跨域:
话不多说,按跨域资源共享(CORS)的配置说明,参数Access-Control-Allow-Origin的值要么是通配符(*),要么是指定的固定域名.查看spring源码,发现也是只处理了这两种情况,如下:
/**
 * Resolve the value to return as {@code Access-Control-Allow-Origin} for a request origin.
 *
 * <p>Only two configurations are handled: the wildcard entry ({@code ALL}) and a list of
 * fixed origins compared for case-insensitive equality. No pattern or sub-domain matching
 * is performed.
 *
 * <p>Security note: when the wildcard is configured and {@code allowCredentials} is
 * {@code Boolean.TRUE}, the method returns the caller-supplied origin instead of the
 * wildcard. In that configuration every origin is accepted for credentialed requests.
 *
 * @param requestOrigin the {@code Origin} value sent by the client
 * @return the origin to echo back, the wildcard, or {@code null} when the origin is not allowed
 */
public String checkOrigin(String requestOrigin) {
    // Nothing to check against, or nothing to check: reject.
    if (!StringUtils.hasText(requestOrigin) || ObjectUtils.isEmpty(this.allowedOrigins)) {
        return null;
    }
    // Wildcard configured.
    if (this.allowedOrigins.contains(ALL)) {
        // With credentials enabled the request's own origin is reflected rather than the wildcard.
        return (this.allowCredentials != Boolean.TRUE) ? ALL : requestOrigin;
    }
    // Otherwise only an exact (case-insensitive) match against a configured origin is accepted.
    for (String candidate : this.allowedOrigins) {
        if (requestOrigin.equalsIgnoreCase(candidate)) {
            return requestOrigin;
        }
    }
    return null;
}
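因此,要让某一类域名(例如某个域名下的所有子域名)可以跨域,需要自定义实现,下面给出两种方法。注意:两种方法都会把请求中的Origin原样写回响应头并允许携带凭证,所以用于匹配的正则必须覆盖完整的Origin(协议+域名+端口),并对其中的点号转义,否则名称相似的域名也可能被放行.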
1.修改nginx:
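server {
    root /path/to/your/stuff;
    index index.html index.htm;

    # $match is "true" only when the Origin header is a sub-domain of yourdomain.com.
    set $match "";
    # The expression is anchored at both ends and its dots are escaped. An unanchored
    # pattern with a bare "." would also accept look-alike origins (constructed examples:
    # "https://a.yourdomain.com.other.example", "https://a.yourdomainxcom"), and the
    # origin is reflected below together with Allow-Credentials.
    # Use "^https://" instead of "^https?://" if plain-HTTP origins should not be trusted.
    if ($http_origin ~* "^https?://([a-z0-9-]+\.)+yourdomain\.com(:[0-9]+)?$") {
        set $match "true";
    }

    server_name yoursweetdomain.com;

    location / {
        # The response differs per Origin, so caches must key on it.
        add_header 'Vary' 'Origin';

        if ($match = "true") {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
            # add_header at location level is not inherited once this block defines its own.
            add_header 'Vary' 'Origin';
        }

        # NOTE(review): confirm that preflight responses produced here actually carry the
        # CORS headers from the block above; add_header set in one "if" block is not
        # applied by another.
        if ($request_method = OPTIONS) {
            return 204;
        }
    }
}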
2.从java应用端的Filter入手:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.regex.Pattern;
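/**
 * Servlet filter that answers CORS requests for origins matching a configured list of
 * regular expressions.
 *
 * <p>The {@code origins} property is a comma-separated list of regular expressions. Each
 * expression is matched against the complete {@code Origin} header value (scheme, host and
 * optional port) with {@link Pattern#matches(String, CharSequence)}, so it has to describe
 * the whole origin. Because a matching origin is echoed back together with
 * {@code Access-Control-Allow-Credentials: true}, the expressions are the only access
 * control here: literal dots must be escaped and the scheme should be spelled out, for
 * example {@code https://([a-z0-9-]+\.)*example\.com}. Expressions must not contain a
 * comma, since the property is split on commas.
 *
 * Created by breeze on 2016/8/26.
 */
@Component
public class CORSFilter implements Filter {

    // Logger is named after this class (the original used Filter.class by mistake).
    private static final Logger log = LoggerFactory.getLogger(CORSFilter.class);

    // Comma-separated origin regular expressions, injected from configuration.
    @Value("${origins}")
    private String origins;

    @Override
    public void init(FilterConfig filterConfig) {
        // No initialisation required.
    }

    /**
     * Adds CORS response headers when the request's {@code Origin} matches one of the
     * configured expressions, and answers every {@code OPTIONS} request with 200 without
     * invoking the rest of the chain.
     *
     * <p>The CORS headers are written only for an allowed origin; a browser ignores them
     * anyway when {@code Access-Control-Allow-Origin} is absent.
     *
     * @param req the incoming request, expected to be an {@link HttpServletRequest}
     * @param res the outgoing response, expected to be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException if a downstream filter or servlet fails with an I/O error
     * @throws ServletException if a downstream filter or servlet fails
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;

        // The headers below depend on the request's Origin, so caches must key on it.
        response.addHeader("Vary", "Origin");

        String origin = request.getHeader("Origin");
        if (origin != null) {
            if (isAllowedOrigin(origin)) {
                response.setHeader("Access-Control-Allow-Origin", origin);
                response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS,PUT,DELETE");
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setHeader("Access-Control-Allow-Credentials", "true");

                // The Allow-Headers header must be present for preflights that request headers.
                String requestedHeaders = request.getHeader("Access-Control-Request-Headers");
                if (requestedHeaders != null) {
                    // NOTE(review): this echoes whatever header names the client asks for.
                    // Replace with a fixed allow-list if only specific headers are expected.
                    response.setHeader("Access-Control-Allow-Headers", requestedHeaders);
                }
            } else {
                // Rejected origins are worth seeing when tuning or auditing the allow-list.
                log.debug("CORS request from origin not in allow-list: {}", origin);
            }
        }

        // Constant-first comparison avoids a NullPointerException on a null method.
        if ("OPTIONS".equals(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /** Returns whether the whole origin string matches one of the configured expressions. */
    private boolean isAllowedOrigin(String origin) {
        if (origins == null) {
            return false;
        }
        for (String candidate : origins.split(",")) {
            // Tolerate spaces after commas and skip empty entries in the property.
            String regex = candidate.trim();
            // Regular-expression match against the entire origin.
            if (!regex.isEmpty() && Pattern.matches(regex, origin)) {
                return true;
            }
        }
        return false;
    }
}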
其中origins为yml配置:
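# Comma-separated regular expressions; each one must match the entire Origin value
# (scheme://host[:port]). Literal dots are escaped: with a bare "." a look-alike host
# (constructed example: "https://notbaidu.com") would also match ".*.baidu.com".
# Use "https://" instead of "https?://" if plain-HTTP origins should not be trusted.
# Do not put a comma inside an expression (e.g. {1,3}); the filter splits this value on ",".
origins: 'https?://([a-z0-9-]+\.)*baidu\.com(:[0-9]+)?,https?://([a-z0-9-]+\.)*sougou\.com(:[0-9]+)?,https?://([a-z0-9-]+\.)*aaa\.com(:[0-9]+)?'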