覆盖CORS配置

Question

我已经部署了一个基于Blade CLI blade.rest示例的OSGi模块，并将其修改为返回响应而不是纯文本。这里是类：

package com.autentia.api.rest.users; 

import org.osgi.service.component.annotations.Component; 
import javax.servlet.http.HttpServletRequest; 


import javax.ws.rs.ApplicationPath; 
import javax.ws.rs.GET; 
import javax.ws.rs.Path; 
import javax.ws.rs.Produces; 
import javax.ws.rs.core.Application; 
import javax.ws.rs.core.Context; 
import javax.ws.rs.core.MediaType; 
import javax.ws.rs.core.Response; 
import java.util.Collections; 
import java.util.Set; 

@ApplicationPath("/users") 
@Component(
     immediate = true, property = {"jaxrs.application=true"}, 
     service = Application.class 
) 
public class UsersRestService extends Application { 

    @Override 
    public Set<Object> getSingletons() { 
     return Collections.singleton(this); 
    } 

    @GET 
    @Path("/") 
    @Produces(MediaType.APPLICATION_JSON) 
    public Response getUsers(@Context HttpServletRequest request) { 
     System.out.println(request.getRemoteAddr()); 
     String json = "{\n" + " \"value\": \"ok\"\n" + "}"; 
     return Response 
       .status(200) 
       .header("Access-Control-Allow-Origin", "*") 
       .entity(json) 
       .build(); 
    } 
} 

（这在当地工作，如果我删除.header("Access-Control-Allow-Origin", "*")）

当我做了一份请愿书服务器出现问题的反应有两种访问控制，访问原产地性质，一个设置为“*”（这是我想要的），另一个设置为发送它的IP。响应如下：

Access-Control-Allow-Credentials:true 
Access-Control-Allow-Origin:http://localhost:3000 
Access-Control-Allow-Origin:* 
Content-Length:19 
Content-Type:application/json 
Date:Wed, 12 Apr 2017 15:23:38 GMT 
Server:Apache-Coyote/1.1 
Set-Cookie:JSESSIONID=CF771CD0FAECDAF226D153FB05875CC3; Path=/; HttpOnly 
X-Content-Type-Options:nosniff 
X-Frame-Options:SAMEORIGIN 
X-Request-URL:http://localhost:8080/o/api/users 
X-XSS-Protection:1 

正如您所见，有两个不被接受的Access-Control-Allow-Origin。我应该从哪里开始寻找？我应该修改Tomcat的web.xml吗？我已经看过portal.properties和system.properties但我还没有看到一个属性，使该头。

谢谢。在CATALINA_BASE/conf/web.xml

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

Answer 1

寻找一个CorsFilter过滤器的文档。

要允许从任何来源的请求，你可以将它添加到该文件：

<init-param> 
    <param-name>cors.allowed.origins</param-name> 
    <param-value>*</param-value> 
</init-param> 

Answer 2

由于@sideshowbarker提到的关键是编辑web.xml文件位于Liferay的嵌入式的Tomcat。我应用的配置是如下：

<filter> 
    <filter-name>CorsFilter</filter-name> 
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> 
    <init-param> 
     <param-name>cors.allowed.origins</param-name> 
     <param-value>http://localhost:49227</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.allowed.methods</param-name> 
     <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.allowed.headers</param-name> 
     <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.exposed.headers</param-name> 
     <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.support.credentials</param-name> 
     <param-value>true</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.preflight.maxage</param-name> 
     <param-value>10</param-value> 
    </init-param> 
</filter> 
<filter-mapping> 
    <filter-name>CorsFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

之后我从方法我用的反应除去报头和重新启动的Tomcat所以配置被施加。

如果我想要让我都起源或白名单IP地址更改以下param：

<init-param> 
    <param-name>cors.allowed.origins</param-name> 
    <param-value>http://<IP_TO_WHITELIST>:<PORT></param-value> 
</init-param> 

或允许所有来源：

<init-param> 
    <param-name>cors.allowed.origins</param-name> 
    <param-value>*</param-value> 
</init-param>