Server side

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsFilter implements Filter {
    /**
     * Custom request header fields (kept in CommonConst in the original project)
     */
    public final static String DEFAULT_CORS_HEADER_NAME = "Authorization,Content-Type,XFILENAME,XFILECATEGORY,XFILESIZE,time";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        // Cross-origin setup: "*" is not accepted here because credentials are enabled, so the value of request.getHeader("Origin") is echoed back
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Allow-Credentials", "true");
        // Allowed request methods
        response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        // Header fields to let through; add your own auth field if needed, e.g. Authorization
        response.setHeader("Access-Control-Allow-Headers", DEFAULT_CORS_HEADER_NAME);
        // If no restriction is wanted:
        //response.setHeader("Access-Control-Allow-Headers", "x-requested-with,content-type");
        // Expose sessionId to the calling page
        response.setHeader("Access-Control-Expose-Headers", "sessionId");
        // Exceptions from the chain propagate to the container instead of being silently swallowed
        chain.doFilter(request, response);
    }
}
When customizing the allowed headers, note that under the W3C rules a request whose headers match any of the following unsafe (forbidden) header names will be aborted:
Accept-Charset
Accept-Encoding
Connection
Content-Length
Cookie
Cookie2
Content-Transfer-Encoding
Date
Expect
Host
Keep-Alive
Referer
TE
Trailer
Transfer-Encoding
Upgrade
User-Agent
Via
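A hardened variant of the filter above, added here as an example and not the original post's code: the Origin header is compared against an explicit allowlist and echoed back only when it matches, so Access-Control-Allow-Credentials is never paired with an arbitrary caller-supplied origin, and preflight requests are answered in the filter itself. It assumes the javax.servlet 4.0 API and Java 9+ (for Set.of); the listed origins are placeholders.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsAllowlistFilter implements Filter {
    // Assumed allowlist (placeholder origins): list the exact front-end origins of your deployment.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com", "https://admin.example.com");
    private static final String ALLOWED_HEADERS =
            "Authorization,Content-Type,XFILENAME,XFILECATEGORY,XFILESIZE,time";

    // Exact string match only: no prefix, suffix or regex matching, which is where allowlists usually break.
    static boolean isAllowedOrigin(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        if (isAllowedOrigin(origin)) {
            // Allow-Credentials only works with a concrete origin, never "*"; echo only an allowlisted one
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
            response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            response.setHeader("Access-Control-Expose-Headers", "sessionId");
            response.setHeader("Access-Control-Max-Age", "3600");
            // Caches must key on Origin, or one origin's CORS headers could be served to another
            response.addHeader("Vary", "Origin");
        }
        // Preflight requests are answered here and never reach the business filters/servlets
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Requests from origins not on the list still reach the application but carry no CORS headers, so the browser refuses to expose the response to the calling page.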
Client side

// axios request interceptor
// Assumed setup: `instance` is an axios instance; withCredentials is required for the
// server's Access-Control-Allow-Credentials: true to have any effect.
import axios from 'axios';
const instance = axios.create({ withCredentials: true });

instance.interceptors.request.use(
    config => {
        let time = new Date();
        // fill in the caller's token here; Authorization is listed in the server's Allow-Headers
        config.headers['Authorization'] = '';
        // custom header; it must also appear in the server's Access-Control-Allow-Headers
        // (the Date object is serialized with toString() when the request is sent)
        config.headers['time'] = time;
        return config;
    },
    error => {
        return Promise.reject(error);
    }
);