Tomcat服务器解决跨域问题解决方式

最新推荐文章于 2024-04-22 13:41:54 发布
最新推荐文章于 2024-04-22 13:41:54 发布
阅读量3.4k 收藏 9
点赞数
分类专栏: # Tomcat 文章标签: tomcat
原文链接:https://blog.csdn.net/zhouzhiwengang/article/details/101026217
版权

错误信息

Access to XMLHttpRequest at 'http://localhost:8080/am/amlogin' from origin 'http://127.0.0.1:38080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

解决步骤

第一步

https://mvnrepository.com上查询并下载

java-property-utils-1.9.1.jar,cors-filter-2.4.jar

这两个库文件,放到tomcat lib目录下Eg:(E:\apache-tomcat\lib)。

第二步

在web.xml文件中添加如下配置(E:\apache-tomcat\conf\web.xml):

 <filter>
       <filter-name>CORS</filter-name>
       <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
       <init-param>
        <param-name>cors.allowOrigin</param-name>
           <param-value>*</param-value>
       </init-param>
       <init-param>
        <param-name>cors.supportedMethods</param-name>
           <param-value>GET, POST, HEAD, PUT, DELETE</param-value>
       </init-param>
       <init-param>
        <param-name>cors.supportedHeaders</param-name>
           <param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified</param-value>
       </init-param>
       <init-param>
           <param-name>cors.exposedHeaders</param-name>
           <param-value>Set-Cookie</param-value>
       </init-param>
       <init-param>
           <param-name>cors.supportsCredentials</param-name>
           <param-value>true</param-value>
       </init-param>
   </filter>
 
   <filter-mapping>
       <filter-name>CORS</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>

附件

java-property-utils-1.9.1.jar,cors-filter-2.4.jar

链接:https://pan.baidu.com/s/1tovoKgIOwXAEnkU_2H2dcQ 
提取码:6l3p

以上方式 我试了 没用

Spring boot 添加过滤器 

CrosXssFilter
import com.alibaba.fastjson.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;

/**
 * 跨域:由于浏览器的安全性限制,不允许AJAX访问 协议不同、域名不同、端口号不同的 数据接口;
 * 前后端都需要设置允许跨域
 */
@WebFilter(urlPatterns = "/*")
public class CrosXssFilter implements Filter {
    // 多个跨域域名设置 这里一定要配置跨域地址
    public static final String[] ALLOW_DOMAIN = {"http://localhost:80","http://localhost:8080","http://127.0.0.1:38080",
            "http://localhost:8090", "http://localhost:8081"};
    private static final Logger logger = LoggerFactory.getLogger(CrosXssFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        request.setCharacterEncoding("utf-8");
        response.setContentType("text/html;charset=utf-8");
        //跨域设置
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String originHeader = req.getHeader("Origin");
        if (Arrays.asList(ALLOW_DOMAIN).contains(originHeader)) {
            //通过在响应 header 中设置 ‘*’ 来允许来自所有域的跨域请求访问。
            res.setHeader("Access-Control-Allow-Origin", originHeader);
           //通过对 Credentials 参数的设置,就可以保持跨域 Ajax 时的 Cookie
            //设置了Allow-Credentials,Allow-Origin就不能为*,需要指明具体的url域
            res.setHeader("Access-Control-Allow-Credentials", "true");
            //请求方式
            res.setHeader("Access-Control-Allow-Methods", "*");
            //(预检请求)的返回结果(即 Access-Control-Allow-Methods 和Access-Control-Allow-Headers 提供的信息) 可以被缓存多久
            res.setHeader("Access-Control-Max-Age", "86400");
            //首部字段用于预检请求的响应。其指明了实际请求中允许携带的首部字段
            //res.setHeader("Access-Control-Allow-Headers", "*");
            res.setHeader("Access-Control-Allow-Headers", "Timestamp,Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token,Access-Control-Allow-Headers");
        }
        //sql,xss过滤
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        Cookie[] cookies =  httpServletRequest.getCookies();
        logger.info(".......sessionid:{},session:{}",httpServletRequest.getSession().getId(), JSONObject.toJSONString(httpServletRequest.getSession().getAttributeNames()));
        logger.info(".......,cookie:{}",JSONObject.toJSONString(httpServletRequest.getCookies()));

        logger.info("CrosXssFilter.......orignal url:{},ParameterMap:{}", httpServletRequest.getRequestURI(), JSONObject.toJSONString(httpServletRequest.getParameterMap()));
        XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper(
                httpServletRequest);
        chain.doFilter(xssHttpServletRequestWrapper, response);
        logger.info("CrosXssFilter..........doFilter url:{},ParameterMap:{}", xssHttpServletRequestWrapper.getRequestURI(), JSONObject.toJSONString(xssHttpServletRequestWrapper.getParameterMap()));
    }

