springmvc解决跨域问题
第一种方法:
跨域实现类
- package com.sq.filter;
- import org.springframework.stereotype.Component;
- import javax.servlet.*;
- import javax.servlet.http.HttpServlet;
- import javax.servlet.http.HttpServletResponse;
- import java.io.IOException;
- @Component
- public class AccessFilter extends HttpServlet implements Filter {
- private static final long serialVersionUID = 1L;
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- }
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- HttpServletResponse httpResponse = (HttpServletResponse) response;
- httpResponse.setHeader("Access-Control-Allow-Origin", "*");
- httpResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
- httpResponse.setHeader("Access-Control-Max-Age", "1800");
- httpResponse.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
- httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
- chain.doFilter(request, httpResponse);
- }
- }
- <filter>
- <filter-name>crosfilter-name>
- <filter-class>com.sq.filter.AccessFilterfilter-class>
- filter>
- <filter-mapping>
- <filter-name>crosfilter-name>
- <url-pattern>/*url-pattern>
- filter-mapping>
第二种方法:
cros跨域配置
前端应用为静态站点且部署在http://web.xxx.com域下,后端应用发布REST API并部署在http://api.xxx.com域下,如何使前端应用通过AJAX跨域访问后端应用呢?这需要使用到CORS技术来实现,这也是目前最好的解决方案了。
[CORS全称为Cross Origin Resource Sharing(跨域资源共享),服务端只需添加相关响应头信息,即可实现客户端发出AJAX跨域请求。]
CORS技术非常简单,易于实现,目前绝大多数浏览器均已支持该技术(IE8浏览器也支持了),服务端可通过任何编程语言来实现,只要能将CORS响应头写入response对象中即可。
下面我们继续扩展REST框架,通过CORS技术实现AJAX跨域访问。
首先,我们需要编写一个Filter,用于过滤所有的HTTP请求,并将CORS响应头写入response对象中,代码如下:
- public class CorsFilter implements Filter {
- private String allowOrigin;
- private String allowMethods;
- private String allowCredentials;
- private String allowHeaders;
- private String exposeHeaders;
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- allowOrigin = filterConfig.getInitParameter("allowOrigin");
- allowMethods = filterConfig.getInitParameter("allowMethods");
- allowCredentials = filterConfig.getInitParameter("allowCredentials");
- allowHeaders = filterConfig.getInitParameter("allowHeaders");
- exposeHeaders = filterConfig.getInitParameter("exposeHeaders");
- }
- @Override
- public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
- HttpServletRequest request = (HttpServletRequest) req;
- HttpServletResponse response = (HttpServletResponse) res;
- if (StringUtil.isNotEmpty(allowOrigin)) {
- List
allowOriginList = Arrays.asList(allowOrigin.split(",")); - if (CollectionUtil.isNotEmpty(allowOriginList)) {
- String currentOrigin = request.getHeader("Origin");
- if (allowOriginList.contains(currentOrigin)) {
- response.setHeader("Access-Control-Allow-Origin", currentOrigin);
- }
- }
- }
- if (StringUtil.isNotEmpty(allowMethods)) {
- response.setHeader("Access-Control-Allow-Methods", allowMethods);
- }
- if (StringUtil.isNotEmpty(allowCredentials)) {
- response.setHeader("Access-Control-Allow-Credentials", allowCredentials);
- }
- if (StringUtil.isNotEmpty(allowHeaders)) {
- response.setHeader("Access-Control-Allow-Headers", allowHeaders);
- }
- if (StringUtil.isNotEmpty(exposeHeaders)) {
- response.setHeader("Access-Control-Expose-Headers", exposeHeaders);
- }
- chain.doFilter(req, res);
- }
- @Override
- public void destroy() {
- }
- }
- Access-Control-Allow-Origin:允许访问的客户端域名,例如:http://web.xxx.com,若为*,则表示从任意域都能访问,即不做任何限制。
- Access-Control-Allow-Methods:允许访问的方法名,多个方法名用逗号分割,例如:GET,POST,PUT,DELETE,OPTIONS。
