I have a web application developed with Angular 2 and a REST API developed with Spring Boot. The Spring API is used by the webapp and by a mobile application.
Mme Michu ---> WebApp (Angular 2 - Known origin) ---> API (Springboot CORS)
I configured CORS between the webapp and the API, and it works fine.
Here is how my CORSFilter is implemented:
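import java.io.IOException;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;

// Must be registered as a Spring bean so that Environment is injected.
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCORSFilter implements Filter {
    public SimpleCORSFilter() {
        super();
    }

    @Autowired
    private Environment environment;
    // Allowed origins, read from the comma-separated "access-control-allow-origin" property.
    private String[] acao;

    @Override
    public final void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
        acao = environment.getProperty("access-control-allow-origin").split(",");
        final HttpServletResponse response = (HttpServletResponse) res;
        final HttpServletRequest request = (HttpServletRequest) req;
        String origin = request.getHeader("Origin");
        // Echo the Origin back only when it is on the allow-list; otherwise send an empty value.
        response.setHeader("Access-Control-Allow-Origin", Arrays.asList(acao).contains(origin) ? origin : "");
        // without this header jquery.ajax calls return 401 even after successful login and SSESSIONID being successfully stored.
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "X-Requested-With, Authorization, Origin, Content-Type, Version");
        response.setHeader("Access-Control-Expose-Headers", "X-Requested-With, Authorization, Origin, Content-Type");
        // Preflight (OPTIONS) requests are answered here; everything else continues down the chain.
        if (!request.getMethod().equals("OPTIONS")) {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        acao = environment.getProperty("access-control-allow-origin").split(",");
    }
}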
The problem is that I need a new mobile app (developed with Ionic) to interact with the API.
Mme Michu --> MobileApp (Unknown origin) ---> API (Springboot CORS)
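Will the CORS policy block requests from the mobile app? How can I authorize requests from the mobile app, given that I cannot know the mobile app's "origin"?
Any comments are welcome...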
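I don't understand your answer... The CORS filter is server-side, so how can the client (the mobile app) supply an allowed origin? – DavidPi
The server sends the CORS headers, that is correct, but it is not the server that does the blocking when the origin does not match. Test with a different origin and you will see that the response sent by the server is blocked by the client (your browser). The server is responsible for reporting the allowed origins. The web browser is responsible for enforcing that requests are only sent from allowed domains. –
Great! I'll give it a try! Merci ;) – DavidPi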
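
The split of responsibilities described in the comments above, as an added example that is not part of the original thread: the server half mirrors the header decision in SimpleCORSFilter, and the client half is a simplified model of the check a browser applies to a cross-origin response. The origins, ALLOWED_ORIGINS and the function names are constructed for illustration.

```javascript
// Constructed sample value for the "access-control-allow-origin" property.
const ALLOWED_ORIGINS = ["https://webapp.example"];

// Server half: same header decision as SimpleCORSFilter in the question.
function serverCorsHeaders(originHeader) {
  return {
    "access-control-allow-origin":
      ALLOWED_ORIGINS.includes(originHeader) ? originHeader : "",
    "access-control-allow-credentials": "true",
  };
}

// Client half: simplified form of the CORS check a browser runs before
// letting page script read a cross-origin response.
function browserExposesResponse(pageOrigin, headers, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (!acao) return false;                            // header missing or empty
  if (!withCredentials && acao === "*") return true;  // wildcard, no cookies
  if (acao !== pageOrigin) return false;              // must match exactly
  if (!withCredentials) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// One non-preflighted request, end to end. Only a browser-like client applies
// the check; a native HTTP client has no same-origin policy to enforce.
function simulate(client) {
  const headers = serverCorsHeaders(client.origin);
  // The filter calls chain.doFilter() for every non-OPTIONS request, so the
  // API handles the request whatever the Origin header says.
  const handledByApi = true;
  if (client.kind !== "browser") {
    return { handledByApi, readableByClient: true, enforcedBy: "nothing" };
  }
  const readable = browserExposesResponse(client.origin, headers, client.withCredentials);
  return { handledByApi, readableByClient: readable, enforcedBy: "browser" };
}

// Constructed clients: the known webapp, an unlisted site, a native HTTP client.
const clients = [
  { name: "webapp", kind: "browser", origin: "https://webapp.example", withCredentials: true },
  { name: "other site", kind: "browser", origin: "https://other.example", withCredentials: true },
  { name: "native client, no Origin header", kind: "native", origin: undefined, withCredentials: true },
];
for (const c of clients) console.log(c.name, simulate(c));
```

A hybrid app whose requests go through the WebView behaves like the browser rows, while requests made through a native HTTP client behave like the last row. In every row the API still handles the request, so access control has to come from authentication and not from the CORS headers.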