// 方法級別跨域配置
@RestController
public class ProductController {
    
    @CrossOrigin(origins = "http://localhost:3000")
    @GetMapping("/products")
    public List<Product> getProducts() {
        // 業(yè)務(wù)邏輯
    }
}

// 類級別跨域配置
@CrossOrigin(origins = "http://trusted-domain.com", maxAge = 3600)
@RestController
@RequestMapping("/api/v2")
public class OrderController {
    // 所有方法繼承類級別跨域配置
}

@Configuration
public class GlobalCorsConfig implements WebMvcConfigurer {
    
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // 公共API配置
        registry.addMapping("/api/public/**")
            .allowedOrigins("*")
            .allowedMethods("GET", "POST")
            .maxAge(1800);
            
        // 管理后臺API配置
        registry.addMapping("/api/admin/**")
            .allowedOrigins("https://admin.example.com")
            .allowedMethods("*")
            .allowCredentials(true)
            .exposedHeaders("X-Auth-Token");
    }
}

@Configuration
@RefreshScope
public class DynamicCorsConfig implements WebMvcConfigurer {
    
    @Value("${cors.allowed-origins}")
    private String[] allowedOrigins;
    
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
            .allowedOrigins(allowedOrigins)
            // 其他配置...
    }
}

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CustomCorsFilter implements Filter {
    
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) 
        throws IOException, ServletException {
        
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        
        // 動態(tài)源檢測
        String origin = request.getHeader("Origin");
        if (isAllowedOrigin(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
            response.setHeader("Access-Control-Expose-Headers", "X-Custom-Header");
            response.setHeader("Access-Control-Allow-Credentials", "true");
        }
        
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }
    
    private boolean isAllowedOrigin(String origin) {
        // 實現(xiàn)源驗證邏輯
    }
}

@Bean
public FilterRegistrationBean<CustomCorsFilter> corsFilterRegistration() {
    FilterRegistrationBean<CustomCorsFilter> registration = 
        new FilterRegistrationBean<>(new CustomCorsFilter());
    registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
    registration.setName("customCorsFilter");
    return registration;
}

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors(withDefaults())  // 啟用默認CORS配置
            .csrf().disable()      // 根據(jù)需求決定是否禁用CSRF
            .authorizeRequests()
            .antMatchers("/api/public/**").permitAll()
            .anyRequest().authenticated();
    }
    
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.setAllowCredentials(true);
        
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .cors().configurationSource(corsConfigurationSource())
            .and()
            .authorizeRequests()
            .antMatchers("/api/**").authenticated();
    }
    
    // CORS配置同上
}

@RestController
@RequestMapping("/dynamic")
public class DynamicCorsController {
    
    @GetMapping("/resource")
    public ResponseEntity<Resource> getResource(
            @RequestParam String token,
            HttpServletRequest request) {
        
        HttpHeaders headers = new HttpHeaders();
        if (isValidToken(token)) {
            headers.setAccessControlAllowOrigin(request.getHeader("Origin"));
            headers.setAccessControlAllowCredentials(true);
        } else {
            headers.setAccessControlAllowOrigin("https://trusted.example.com");
        }
        
        return ResponseEntity.ok()
            .headers(headers)
            .body(createResource());
    }
}

@RestController
public class PreflightController {
    
    @RequestMapping(value = "/complex", method = {RequestMethod.OPTIONS, RequestMethod.GET})
    public ResponseEntity<?> handleComplexRequest(HttpServletRequest request) {
        if (HttpMethod.OPTIONS.matches(request.getMethod())) {
            HttpHeaders headers = new HttpHeaders();
            headers.setAccessControlAllowOrigin("*");
            headers.setAccessControlAllowMethods(Arrays.asList("GET", "POST", "PUT"));
            return ResponseEntity.ok().headers(headers).build();
        }
        
        // 正常業(yè)務(wù)處理
        return ResponseEntity.ok("Complex Response");
    }
}

# application.yml
spring:
  cloud:
    gateway:
      globalcors:
        cors-configurations:
          '[/**]':
            allowedOrigins: "https://example.com"
            allowedMethods: "*"
            allowedHeaders: "*"
            allowCredentials: true
            maxAge: 3600

spring:
  cloud:
    gateway:
      routes:
      - id: product-service
        uri: lb://product-service
        predicates:
        - Path=/api/products/**
        filters:
        - name: Cors
          args:
            allowedOrigins: https://web.example.com
            allowedMethods: GET,POST
            
      - id: admin-service
        uri: lb://admin-service
        predicates:
        - Path=/api/admin/**
        filters:
        - name: Cors
          args:
            allowedOrigins: https://admin.example.com
            allowedMethods: "*"

server {
    listen 80;
    server_name api.example.com;
    
    location / {
        # 跨域配置
        add_header 'Access-Control-Allow-Origin' 'https://web.example.com';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,Content-Type';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        add_header 'Access-Control-Allow-Credentials' 'true';
        
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        
        proxy_pass http://springboot-app:8080;
    }
}

map $http_origin $cors_origin {
    default "";
    "~^https://(.*\.)?example\.com$" $http_origin;
    "~^http://localhost(:[0-9]+)?$" $http_origin;
}

server {
    # ...
    add_header 'Access-Control-Allow-Origin' $cors_origin;
}

@RestController
@CrossOrigin(origins = "*", allowedHeaders = "*")
public class ReactiveController {
    
