跨域访问是浏览器的限制,服务端是没有任何限制的。很多种解决方案,如过滤器,springmvc解决方案,ngix,apache解决方案。
1.过滤器解决方案
在web.xml中新增配置
<!-- 表示允许跨域访问 -->
<filter>
<filter-name>accessControlAllowOriginFilter</filter-name>
<filter-class>com.pangu.mss.filter.AccessControlAllowOriginFilter</filter-class>
<init-param>
<param-name>allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>accessControlAllowOriginFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
过滤器代码如下:
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; public class AccessControlAllowOriginFilter implements Filter { private static final Logger LOG = LoggerFactory.getLogger(AccessControlAllowOriginFilter.class); private FilterConfig config; private String allowOrigin="*"; /** * Access-Control-Allow-Origin 所允许访问的跨源域名,如www.example.com Access-Control-Allow-Methods 所允许访问的方法, post,put, get ,delete, options Access-Control-Allow-Credentials 布尔值,是否允许浏览器发送cookie Access-Control-Allow-Headers 允许浏览器request header中带的头部值 */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest httpServletRequest = ((HttpServletRequest) request); HttpServletResponse httpServletResponse = (HttpServletResponse) response; if("*".equals(allowOrigin)) { httpServletResponse.setHeader("Access-Control-Allow-Origin", httpServletRequest.getHeader("Origin")); } //httpServletResponse.setHeader("Access-Control-Allow-Origin", "*"); // httpServletResponse.addHeader("Access-Control-Allow-Origin",allowOrigin); // httpServletResponse.addHeader("Access-Control-Allow-Methods","post,put, get ,delete, options"); httpServletResponse.addHeader("Access-Control-Allow-Credentials","true"); httpServletResponse.setHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS,PUT,DELETE"); httpServletResponse.setHeader("Access-Control-Max-Age", "3600"); httpServletResponse.setHeader("Access-Control-Allow-Headers", "X-Requested-With,Content-Type,sso-token,sys-token"); /** * * OPTIONS 方法比较少见,该方法用于请求服务器告知其支持哪些其他的功能和方法。 * 通过 OPTIONS 方法,可以询问服务器具体支持哪些方法,或者服务器会使用什么样的方法来处理一些特殊资源。可以说这是一个探测性的方法,客户端通过该方法可以在不访问服务器上实际资源的情况下就知道处理该资源的最优方式。 * OPTIONS 方法在跨域请求(CORS)中的应用 * 客户端发起的这个 OPTIONS 可以说是一个“预请求”,用于探测后续真正需要发起的跨域 POST 请求对于服务器来说是否是安全可接受的,因为跨域提交数据对于服务器来说可能存在很大的安全问题。 */ if("OPTIONS".equalsIgnoreCase(httpServletRequest.getMethod())){ //服务器成功处理了请求,但没有返回任何内容。 httpServletResponse.setStatus(204); return; } filterChain.doFilter(httpServletRequest, httpServletResponse); } /** * */ public void init(FilterConfig config) throws ServletException { this.config = config; allowOrigin=this.config.getInitParameter("allowOrigin"); LOG.debug("httpServletResponse.addHeader(\"Access-Control-Allow-Origin\","+allowOrigin+");"); } @Override public void destroy() { // TODO Auto-generated method stub } }
2.springMvc解决方案:
基于注解:
@CrossOrigin public abstract class BaseController { }
基于配置:
<mvc:cors>
<mvc:mapping path="*" allowed-origins="" max-age="3600" allowed-methods="*" allowed-headers="X-Requested-With,Content-Type,sso-token,sys-token" allow-credentials="true"/>
</mvc:cors>
以上两种解决跨域访问的方式是相同的