- Access-Control-Allow-Credentials:是否允许请求带有验证信息,若要获取客户端域下的cookie时,需要将其设置为true。
- Access-Control-Allow-Headers:允许服务端访问的客户端请求头,多个请求头用逗号分割,例如:Content-Type。
- Access-Control-Expose-Headers:允许客户端访问的服务端响应头,多个响应头用逗号分割。
需要注意的是,CORS规范中定义Access-Control-Allow-Origin只允许两种取值,要么为*,要么为具体的域名,也就是说,不支持同时配置多个域名。为了解决跨多个域的问题,需要在代码中做一些处理,这里将Filter初始化参数作为一个域名的集合(用逗号分隔),只需从当前请求中获取Origin请求头,就知道是从哪个域中发出的请求,若该请求在以上允许的域名集合中,则将其放入Access-Control-Allow-Origin响应头,这样跨多个域的问题就轻松解决了。
以下是web.xml中配置CorsFilter的方法:
- <filter>
- <filter-name>corsFilterfilter-name>
- <filter-class>com.xxx.api.cors.CorsFilterfilter-class>
- <init-param>
- <param-name>allowOriginparam-name>
- <param-value>http://web.xxx.comparam-value>
- init-param>
- <init-param>
- <param-name>allowMethodsparam-name>
- <param-value>GET,POST,PUT,DELETE,OPTIONSparam-value>
- init-param>
- <init-param>
- <param-name>allowCredentialsparam-name>
- <param-value>trueparam-value>
- init-param>
- <init-param>
- <param-name>allowHeadersparam-name>
- <param-value>Content-Typeparam-value>
- init-param>
- filter>
- <filter-mapping>
- <filter-name>corsFilterfilter-name>
- <url-pattern>/*url-pattern>
- filter-mapping>
第三种方法:
try {
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
// 跨域
String origin = httpRequest.getHeader("Origin");
if (origin == null) {
httpResponse.addHeader("Access-Control-Allow-Origin", "*");
} else {
httpResponse.addHeader("Access-Control-Allow-Origin", origin);
}
httpResponse.addHeader("Access-Control-Allow-Headers", "Origin, x-requested-with, Content-Type, Accept,X-Cookie");
httpResponse.addHeader("Access-Control-Allow-Credentials", "true");
httpResponse.addHeader("Access-Control-Allow-Methods", "GET,POST,PUT,OPTIONS,DELETE");
if ( httpRequest.getMethod().equals("OPTIONS") ) {
httpResponse.setStatus(HttpServletResponse.SC_OK);
return;
}
chain.doFilter(request, response);
} catch (Exception e) {
errorLogger.error("Exception in crossDomainFilter.doFilter", e);
throw e;
}
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
// 跨域
String origin = httpRequest.getHeader("Origin");
if (origin == null) {
httpResponse.addHeader("Access-Control-Allow-Origin", "*");
} else {
httpResponse.addHeader("Access-Control-Allow-Origin", origin);
}
httpResponse.addHeader("Access-Control-Allow-Headers", "Origin, x-requested-with, Content-Type, Accept,X-Cookie");
httpResponse.addHeader("Access-Control-Allow-Credentials", "true");
httpResponse.addHeader("Access-Control-Allow-Methods", "GET,POST,PUT,OPTIONS,DELETE");
if ( httpRequest.getMethod().equals("OPTIONS") ) {
httpResponse.setStatus(HttpServletResponse.SC_OK);
return;
}
chain.doFilter(request, response);
} catch (Exception e) {
errorLogger.error("Exception in crossDomainFilter.doFilter", e);
throw e;
}
第四种方法(不过没有经过实际验证):
spring mvc 支持options方法
在web.xml中,添加
- <init-param>
- <param-name>dispatchOptionsRequestparam-name>
- <param-value>trueparam-value>
- init-param>
添加后
- <servlet>
- <servlet-name>springdispatcherservlet-name>
- <servlet-class>org.springframework.web.servlet.DispatcherServletservlet-class>
- <init-param>
- <param-name>contextConfigLocationparam-name>
- <param-value>classpath:springMvc-viewresolver.xmlparam-value>
- init-param>
- <init-param>
- <param-name>dispatchOptionsRequestparam-name>
- <param-value>trueparam-value>
- init-param>
- <load-on-startup>1load-on-startup>
- servlet>