ajax跨域登录:
系统权限安全框架使用shiro,系统登录时发送ajax请求调用springmvc action方法进行系统登录及身份认证,角色权限授权等。由于ajax请求时,浏览器会认为携带Cookie是不安全请求,将限制其携带Cookie信息,导致登录action方法无法获取并响应相应的Cookie(JSESSIONID),身份认证及角色权限授权、退出等都操作都无法正常使用。
解决办法:
在客户端中的 中jquery中的ajax中添加
crossDomain: true,
xhrFields:{ withCredentials:true },
//或者
beforeSend: function(xhr) {
xhr.withCredentials = true;
},
服务器添写一个过滤器
package com.game.filter;
import java.io.IOException;
import java.util.Collection;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
public class CORSFilter implements Filter {
private final Logger logger = Logger.getLogger(CORSFilter.class);
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) resp;
HttpServletRequest request = (HttpServletRequest) req;
//允许所有url路径都可以跨域请求
//response.setHeader("Access-Control-Allow-Origin","*");
response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
//允许POST,GET,OPTIONS,DELETE的外域请求
response.setHeader("Access-Control-Allow-Methods","POST,GET,OPTIONS,DELETE");
//表名在3600秒内,不需要发送预检请求
response.setHeader("Access-Control-Max-Age","3600");
//表明允许跨域请求所包含的头
//response.setHeader("Access-Control-Allow-Headers","host,connection,content-length,accept,origin,x-requested-with,user-agent,content-type,referer,accept-encoding,accept-language,cookie");
response.setHeader("Access-Control-Allow-Headers", "DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,SessionToken,Cookie");
//ajax跨域求情允许传递cookie
response.setHeader("Access-Control-Allow-Credentials", "true");
//获取request的头部信息
Enumeration<String> headers = request.getHeaderNames();
while(headers.hasMoreElements()){
String header = headers.nextElement();
logger.info("header:"+header+" value:"+request.getHeader(header));
}
//获取response的头部信息
Collection<String> rheaders = response.getHeaderNames();
for(String header:rheaders){
logger.info("ResponseHeader:"+header+" ResponseValue:"+response.getHeader(header));
}
//执行目标路径的mothod
chain.doFilter(req, resp);
}
@Override
public void init(FilterConfig config) throws ServletException {
}
}
web.xml中的配置为:
<!-- 跨域请求预处理CORS -->
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.game.filter.CORSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/game/*</url-pattern>
</filter-mapping>
就可以传递cookie数据