JAVA Web project cross-domain

Source: Internet
Author: User

CORS cross-domain request control method

1. HTTP request headers

Origin: Also sent with ordinary HTTP requests; in CORS it is the origin information that the back end checks against, indicating the source domain.

Access-Control-Request-Method: The method of the request that will follow, such as PUT, DELETE, etc.

Access-Control-Request-Headers: Custom headers; all headers set with the setRequestHeader method are included in this header in comma-separated form.

2. HTTP response headers

The browser then decides whether to send the non-simple request based on the server's response. A simple request is sent directly, as before, but with an Origin field added to indicate the origin of the cross-domain request. After the server finishes processing the request, it returns the result with the following control fields:

Access-Control-Allow-Origin: The domains allowed cross-domain access, either as a list of domains or as the wildcard "*". Note that the origin rule applies only to the domain name and not to subdirectories; that is, http://foo.example/subdir/ is invalid. Different subdomains, however, need to be set separately; for the rules here, refer to the same-origin policy.

Access-Control-Allow-Credentials: Whether to allow requests with authentication information,

Access-Control-Expose-Headers: Allows the script to access the return header, after the request succeeds, the script can be

Access-Control-Max-Age: The number of seconds to cache this request. Within this time frame, requests of the same type no longer send a preflight request but use the returned headers directly as the basis for the decision, which is very useful for greatly reducing the number of requests.

Access-Control-Allow-Methods: Allowed request methods, separated by commas.

Access-Control-Allow-Headers: Allowed custom headers, separated by commas, case insensitive.

If a lazy programmer sets the header to Access-Control-Allow-Origin: *, cross-domain requests from any domain are allowed, which opens up the possibility of DDoS attacks.

Implementation methods:

Method 1: nginx configuration file:

server {
    location / {
        if ($request_method = 'OPTIONS') {
            # Note: browsers reject a credentialed cross-origin response
            # when Access-Control-Allow-Origin is the wildcard *.
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            # add_header 'Access-Control-Max-Age' 3600;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 200;
        }
    }
}

Method 2: Add the two jar packages cors-filter-1.7.jar and java-property-utils-1.9.jar directly to the lib directory of the Tomcat installation, then configure the filter you want to apply in the web.xml of the business project:

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET,POST,HEAD,PUT,DELETE</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>Accept,Origin,X-Requested-With,Content-Type,Last-Modified</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposedHeaders</param-name>
        <param-value>Set-Cookie</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Method 3: Write your own filter class and configure it yourself in the web.xml of the business project.

For example, the Java filter class:

package com.tianlong.common.base;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CorsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // TODO Auto-generated method stub
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Add the CORS response headers to every response, then continue the chain.
        HttpServletResponse res = (HttpServletResponse) response;
        res.setContentType("text/html;charset=UTF-8");
        // Note: browsers reject a credentialed cross-origin response when the allowed origin is "*".
        res.setHeader("Access-Control-Allow-Origin", "*");
        res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        res.setHeader("Access-Control-Max-Age", "0");
        res.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token");
        res.setHeader("Access-Control-Allow-Credentials", "true");
        res.setHeader("XDomainRequestAllowed", "1");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // TODO Auto-generated method stub
    }
}

The web.xml configuration in the business project is as follows:

<filter>
    <filter-name>cors</filter-name>
    <filter-class>com.tianlong.common.base.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>cors</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

PS: If cross-domain requests still fail after all of the above, check whether the firewall allows the requests to pass!
