用Java过滤器实现跨域资源共享 CORS

原理解析

原理篇，主要还是要学习阮一峰的 跨域资源共享 CORS 详解

代码实现

使用 过滤器来实现。

import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * 跨域请求过滤器
 */
@Component
@WebFilter("/")
public class CrossFilter implements Filter {
    private static final String ORIGIN = "Origin";

    private static final String REFERER = "Referer";

    private static final String TRUE = "true";

    private static final String CACHE_86400 = "86400";

    private static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";

    private static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";

    private static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";

    private static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";

    private static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";

    private static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";

    private static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";

    @Override
    public void init(FilterConfig filterConfig) {
        //do something
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // 解决跨域请求问题
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String origin = req.getHeader (ORIGIN);
        if (origin == null) {
            origin = req.getHeader (REFERER);
        }
        // 允许指定域访问跨域资源
        setHeader (resp, ACCESS_CONTROL_ALLOW_ORIGIN, origin);
        // 允许客户端携带跨域cookie，此时origin值不能为“*”，只能为指定单一域名
        setHeader (resp, ACCESS_CONTROL_ALLOW_CREDENTIALS, TRUE);
        if (RequestMethod.OPTIONS.toString ().equals (req.getMethod ())) {
            String allowMethod = req.getHeader (ACCESS_CONTROL_REQUEST_METHOD);
            String allowHeaders = req.getHeader (ACCESS_CONTROL_REQUEST_HEADERS);
            // 浏览器缓存预检请求结果时间,单位:秒
            setHeader (resp, ACCESS_CONTROL_MAX_AGE, CACHE_86400);
            // 允许浏览器在预检请求成功之后发送的实际请求方法名
            setHeader (resp, ACCESS_CONTROL_ALLOW_METHODS, allowMethod);
            // 允许浏览器发送的请求消息头
            setHeader (resp, ACCESS_CONTROL_ALLOW_HEADERS, allowHeaders);
            return;
        }
        chain.doFilter (request, response);
    }

    private void setHeader(HttpServletResponse resp, String key, String value) {
        resp.setHeader (key, value);
    }

    @Override
    public void destroy() {
        //do someThing
    }
}