow-origin");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if(allowOrigin != null) {
String[] allowOrigins = allowOrigin.split(",");
boolean isAllowOrigin = false;
for(String origin : allowOrigins) {
if(origin.equals(request.getHeader("Origin"))) {
isAllowOrigin = true;
break;
}
}
if(isAllowOrigin) {
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Credentials", "true"); //์ฟ ํค ์์ฒญ์ ํ์ฉ
response.setHeader("Access-Control-Allow-Methods","POST, GET"); //ํ์ฉํ HTTP ๋ฉ์๋
response.setHeader("Access-Control-Allow-Headers", "*"); //์์ฒญ์ ํ์ฉํ ํค๋
chain.doFilter(req, res);
}
}
}
@Override
public void destroy() {
// TODO Auto-generated method stub
}
}
๊ทธ๋ฆฌ๊ณ ์ธํฐ์ ํฐ๋ก ์ฒ๋ฆฌํ๋ ๋ฐฉ๋ฒ๋ ์๋ค๊ณ ํ๋ค.
Spring Boot์์ ์ฃผ๋ก WebMvcConfigurer ์์ cors ์ค์ ์ ํ๋๋ฐ ์ด๋ ์ถํ ํฌ์คํ ํ๋๊ฑธ๋ก..!