    @Override
    public void destroy() {

    }

}

XssHttpServletRequestWrapper
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * 防止sql注入,xss攻击
 * 前端可以对输入信息做预处理,后端也可以做处理。
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private final Logger log = LoggerFactory.getLogger(getClass());
    private static String key = "and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+";
    private static Set<String> notAllowedKeyWords = new HashSet<String>(0);
    private static String replacedString="INVALID";
    static {
        String keyStr[] = key.split("\\|");
        for (String str : keyStr) {
            notAllowedKeyWords.add(str);
        }
    }

    private String currentUrl;

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
        currentUrl = servletRequest.getRequestURI();
    }


    /**覆盖getParameter方法,将参数名和参数值都做xss过滤。
     * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取
     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }
    @Override
    public Map<String, String[]> getParameterMap(){
        Map<String, String[]> values=super.getParameterMap();
        if (values == null) {
            return null;
        }
        Map<String, String[]> result=new HashMap<>();
        for(String key:values.keySet()){
            String encodedKey=cleanXSS(key);
            int count=values.get(key).length;
            String[] encodedValues = new String[count];
            for (int i = 0; i < count; i++){
                encodedValues[i]=cleanXSS(values.get(key)[i]);
            }
            result.put(encodedKey,encodedValues);
        }
        return result;
    }
    /**
     * 覆盖getHeader方法,将参数名和参数值都做xss过滤。
     * 如果需要获得原始的值,则通过super.getHeaders(name)来获取
     * getHeaderNames 也可能需要覆盖
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    private String cleanXSS(String valueP) {
        // You'll need to remove the spaces from the html entities below
        String value = valueP.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
        value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
        value = value.replaceAll("'", "& #39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        value = cleanSqlKeyWords(value);
        return value;
    }

    private String cleanSqlKeyWords(String value) {
        String paramValue = value;
        for (String keyword : notAllowedKeyWords) {
            if (paramValue.length() > keyword.length() + 4
                    && (paramValue.contains(" "+keyword)||paramValue.contains(keyword+" ")||paramValue.contains(" "+keyword+" "))) {
                paramValue = StringUtils.replace(paramValue, keyword, replacedString);
                log.error(this.currentUrl + "已被过滤,因为参数中包含不允许sql的关键词(" + keyword
                        + ")"+";参数:"+value+";过滤后的参数:"+paramValue);
            }
        }
        return paramValue;
    }

}

 

