REST跨域访问解决CorsFilter

调用rest接口,前台异常信息:
XMLHttpRequest cannot load http://127.0.0.1:8080/rest/users.
No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
Origin ‘http://127.0.0.1’ is therefore not allowed access.

JavaScript出于安全方面的考虑,不允许跨域调用其他页面的对象。但在安全限制的同时也给注入iframe或是ajax应用上带来了不少麻烦。这里把涉及到跨域的一些问题简单地整理一下:首先什么是跨域,
简单地理解就是因为JavaScript同源策略的限制,a.com 域名下的js无法操作b.com或是c.a.com域名下的对象。更详细的说明可以看下表:
URL 说明 是否允许通信
http://www.a.com/a.js
http://www.a.com/b.js 同一域名下 允许

http://www.a.com/lab/a.js
http://www.a.com/script/b.js 同一域名下不同文件夹 允许

http://www.a.com:8000/a.js
http://www.a.com/b.js 同一域名,不同端口 不允许

http://www.a.com/a.js
https://www.a.com/b.js 同一域名,不同协议 不允许

http://www.a.com/a.js
http://70.32.92.74/b.js 域名和域名对应ip 不允许

http://www.a.com/a.js
http://script.a.com/b.js 主域相同,子域不同 不允许

http://www.a.com/a.js
http://a.com/b.js 同一域名,不同二级域名(同上) 不允许(cookie这种情况下也不允许访问)

http://www.cnblogs.com/a.js
http://www.a.com/b.js 不同域名 不允许

特别注意两点:
第一,如果是协议和端口造成的跨域问题“前台”是无能为力的,
第二:在跨域问题上,域仅仅是通过“URL的首部”来识别而不会去尝试判断相同的ip地址对应着两个域或两个域是否在同一个ip上。
“URL的首部”指window.location.protocol +window.location.host,也可以理解为“Domains, protocols and ports must match”。

web.xml

 <filter>
 <filter-name>CorsFilter</filter-name>
 <filter-class>com.wizincloud.filter.CORSFilter</filter-class>
 </filter>

 <filter-mapping>
 <filter-name>CorsFilter</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>

CORSFilter

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;


/** * 解决Rest接口调用过程中,跨域访问问题 * @author 刘彦亮 * @version 1.0 */
public class CORSFilter implements Filter {
 public CORSFilter() {
 }


 public void doFilter(ServletRequest request, ServletResponse response,
 FilterChain chain) throws IOException, ServletException {


 HttpServletResponse httpServletResponse = (HttpServletResponse) response;


 httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");


 httpServletResponse
 .setHeader(
 "Access-Control-Allow-Headers",
 "User-Agent,Origin,Cache-Control,Content-type,Date,Server,withCredentials,AccessToken");


 httpServletResponse.setHeader("Access-Control-Allow-Credentials",
 "true");


 httpServletResponse.setHeader("Access-Control-Allow-Methods",
 "GET, POST, PUT, DELETE, OPTIONS, HEAD");


 httpServletResponse.setHeader("Access-Control-Max-Age", "1209600");


 httpServletResponse.setHeader("Access-Control-Expose-Headers",
 "accesstoken");


 httpServletResponse.setHeader("Access-Control-Request-Headers",
 "accesstoken");


 httpServletResponse.setHeader("Expires", "-1");


 httpServletResponse.setHeader("Cache-Control", "no-cache");


 httpServletResponse.setHeader("pragma", "no-cache");


 chain.doFilter(request, response);


 }


 public void init(FilterConfig fConfig) throws ServletException {


 }


 public void destroy() {
 }


}

你可能感兴趣的:(web.xml,REST)