3

我有一个 Spring Boot REST 应用程序,上面有一个非常简单的 CORS 过滤器。我想要做的是动态响应 Access-Control-Request-Headers 标头中的值,而不是提供特定的列表。普遍的看法似乎是明确设置“Access-Control-Allow-Headers”中返回的值,但是我们会将一组来源列入白名单,并希望允许它们发送的任何标头。我找不到在 Access-Control-Request-Headers 中复制 Access-Control-Allow-Headers 值的方法。

这是代码

   @Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
    throws IOException, ServletException {

    HttpServletResponse response = (HttpServletResponse) servletResponse;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, DELETE, OPTIONS"); // will need to enable other methods when/as implemented
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers",
        ((HttpServletRequest) servletRequest).getHeader("Access-Control-Request-Headers"));
    filterChain.doFilter(servletRequest, servletResponse);
}

使用来自 Chrome 的请求和响应(当我们硬编码 Access-Control-Allow-Headers 的值时)

Remote Address:10.199.240.16:443
Request URL:https://myapp.com/gradebooks/5566669e-e4b0-d05e-0150-98d7ffffffff/assignments/3ad7f1e7-679b-4d8b-856e-d2e3589eaad6
Request Method:OPTIONS
Status Code:200 OK

Response Headers
    view source
    Access-Control-Allow-Methods → POST, PUT, GET, DELETE, OPTIONS
    Access-Control-Max-Age → 3600
    Content-Type → application/hal+json; charset=UTF-8
    Date → Tue, 21 Jul 2015 20:42:29 GMT
    Server → Jetty(9.2.9.v20150224)
    Transfer-Encoding → chunked
    X-Application-Context → application

Request Headers
    view source
    Accept:*/*
    Accept-Encoding:gzip, deflate, sdch
    Accept-Language:en-US,en;q=0.8
    Access-Control-Request-Headers:accept, content-type
    Access-Control-Request-Method:PUT
    Connection:keep-alive
    Host:gbservices-api.dev-prsn.com
    Origin:http://localhost:3000
    Referer:http://localhost:3000/
    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36

这是错误

XMLHttpRequest 无法加载 https://myapp.com/gradebooks/5566669e-e4b0-d05e-0150-98d7ffffffff/assignments/3ad7f1e7-679b-4d8b-856e-d2e3589eaad6。Access-Control-Allow-Headers 不允许请求标头字段 Content-Type。

我在过滤器中发现的调试是 Access-Control-Request-Headers,只有那个标题,在它到达过滤器时丢失了。拼错标题并且它到达了,所以似乎有东西在拦截标题并在它到达我的过滤器之前将其丢弃......

4

0 回答 0