本文讲述了在SpringBoot后端设置Cookie时遇到的跨域问题,强调了domain应设为顶级域名,并配置CORS以允许跨域。同时,当使用Zuul作为网关时,由于Zuul默认过滤了敏感头部如Authorization,导致前端无法获取,解决方案是更改Header名称或配置Zuul以允许传递Authorization。
1.跨域问题说明:后端域名为A.abc.com,前端域名为B.abc.com。
2.后端设置一个cookie发送给前台,domain应该是setDomain(“abc.com”),而不是setDomain(“B.abc.com”)
3.另外,还要实现WebMvcConfigurerr配置加入Cors的跨域
@Configurationpublic classWebConfig implements WebMvcConfigurer {
@Overridepublic voidaddCorsMappings(CorsRegistry registry) {
registry.addMapping("/**").allowedOrigins("*").allowedMethods("GET", "POST", "OPTIONS", "PUT")
.allowedHeaders("Content-Type", "X-Requested-With", "accept", "Origin", "Access-Control-Request-Method","Access-Control-Request-Headers")
.exposedHeaders("Access-Control-Allow-Origin", "Access-Control-Allow-Credentials")
.allowCredentials(true).maxAge(3600);
}
}
--------------------------------------------分割线2018-9-16--------------------------------
由于之前的项目要搬到springcloud上面,所有就有了zuul网关来管理所有的请求,之前cookie设置的请求头Authoriaztion居然没有被传到前端。
凉凉……
设置网关层跨域问题都已经全部允许任何请求头(下图),但是还是前端访问还是没有Authoriaztion,各种问题都排查了,都没有问题。。。大写的迷惘!!!
后来啊,干脆把Authoriaztion名字给改了,直接改为token。
艹,居然可以了,前端能拿到token;改回Authoriaztion,没有。。。
后来查了资料,才发现哦,zuul会默认过滤掉几个敏感词,没错,就是它:
/**
* List of sensitive headers that are not passed to downstream requests. Defaults to a
* "safe" set of headers that commonly contain user credentials. It's OK to remove
* those from the list if the downstream service is part of the same system as the
* proxy, so they are sharing authentication data. If using a physical URL outside
* your own domain, then generally it would be a bad idea to leak user credentials.
*/
private Set sensitiveHeaders = new LinkedHashSet<>(
Arrays.asList("Cookie", "Set-Cookie", "Authorization"));
而我,刚好就中奖了!!!
扫一扫
4029
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
