import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@WebFilter(urlPatterns = "
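/**
 * Origins that may send credentialed (cookie-carrying) cross-origin requests.
 * The entry below is a placeholder: replace it with the real front-end
 * origin(s), written exactly as the browser sends them (scheme + host +
 * optional port, no path and no trailing slash).
 */
private static final String[] ALLOWED_ORIGINS = {
    "https://app.example.com" // placeholder value, not a real deployment origin
};

/**
 * Adds the CORS headers needed for cross-origin requests that carry cookies,
 * but only when the request's {@code Origin} header is on the allowlist.
 *
 * <p>The request's Origin is no longer echoed back unconditionally. Combined
 * with {@code Access-Control-Allow-Credentials: true}, an unconditional echo
 * lets any site read authenticated responses with the user's cookies, so the
 * value is only reflected after an exact match against
 * {@link #ALLOWED_ORIGINS}. The former fallback to {@code Referer} is dropped:
 * Referer is a full URL rather than an origin, so it never forms a valid
 * {@code Access-Control-Allow-Origin} value.
 *
 * @param servletRequest  incoming request, cast to {@link HttpServletRequest}
 * @param servletResponse outgoing response, cast to {@link HttpServletResponse}
 * @param chain           remaining filter chain; always invoked
 * @throws ServletException propagated from the rest of the chain
 * @throws IOException      propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest req = (HttpServletRequest) servletRequest;
    HttpServletResponse resp = (HttpServletResponse) servletResponse;

    String origin = req.getHeader("Origin");

    // The CORS headers depend on the request's Origin, so shared caches must
    // not reuse a response produced for a different origin.
    resp.addHeader("Vary", "Origin");

    if (isAllowedOrigin(origin)) {
        // "*" cannot be used here: browsers ignore Allow-Credentials when the
        // allowed origin is the wildcard, so the exact origin is sent instead.
        resp.setHeader("Access-Control-Allow-Origin", origin);
        // "true" lets the browser attach cookies and expose the response to the caller.
        resp.setHeader("Access-Control-Allow-Credentials", "true");
    }
    // Requests from other origins (or without an Origin header) continue
    // without CORS headers; the browser then blocks cross-origin reads.

    chain.doFilter(servletRequest, servletResponse);
}

/** Returns true only when {@code origin} exactly equals an allowlisted origin. */
private static boolean isAllowedOrigin(String origin) {
    if (origin == null) {
        return false;
    }
    for (String allowed : ALLOWED_ORIGINS) {
        // Exact comparison only: prefix/suffix/contains checks can be
        // satisfied by look-alike host names.
        if (allowed.equals(origin)) {
            return true;
        }
    }
    return false;
}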
/**
 * Lifecycle hook called when the filter is initialised.
 * This filter reads nothing from {@code filterConfig}, so there is no work to do.
 *
 * @param filterConfig container-supplied configuration (unused)
 * @throws ServletException declared by the interface; never thrown here
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
    // Intentionally empty: no start-up state is required.
}
}
springboot2.配置过滤器时,启动类必须加上@ServletComponentScan才会加载过滤器
然后前端配置使用vue.resource发送请求时配置如下:
main.js中 Vue.http.options.xhr = { withCredentials: true }
使用vue.axios发送请求时配置如下:
axios.defaults.withCredentials = true;
jquery请求带上 xhrFields: {withCredentials: true}, crossDomain: true;
// Cross-origin POST that carries cookies. The browser only exposes the
// response when the server answers with Access-Control-Allow-Credentials: true
// and a specific (non-wildcard) Access-Control-Allow-Origin.
var requestOptions = {
    type: "post",
    url: "",
    // withCredentials tells the browser to send and accept cookies on this request
    xhrFields: { withCredentials: true },
    crossDomain: true,
    data: { username: $("#username").val() },
    dataType: "json",
    success: function (data) { }
};
$.ajax(requestOptions);
此时问题已解决。
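如果还有问题,则是因为部分浏览器为了防止 CSRF 等漏洞,要求跨站 cookie 显式设置 SameSite 属性。Node.js 有专门的方法设置,而 Java 后端的 cookie 现在还没有对应的设置方法,目前只能手动改写响应头。注意:SameSite=None 必须与 Secure 一起使用(cookie 只会通过 HTTPS 发送),并且它等于放弃了浏览器的 SameSite 防护,因此服务端仍需要自己的 CSRF 防护(例如 CSRF token)。代码如下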
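// Example of a cookie added earlier in the request (kept commented out, as in the original):
// Cookie cookie1 = new Cookie("test", "test");
// cookie1.setPath("/");
// cookie1.setHttpOnly(true);
// response.addCookie(cookie1);

// Append "Secure; SameSite=None" to every Set-Cookie header already on the response.
// getHeader() returns only the first value and setHeader() replaces all of them, so the
// single-header version silently drops additional cookies and writes the literal text
// "null; Secure; SameSite=None" when no cookie has been set. Copy the values first,
// because the header set is modified while it is being rewritten.
java.util.List<String> setCookieHeaders = new java.util.ArrayList<>(response.getHeaders("set-cookie"));
boolean firstHeader = true;
for (String setCookie : setCookieHeaders) {
    // SameSite=None is only honoured by browsers together with Secure (HTTPS-only cookie).
    String patched = setCookie + "; Secure; SameSite=None";
    if (firstHeader) {
        // setHeader clears the old values so they are not emitted twice.
        response.setHeader("set-cookie", patched);
        firstHeader = false;
    } else {
        response.addHeader("set-cookie", patched);
    }
}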
此解决方案:如果涉及到cookie无法设置过期时间,请留言。



