背景

系统之前为一个单页应用提供过Rest接口，部署时这个单页应用与系统不在同一域内，出现跨域无法访问的问题。Spring 从 4.2 版本开始提供了@CrossOrigin注解，让这个问题的解决变得非常简单。

实现一

首先看下@CrossOrigin的源码（删掉了开头的部分注释）：

package org.springframework.web.bind.annotation;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.springframework.core.annotation.AliasFor;
import org.springframework.web.cors.CorsConfiguration;

/**
 * @author Russell Allen
 * @author Sebastien Deleuze
 * @author Sam Brannen
 * @since 4.2
 */
@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface CrossOrigin {

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    String[] DEFAULT_ORIGINS = { "*" };

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    String[] DEFAULT_ALLOWED_HEADERS = { "*" };

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    boolean DEFAULT_ALLOW_CREDENTIALS = true;

    /**
     * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
     */
    @Deprecated
    long DEFAULT_MAX_AGE = 1800;


    /**
     * Alias for {@link #origins}.
     */
    @AliasFor("origins")
    String[] value() default {};

    /**
     * List of allowed origins, e.g. {@code "http://domain1.com"}.
     * <p>These values are placed in the {@code Access-Control-Allow-Origin}
     * header of both the pre-flight response and the actual response.
     * {@code "*"} means that all origins are allowed.
     * <p>If undefined, all origins are allowed.
     * @see #value
     */
    @AliasFor("value")
    String[] origins() default {};

    /**
     * List of request headers that can be used during the actual request.
     * <p>This property controls the value of the pre-flight response's
     * {@code Access-Control-Allow-Headers} header.
     * {@code "*"}  means that all headers requested by the client are allowed.
     * <p>If undefined, all requested headers are allowed.
     */
    String[] allowedHeaders() default {};

    /**
     * List of response headers that the user-agent will allow the client to access.
     * <p>This property controls the value of actual response's
     * {@code Access-Control-Expose-Headers} header.
     * <p>If undefined, an empty exposed header list is used.
     */
    String[] exposedHeaders() default {};

    /**
     * List of supported HTTP request methods, e.g.
     * {@code "{RequestMethod.GET, RequestMethod.POST}"}.
     * <p>Methods specified here override those specified via {@code RequestMapping}.
     * <p>If undefined, methods defined by {@link RequestMapping} annotation
     * are used.
     */
    RequestMethod[] methods() default {};

    /**
     * Whether the browser should include any cookies associated with the
     * domain of the request being annotated.
     * <p>Set to {@code "false"} if such cookies should not included.
     * An empty string ({@code ""}) means <em>undefined</em>.
     * {@code "true"} means that the pre-flight response will include the header
     * {@code Access-Control-Allow-Credentials=true}.
     * <p>If undefined, credentials are allowed.
     */
    String allowCredentials() default "";

    /**
     * The maximum age (in seconds) of the cache duration for pre-flight responses.
     * <p>This property controls the value of the {@code Access-Control-Max-Age}
     * header in the pre-flight response.
     * <p>Setting this to a reasonable value can reduce the number of pre-flight
     * request/response interactions required by the browser.
     * A negative value means <em>undefined</em>.
     * <p>If undefined, max age is set to {@code 1800} seconds (i.e., 30 minutes).
     */
    long maxAge() default -1;
}

从上面源码中可以看到，@CrossOrigin注解支持用于类和方法，访问IP默认为不限制，预检请求的有效期默认为1800秒，所以如不需指定IP和有效期，直接给需要支持跨域的类或方法添加注解即可：

@CrossOrigin
public JSONObject myMethod(...) {
    ...
}

但是事情肯定不会这么简单。。。

实现二

真正的需求是要通过配置文件配置IP白名单，白名单内允许跨域访问。然鹅，由于注解的参数无法动态赋值，IP地址这种参数也不能硬编码，所以@CrossOrigin就被我无情的抛弃了，转而通过Filter来实现：

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.stereotype.Component;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

@Component
@ServletComponentScan
@WebFilter(urlPatterns = "/*", filterName = "domainFilter")
public class DomainFilter implements Filter {

    @Value("${allow-origin}")
    private String domain;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!domain.startsWith("http://") && !domain.startsWith("https://")) {
            domain = "http://" + domain;
        }
        response.setHeader("Access-Control-Allow-Origin", domain);
        response.setHeader("Access-Control-Allow-Methods",
                "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {

    }
}

在本类添加@ServletComponentScan注解，或在Spring Boot启动类添加注解并配置参数覆盖到本类路径，即可生效。
别忘了在配置文件中添加配置项：

allow-origin=10.110.16.151