在过滤器里面添加头就可以了,但是会碰到下面的问题:
. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.
当前端请求有参数:
withCredentials: true的时候会出现上述问题,因为浏览器的安全策略,当允许 credentials 的时候,Access-Control-Allow-Origin 值不能是*,而必须是一个指定的域名, 那么如何针对不同的访问设定对应的跨源允许域呢?
HTTP 中的Referer能很好地实现该需求,当在一个域下发起一个 CORS 请求时,HTTP 请求头的 Referer 值会自动被设置为当前页面域,此时只要在服务器端读取 Referer 值,构造出相应的 Access-Control-Allow-Origin 值即可,参考下面代码
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
String referer = req.getHeader("referer");
HttpServletResponse res = (HttpServletResponse) response;
if (!StringUtils.isEmpty(referer)) {
try {
res.setHeader("Access-Control-Allow-Origin", getHost(referer));
} catch (Exception e) {
log.error(e.getMessage(), e);
res.setHeader("Access-Control-Allow-Origin", "*");
}
} else {
res.setHeader("Access-Control-Allow-Origin", "*");
}
res.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
res.setHeader("Access-Control-Max-Age", "3600");
res.setHeader("Access-Control-Allow-Headers", "Content-Type, token, nonce, signature, uid");
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
// 防止流读取一次后就没有了, 所以需要将流继续写出去
ServletRequest requestWrapper = new BodyReaderHttpServletRequestWrapper(httpServletRequest);
chain.doFilter(requestWrapper, response);
}
private String getHost(String referer) {
String split = "/";
String[] ss = referer.split(split);
return ss[0] + split + ss[1] + split + ss[2];
}
网友评论