在这个实现中:
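2、支持配置接收请求的域,配置为 “*” 接受所有域。注意:“*” 不应与基于 cookie 的 session(Access-Control-Allow-Credentials: true)同时使用,否则任意站点都能携带用户的 cookie 发起跨域请求并读取响应;需要 cookie 时应配置明确的域名白名单。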
2、允许建立基于 cookie 的 session。
3、允许传递自定义的 HTTP 头。
4、正确处理预检请求。
package web.filter;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
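/**
 * Servlet filter that adds CORS response headers according to the origin allow-list
 * configured in {@code application.cors.allow-origin}.
 *
 * <p>Two kinds of allow-list entries are recognised:
 * <ul>
 *   <li>An explicit origin. A request whose {@code Origin} header equals the entry exactly
 *       gets that origin echoed back together with
 *       {@code Access-Control-Allow-Credentials: true}, so cookie-based sessions work.</li>
 *   <li>The wildcard {@code "*"}. Any origin may read the response, but the literal
 *       {@code "*"} is returned and credentials are not enabled. Echoing an arbitrary
 *       {@code Origin} together with {@code Allow-Credentials: true} would let any site
 *       issue cookie-authenticated requests and read the replies.</li>
 * </ul>
 *
 * <p>Every {@code OPTIONS} request is answered directly as a pre-flight and is not passed
 * down the filter chain.
 */
@Component
public class CorsFilter extends OncePerRequestFilter {

  /** Allowed origins; an entry of {@code "*"} means "any origin, without credentials". */
  @Value("${application.cors.allow-origin}")
  private String[] allowOrigins;

  /**
   * Sets the CORS headers for the current request and short-circuits pre-flight requests.
   *
   * @param request the incoming request; its {@code Origin} header is client-controlled
   * @param response the response the CORS headers are written to
   * @param filterChain the remaining chain, invoked for everything except {@code OPTIONS}
   * @throws IOException propagated from the filter chain
   * @throws ServletException propagated from the filter chain
   */
  @Override
  public void doFilterInternal(HttpServletRequest request,
      HttpServletResponse response, FilterChain filterChain)
      throws IOException, ServletException {
    String origin = request.getHeader("Origin");

    // Classify the request against the allow-list. An explicit entry takes precedence
    // over the wildcard so that listed origins keep credentialed access.
    boolean wildcardConfigured = false;
    boolean originListed = false;
    for (String allowOrigin : allowOrigins) {
      if ("*".equals(allowOrigin)) {
        wildcardConfigured = true;
      } else if (origin != null && origin.equals(allowOrigin)) {
        originListed = true;
      }
    }

    // The CORS headers depend on the request's Origin, so shared caches must key on it;
    // otherwise a response cached for one origin could be served to another.
    response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);

    if (originListed) {
      // Exact allow-list match: safe to echo the origin and enable credentials.
      response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
      response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
      response.setHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, "x-auth-token");
    } else if (wildcardConfigured) {
      // Wildcard only: never reflect the caller-supplied Origin with credentials.
      // Browsers ignore credentials when the allowed origin is the literal "*".
      response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
      response.setHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, "x-auth-token");
    }

    // Pre-flight request: answer here and do not invoke the rest of the chain.
    if (HttpMethod.OPTIONS.matches(request.getMethod())) {
      response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS,
          "Origin, X-Requested-With, Content-Type, Accept, x-auth-token");
      // NOTE(review): TRACE is a forbidden method for browser fetch/XHR, so listing it
      // should have no effect; the value is kept unchanged for compatibility.
      response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS,
          "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS, TRACE");
      response.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "86400");
      return;
    }

    filterChain.doFilter(request, response);
  }
}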