servlet过滤器实现跨域Access-Control-Allow-Origin

1.定义过滤器接口Filter的实现类,实现类中修改respone的头信息,把 “Access-Control-Allow-Origin” 的域名修改问请求方的域名,如下:

package filter;  

import java.io.IOException;  

import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletResponse;  


public class CORSFilter implements Filter {  

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {  
        HttpServletResponse response = (HttpServletResponse) res;  
        response.setHeader("Access-Control-Allow-Origin", "<请求方域名如:http://www.sohu.com>");  
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");  
        response.setHeader("Access-Control-Max-Age", "3600");  
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, Content-Type");  
        response.setHeader("Access-Control-Allow-Credentials", "true");  
        chain.doFilter(req, res);  
    }  

    public void init(FilterConfig filterConfig) {}  

    public void destroy() {}  

}

2.在web.xml中配置此过滤器:

<filter>  
    <filter-name>CORSFilterfilter-name>  
    <filter-class>com.exiao.platform.api.supplier.filter.CORSFilterfilter-class>  
filter> 

为了防止CSRF攻击:

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String curOrigin = request.getHeader("Origin");
        LOGGER.info("当前访问来源是:{}", curOrigin);
        // 从列表中获取,可以将数据放入缓存
        if (corsOriginList.contains(curOrigin)) {
            response.setHeader("Access-Control-Allow-Origin", curOrigin);
        } else {
            return ;
        }

        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
        chain.doFilter(req, res);
    }

你可能感兴趣的:(java_web)