CORS cross-domain request control methods
1. HTTP request headers
Origin: Also sent on ordinary HTTP requests; in CORS it serves as the origin information that the back end checks against, indicating the source domain.
Access-Control-Request-Method: The method of the request that will follow, such as PUT or DELETE.
Access-Control-Request-Headers: Custom headers; all headers set with the setRequestHeader method are included in this header in comma-separated form.
2. HTTP response headers
The browser decides whether to send the non-simple request based on the server's response. A simple request is sent directly, with an Origin field added to indicate the origin of the cross-domain request. After the server finishes processing the request, it returns the result with the following control fields:
Access-Control-Allow-Origin: The domains allowed cross-domain access, either as a list of domains or as the wildcard "*". Note that the origin rule applies only to the domain name, not to subdirectories; that is, http://foo.example/subdir/ is invalid. Different subdomains must be set separately; the rules here follow the same-origin policy.
Access-Control-Allow-Credentials: Whether to allow requests with authentication information,
Access-Control-Expose-Headers: Allows the script to access the returned headers; after the request succeeds, the script can be
Access-Control-Max-Age: The number of seconds to cache this preflight result. Within this time, requests of the same type no longer send a preflight request but use the cached headers directly as the basis for the decision, which greatly reduces the number of requests.
Access-Control-Allow-Methods: Allowed request methods, separated by commas.
Access-Control-Allow-Headers: Allowed custom headers, separated by commas, case insensitive.
If a lazy programmer sets Access-Control-Allow-Origin: *, cross-domain requests from any domain are allowed, which opens up the possibility of DDoS attacks.
Implementation methods:
Method 1: nginx configuration file:
server {
    location / {
        # Answer the CORS preflight (OPTIONS) request directly
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' *;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            # add_header 'Access-Control-Max-Age' 3600;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 200;
        }
    }
}
Method 2: Add the two jar packages cors-filter-1.7.jar and java-property-utils-1.9.jar directly to lib in the Tomcat installation directory, and configure the filter in the web.xml of the business project where you want to apply it:
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET,POST,HEAD,PUT,DELETE</param-value>
</init-param>
<init-param>
<param-name>cors.supportedHeaders</param-name>
<param-value>Accept,Origin,X-Requested-With,Content-Type,Last-Modified</param-value>
</init-param>
<init-param>
<param-name>cors.exposedHeaders</param-name>
<param-value>Set-Cookie</param-value>
</init-param>
<init-param>
<param-name>cors.supportsCredentials</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Method 3: Write your own filter class and configure it yourself in the web.xml of the business project.
For example, the Java filter class:
package com.tianlong.common.base;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CorsFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // TODO Auto-generated method stub
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Set the CORS response headers on every response, then continue the chain
        HttpServletResponse res = (HttpServletResponse) response;
        res.setContentType("text/html;charset=UTF-8");
        res.setHeader("Access-Control-Allow-Origin", "*");
        res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        res.setHeader("Access-Control-Max-Age", "0");
        res.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token");
        res.setHeader("Access-Control-Allow-Credentials", "true");
        res.setHeader("XDomainRequestAllowed", "1");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // TODO Auto-generated method stub
    }
}
The web.xml configuration in the business project is as follows:
<filter>
<filter-name>cors</filter-name>
<filter-class>com.tianlong.common.base.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cors</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
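An allow-list variant of the Method 3 filter, added here as an example (not code from the original page): instead of the wildcard it echoes the request's Origin only when it matches a configured origin, which is also what credentialed requests need, since browsers do not accept Access-Control-Allow-Origin: * together with credentials. The class name AllowListCorsFilter and the example.com origins are assumptions; it assumes Java 8+ and the same javax.servlet API as the filter above.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AllowListCorsFilter implements Filter {
    // Hypothetical, constructed origins: scheme + host (+ port), no path; each subdomain listed separately.
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://app.example.com", "https://admin.example.com"));
    private static final List<String> METHODS = Arrays.asList("GET", "POST", "OPTIONS", "DELETE");

    // Returns the origin to echo back, or null when no CORS headers should be sent.
    static String allowedOrigin(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin) ? origin : null;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        res.addHeader("Vary", "Origin"); // response depends on Origin, so caches must key on it
        String origin = allowedOrigin(req.getHeader("Origin"));
        if (origin != null) {
            // Echo the exact matched origin; browsers refuse "*" on credentialed requests.
            res.setHeader("Access-Control-Allow-Origin", origin);
            res.setHeader("Access-Control-Allow-Credentials", "true");
        }
        String wanted = req.getHeader("Access-Control-Request-Method");
        if ("OPTIONS".equals(req.getMethod()) && wanted != null) {
            // Preflight: answer it here so it never reaches the business servlet.
            if (origin != null && METHODS.contains(wanted)) {
                res.setHeader("Access-Control-Allow-Methods", String.join(", ", METHODS));
                res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With, token");
                res.setHeader("Access-Control-Max-Age", "3600");
            }
            res.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

A request from an origin outside the list still reaches the servlet, but the response carries no Access-Control-Allow-Origin header, so the browser withholds it from the calling script; state-changing endpoints still need their own authorization and CSRF checks.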
PS: If cross-domain requests still do not work after the above, check whether the firewall allows the request to pass!