丨Anna丨
关注
  • 0
    点赞
  • 9
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
Tomcat解决跨域问题
希爷的博客
08-06 769
在某网站上访问本地Tomcat 8080端口服务,控制台提示“Access to XMLHttpRequest at ' http://localhost:8080/xxx.json' from origin 'http://xxx.com.cn:8090' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.”,这是跨域引起...
tomcat服务器部署项目报跨域问题
木樨
11-19 1692
前言: 项目部署在阿里云的服务器tomcat上,浏览器访问由nginx转发到tomcat服务器。一开始我是在本地idea里面运行,然后在浏览器上测试没有任何问题,但一放到tomcat上运行用https访问就报跨域(因为需要使用到小程序,所以必须得用https),然后找了许久才找到解决办法。解决方法如下: 文章目录在tomcat的 web.xml 文件里边加上跨域支持然后再把以下两个jar包放到tomcat的lib目录下最后重启tomcat就可以 在tomcat的 web.xml 文件里边加上跨域支持 .
java-property-utils-1.9.1.jarjava-property-utils-1.10.jar
06-20
Tomcat 在设置跨域 jar包的二部分,java-property-utils-1.9.1.jarjava-property-utils-1.10.jar
解决 Tomcat 跨域问题 - Tomcat 配置静态文件和 Java Web 服务(Spring MVC Springboot)同时允许跨域
最新发布
linzi19900517的博客
04-22 2245
解决 Tomcat 跨域问题 - Tomcat 配置静态文件和 Java Web 服务(Spring MVC Springboot)同时允许跨域。
from origin 'http://localhost:8080' has been blocked by CORS policy:
热门推荐
Think++
04-03 9万+
1.问题描述 from origin 'http://localhost:8080' has been blocked by CORS policy 2.问题分析 CORS跨域访问错误 3.问题解决 编写一个配置类 package com.demo.config; import org.springframework.context.annotation.Configuratio...
跨域 from origin ‘http://localhost:8080‘ has been blocked by CORS policy: No ‘Access-Control-Allow-Or
qq_33650655的博客
02-22 1万+
跨域 from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Or
跨域报错解决方法
weixin_44289670的博客
12-10 2965
Access to XMLHttpRequest at ‘http://127.0.0.1:4444/api/v1/index/search’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the r...
解决跨域has been blocked by CORS policy: No ‘Access-Control-Allow-Origin‘,利用Proxy反向代理
我还起舞了的博客
11-21 3070
我们要配置反向代理的原因是:因为跨域问题我们直接拿不到跟我们不同域名不同端口号下的数据,这是浏览器的跨域限制,我们不能在浏览器上显示后端的数据,但是服务器端没有跨域限制,所以可以让我们自己的服务器(项目运行,会启动一台服务器),去请求后端服务器,拿到数据,然后再传给我们前端。反向代理服务器的应用:往这个接口发请求,被拦截到了,凡是往这个接口发请求的,反向代理服务器,会在前面加上target域名 ,往真实的地址去请求。在vue.config.js文件中进行以下配置proxy,具体配置信息可以看下文。
tomcat服务器配置资源跨域问题
11-09
最近在使用前端调取服务器静态资源的时候,总是报图片跨域的错误,该问题可以通过服务器配置跨域权限来解决。 首先下载cors-filter-2.5.jarjava-property-utils-1.9.1 1、把这两个jar包放在tomcat的lib下。 2、在...
tomcat服务器解决跨域所需jar
04-04
tomcat服务器解决跨域问题所需jar包 cors-filter-1.7.jar java-property-utils-1.9.jar
tomcat服务器的跨域jar
03-31
https://blog.csdn.net/weixin_40902527/article/details/108973417
基于tomcat服务器的跨域处理
10-09
基于tomcat服务器的跨域处理, 包含cors-filter-1.7.jarJava -property-utils-1.9.jar 配置跨域 <!--跨域-->  <groupId>com.thetransactioncompany</groupId>  <artifactId>Java-property-utils  <version>...
Tomcat+Nginx反向代理部署前后端分离项目解决跨域问题
01-27
最近自己做了一个前后端分离项目,前端采用HBuilderX开发,后端采用IDEA开发,在本地开发也跨域,部署到云服务器也跨域,下面介绍两种解决方案。 出于浏览器的同源策略限制。同源策略(Sameoriginpolicy)是一种约定...
Vue2前端请求API数据跨域问题解决
woshinsy的博客
04-11 2745
Access to XMLHttpRequest at 'http://localhost:9090/echarts/members' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.跨域问题解决
让 axios 请求接口时带上cookie
tangxinzhuan
05-14 2961
import Vue from 'vue' import axios from 'axios' // 让 axios 请求接口时带上cookie axios.defaults.withCredentials = true; Vue.prototype.$axios = axios; ...
vue用axios进行token请求出现has been blocked by CORS policy: No ‘Access-Control-Allow-Origin‘ header的解决方案
FHlang的博客
04-16 3785
遇到的问题 Access to XMLHttpRequest at ‘http://localhost:8081/order/no’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. 翻译:通过CORS策略已阻止从源"http:// localhost:8080"
from origin ‘http://localhost‘ has been blocked by CORS policy 跨域问题
Ryan_black的博客
12-17 5万+
前后端环境搭好之后测试了一下登录,出了这个毛病,但是上面显示的CORS 我就知道,跨域问题来了. 这个CORS,是一个W3C标准,全称是"跨域资源共享"(Cross-origin resource sharing)需要浏览器和服务器同时支持。 所有浏览器都支持该功能。 服务器的话需要单独配置使用 @CrossOrigin 或 全局配置类 这个@CrossOrigin需要配置在控制器类上 这个全...
origin ‘http://localhost:8080‘ has been blocked by CORS policy: Response to preflight request doesn‘
weixin_42490383的博客
10-25 3181
Uniapp请求后台代码报错, Controller少加了注解 @CrossOrigin 注解作用: https://blog.csdn.net/qq_39205129/article/details/100163502
前后端分离跨域问题解决方案
weixin_44192363的博客
07-19 1732
package com.huaxin.wenjuan.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.UrlBasedCorsConf
tomcat解决cors 跨域
06-08
解决Tomcat的CORS跨域问题,可以在Tomcat的安装目录下找到conf文件夹,然后在里面找到web.xml文件。在这个文件中,可以添加如下的过滤器配置来解决CORS问题: ``` <filter> <filter-name>CorsFilter</filter-name> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> <init-param> <param-name>cors.allowed.origins</param-name> <param-value>*</param-value> </init-param> <init-param> <param-name>cors.allowed.methods</param-name> <param-value>GET,POST,HEAD,OPTIONS,PUT,DELETE</param-value> </init-param> <init-param> <param-name>cors.allowed.headers</param-name> <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value> </init-param> </filter> <filter-mapping> <filter-name>CorsFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> ``` 这个过滤器会允许所有的来源(`cors.allowed.origins`),所有的请求方法(`cors.allowed.methods`),所有的请求头(`cors.allowed.headers`)进行跨域访问。如果需要更加精细的配置,可以根据实际情况修改这些参数的值。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值