    @GetMapping("/flux")
    public Flux<Data> getFluxData() {
        return dataService.streamData();
    }
}

@Configuration
public class GlobalCorsConfig implements WebFluxConfigurer {
    
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
            .allowedOrigins("https://example.com")
            .allowedMethods("GET", "POST")
            .maxAge(3600);
    }
}

@Configuration
public class RouterConfig {
    
    @Bean
    public RouterFunction<ServerResponse> route(Handler handler) {
        return RouterFunctions.route()
            .GET("/functional", handler::handle)
            .filter((request, next) -> {
                ServerResponse response = next.handle(request);
                return response
                    .header("Access-Control-Allow-Origin", "*")
                    .header("Access-Control-Allow-Methods", "GET");
            })
            .build();
    }
}

@Configuration
public class ActuatorCorsConfig {
    
    @Bean
    public WebMvcConfigurer actuatorCorsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/actuator/**")
                    .allowedOrigins("https://monitor.example.com")
                    .allowedMethods("GET")
                    .allowCredentials(true);
            }
        };
    }
}

@Configuration
public class HybridCorsConfig implements WebMvcConfigurer {
    
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // API接口配置
        registry.addMapping("/api/**")
            .allowedOrigins("https://external.example.com")
            .allowedMethods("*");
            
        // 內(nèi)部Web接口配置
        registry.addMapping("/web/**")
            .allowedOrigins("https://portal.example.com")
            .allowCredentials(true);
    }
}

@Configuration
public class ResourceConfig implements WebMvcConfigurer {
    
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")
            .addResourceLocations("classpath:/static/")
            .setCachePeriod(3600)
            .resourceChain(true)
            .addResolver(new PathResourceResolver() {
                @Override
                protected Resource getResource(String resourcePath, 
                    Resource location) throws IOException {
                    Resource requestedResource = location.createRelative(resourcePath);
                    return requestedResource.exists() && requestedResource.isReadable() 
                        ? requestedResource : new ClassPathResource("/static/index.html");
                }
            });
    }
}

// 基于租戶標識的動態(tài)CORS配置
public class TenantAwareCorsFilter implements Filter {
    
    @Autowired
    private TenantConfigRepository configRepo;
    
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) 
        throws IOException, ServletException {
        
        HttpServletRequest request = (HttpServletRequest) req;
        String tenantId = extractTenantId(request);
        TenantConfig config = configRepo.findByTenantId(tenantId);
        
        if (config != null) {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("Access-Control-Allow-Origin", config.getAllowedOrigin());
            // 其他動態(tài)配置...
        }
        
        chain.doFilter(req, res);
    }
}

@Configuration
public class ClientSpecificCorsConfig implements WebMvcConfigurer {
    
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // 移動端API配置
        registry.addMapping("/api/mobile/**")
            .allowedOrigins("https://mobile-app.example.com")
            .allowedMethods("GET", "POST")
            .exposedHeaders("X-App-Version");
            
        // Web端API配置
        registry.addMapping("/api/web/**")
            .allowedOrigins("https://portal.example.com")
            .allowCredentials(true)
            .maxAge(86400);
    }
}

@RestController
@RequestMapping("/canary")
public class CanaryApiController {
    
    @GetMapping("/feature")
    public ResponseEntity<?> getFeature(
            @RequestHeader("Origin") String origin,
            @RequestParam String version) {
        
        HttpHeaders headers = new HttpHeaders();
        if ("v2".equals(version) && origin.endsWith(".beta.example.com")) {
            headers.setAccessControlAllowOrigin(origin);
        } else {
            headers.setAccessControlAllowOrigin("https://prod.example.com");
        }
        
        return ResponseEntity.ok()
            .headers(headers)
            .body(canaryService.getFeature(version));
    }
}

map $http_origin $cors_header {
    default "";
    "~^https://(.*\.)?example\.com$" "$http_origin";
}

server {
    # 使用變量減少配置重復(fù)
    add_header 'Access-Control-Allow-Origin' $cors_header always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Max-Age' '86400' always;
}

spring:
  cloud:
    gateway:
      default-filters:
        - name: RequestRateLimiter
          args:
            redis-rate-limiter.replenishRate: 100
            redis-rate-limiter.burstCapacity: 200
        - name: CircuitBreaker
          args:
            name: corsFallback
            fallbackUri: forward:/fallback/cors

public class OriginValidator {
    private static final Pattern DOMAIN_PATTERN = 
        Pattern.compile("^https://([a-z0-9]+[.])*example[.]com$");
    
    public static boolean isValid(String origin) {
        return origin != null && DOMAIN_PATTERN.matcher(origin).matches();
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().configurationSource(corsConfigurationSource()).and()
            .csrf(csrf -> csrf
                .ignoringAntMatchers("/api/public/**")
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeRequests()
            // 其他配置...
    }
}

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .headers(headers -> headers
            .contentSecurityPolicy(csp -> csp
                .policyDirectives("default-src 'self'; script-src 'self' https://trusted.cdn.com"))
            .frameOptions().sameOrigin()
            .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000))
        // 其他配置...
    return http.build();
}