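I won't spend much time introducing the cross-origin problem itself.

Ways to solve the cross-origin problem (only the first one is covered briefly here):

CORS is a W3C standard whose full name is "Cross-origin resource sharing". It allows the browser to send XMLHttpRequest requests to a cross-origin server, which overcomes the restriction that AJAX can only be used same-origin.

Essentially all current browsers implement the CORS standard, and almost all browser AJAX requests today are based on the CORS mechanism; front-end developers just may not pay attention to it in day-to-day work (so today a CORS solution is mainly a question of how the back end should implement it).

All of these approaches solve the problem of an AJAX request for an ordinary file being denied because of cross-origin restrictions.

Here is the simplest way to use CORS:
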
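    import java.io.IOException;
    import javax.servlet.Filter;          // use jakarta.servlet.* on Spring Boot 3+
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpStatus;

    @Configuration
    public class CorsFilterConfig { // wrapper class name is assumed; the post shows only the methods
        private static final Logger log = LoggerFactory.getLogger(CorsFilterConfig.class);

        @Bean
        public FilterRegistrationBean registFilter() {
            FilterRegistrationBean registration = new FilterRegistrationBean();
            registration.setFilter(new Filter() {
                @Override
                public void init(FilterConfig filterConfig) throws ServletException {
                    log.info("过滤器init!");
                }

                @Override
                public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                        throws IOException, ServletException {
                    HttpServletRequest req = (HttpServletRequest) request;
                    HttpServletResponse resp = (HttpServletResponse) response;
                    allowCrossAccess(req, resp);
                    // If this is a preflight (OPTIONS) request, answer it here and stop
                    if ("OPTIONS".equals(req.getMethod())) {
                        System.out.println(req.getMethod());
                        resp.setStatus(HttpStatus.OK.value());
                        return;
                    }
                    chain.doFilter(request, response);
                }

                @Override
                public void destroy() {
                    log.info("过滤器destroy!");
                }
            });
            return registration;
        }

        protected void allowCrossAccess(HttpServletRequest request, HttpServletResponse response) {
            // Note: browsers reject credentialed requests when Access-Control-Allow-Origin is "*".
            String allowOrigin = "*";
            // Echoing the Origin header back together with Allow-Credentials: true lets any site
            // read authenticated responses; check it against an allowlist before using it.
            // String allowOrigin = request.getHeader("Origin");
            String allowMethods = "GET,PUT,OPTIONS,POST,DELETE";
            String allowHeaders = "authorization,Origin,No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified,Cache-Control, Expires, Content-Type, X-E4M-With";
            response.addHeader("Access-Control-Allow-Credentials", "true");
            response.addHeader("Access-Control-Allow-Headers", allowHeaders);
            response.addHeader("Access-Control-Allow-Methods", allowMethods);
            response.addHeader("Access-Control-Allow-Origin", allowOrigin);
            response.addHeader("Access-Control-Max-Age", "1800"); // 30 min
        }
    }
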
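An added example, not code from the original post: the header logic of `allowCrossAccess` with an exact-match origin allowlist in place of `*`, since browsers refuse credentialed responses when `Access-Control-Allow-Origin` is `*` and echoing an unchecked `Origin` with credentials exposes authenticated responses to every site. The class name `CorsPolicy`, the `headersFor` helper, the shortened header list and the sample requests are assumptions; the allowlist reuses the two origins from the cors-filter configuration on this page.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CorsPolicy { // hypothetical helper, plain Java so it runs without a servlet container
    // Exact-match allowlist (the two origins from the cors-filter config on this page).
    static final Set<String> ALLOWED_ORIGINS =
            Set.of("http://192.168.56.129", "http://192.168.56.130");
    static final String ALLOW_METHODS = "GET,PUT,OPTIONS,POST,DELETE";
    static final String ALLOW_HEADERS = "authorization,Content-Type,X-Requested-With";

    /**
     * Returns the CORS response headers for one request.
     * origin = Origin request header (null if absent),
     * requestedMethod = Access-Control-Request-Method header (null if absent).
     */
    static Map<String, String> headersFor(String origin, String method, String requestedMethod) {
        Map<String, String> h = new LinkedHashMap<>();
        // The response differs per Origin, so shared caches must key on it.
        h.put("Vary", "Origin");
        // Whole-string comparison only: no prefix, suffix or regex matching; "null" never matches.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            return h; // no Access-Control-* headers, so the browser blocks the cross-origin read
        }
        h.put("Access-Control-Allow-Origin", origin); // one specific origin, never "*"
        h.put("Access-Control-Allow-Credentials", "true");
        // A preflight is an OPTIONS request that carries Access-Control-Request-Method.
        if ("OPTIONS".equals(method) && requestedMethod != null) {
            h.put("Access-Control-Allow-Methods", ALLOW_METHODS);
            h.put("Access-Control-Allow-Headers", ALLOW_HEADERS);
            h.put("Access-Control-Max-Age", "1800"); // 30 min, as in the filter above
        }
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample requests: {Origin, method, Access-Control-Request-Method}
        String[][] samples = {
            {"http://192.168.56.129", "OPTIONS", "PUT"},        // allowed preflight
            {"http://192.168.56.129", "GET", null},             // allowed simple request
            {"http://192.168.56.129.example.net", "GET", null}, // look-alike host, rejected
            {"null", "GET", null},                              // sandboxed/file origin, rejected
            {null, "GET", null},                                // no Origin header
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " " + s[1] + " -> " + headersFor(s[0], s[1], s[2]));
        }
    }
}
```

Inside the servlet filter, the map would be built from `request.getHeader("Origin")`, `request.getMethod()` and `request.getHeader("Access-Control-Request-Method")`, and each entry written with `response.setHeader`.
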
The following reference configuration for enabling CORS in nginx comes from another source:

    #
    # Wide-open CORS config for nginx
    #
    location / {
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            #
            # Custom headers and headers various browsers *should* be OK with but aren't
            #
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            #
            # Tell client that this pre-flight info is valid for 20 days
            #
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        if ($request_method = 'POST') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
    }

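Since I knew there were already usable libraries that solve this, I didn't reinvent the wheel. Really it was out of laziness; I settled for reading other people's source code...

Searching mvnrepository for cors-filter currently turns up just two usable ones.

The two are much the same. Because eBay's is open source on GitHub and has a detailed README, I'll use eBay's cors-filter as the example.

Configuration

Add the dependency to the project:
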
    <dependency>
        <groupId>org.ebaysf.web</groupId>
        <artifactId>cors-filter</artifactId>
        <version>1.0.1</version>
    </dependency>

Add the configuration (for the individual configuration options, see the project's README.md):

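    <filter>
        <filter-name>CORS Filter</filter-name>
        <filter-class>org.ebaysf.web.cors.CORSFilter</filter-class>
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>http://192.168.56.129,http://192.168.56.130</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CORS Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
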
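The second and third parts that follow are reposted from http://www.cnblogs.com/sloong/p/cors.html

After publishing this post, I happened to come across an article that collects cross-origin issues in considerable detail (recommended), so I'm linking it here: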
https://segmentfault.com/a/1190000012469713?utm_source=tag-newest