解决前后端分离跨域问题和session不一致
说明
最近遇和同学一起开发一个课程的作业,我写后台,他写前端(前后端分离),遇到一个问题就是过滤器过滤未登陆的请求时,因为跨域问题和session不一致的问题,导致每次访问session不一样,所以把登陆信息存在session中就达不到想要的效果,经过几个小时的摸索,和借鉴网上的方法终于解决了问题,这里只是做个笔记,希望可以帮到需要的人。
原文地址:(http://www.cnblogs.com/xjbBill/p/8278032.html)
(http://www.cnblogs.com/zeng1994/)
自定义过滤器(filter)
public class CORSFilter implements Filter {
private boolean isCross = false;
private String excludedPaths = null;
private String [] excludedPathArray;
@Override
public void destroy() {
isCross = false;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
// 判断是否是直接放行的请求
if (!isFilterExcludeRequest(httpServletRequest)) {
if (isCross) {
httpServletResponse.setHeader("Access-Control-Allow-Origin", httpServletRequest.getHeader("origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
httpServletResponse.setHeader("Access-Control-Max-Age", "0");
httpServletResponse.setHeader("Access-Control-Allow-Headers",
"Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token");
httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
httpServletResponse.setHeader("XDomainRequestAllowed", "1");
}
}
chain.doFilter(request, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
String isCrossStr = filterConfig.getInitParameter("IsCross");
isCross = isCrossStr.equals("true") ? true : false;
excludedPaths = filterConfig.getInitParameter("excludedPaths");
if(!StringUtils.isEmpty(excludedPaths)){
excludedPathArray = excludedPaths.split(",");
}
}
private boolean isFilterExcludeRequest(HttpServletRequest request) {
if(null != excludedPathArray && excludedPathArray.length > 0) {
String url = request.getRequestURI();
for (String ecludedUrl : excludedPathArray) {
if (ecludedUrl.startsWith("*.")) {
// 如果配置的是后缀匹配, 则把前面的*号干掉,然后用endWith来判断
if(url.endsWith(ecludedUrl.substring(1))){
return true;
}
} else if (ecludedUrl.endsWith("/*")) {
if(!ecludedUrl.startsWith("/")) {
// 前缀匹配,必须要是/开头
ecludedUrl = "/" + ecludedUrl;
}
// 如果配置是前缀匹配, 则把最后的*号干掉,然后startWith来判断
String prffixStr = request.getContextPath() + ecludedUrl.substring(0, ecludedUrl.length() - 1);
if(url.startsWith(prffixStr)) {
return true;
}
} else {
// 如果不是前缀匹配也不是后缀匹配,那就是全路径匹配
if(!ecludedUrl.startsWith("/")) {
// 全路径匹配,也必须要是/开头
ecludedUrl = "/" + ecludedUrl;
}
String targetUrl = request.getContextPath() + ecludedUrl;
if(url.equals(targetUrl)) {
return true;
}
}
}
}
return false;
}
}
web.xml配置自定义的filter
<!-- 跨域请求 -->
<filter>
<filter-name>CORSFilter</filter-name>
<filter-class>com.guyue.util.CORSFilter</filter-class>
<init-param>
<param-name>IsCross</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- 过滤掉静态资源 -->
<param-name>excludedPaths</param-name>
<param-value>/resource/*,/img/*,*.html,*.js,*.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
前端ajax请求添加内容
xhrFields: {
withCredentials: true
},
注意
filter的如下配置不能用*不然前端访问会报错!
httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");
改成这样,动态获取
httpServletResponse.setHeader("Access-Control-Allow-Origin", httpServletRequest.getHeader("origin"));
完美解决。