跨域访问解决方案：利用CORS

摘要: 服务端利用Cors解决跨域访问

在进行前后端分离开发的过程中，跨域问题不可避免，比如:静态页面应用部署在http://a.xxx.com 下,后端应用符合RESTFUL 约束风格部署在http://b.xxx.com 下。通常我们的页面会向服务端发起Ajax请求，但是有个问题就是Ajax请求只能同源使用，跨域问题的解决方案有很多，今次介绍使用CORS技术来实现。
CORS，Cross Origin Resource Sharing，跨域资源共享。CORS实现十分的简单，只需在服务端添加相应的Response Header，先介绍一下需要添加的Headers。

Access-Control-Allow-Origin:允许访问的域名，String，

Access-Control-Allow-Credentials：是否发送Cookie，boolean，

Access-Control-Allow-Headers：允许客户端的请求头，Content-Type

Access-Control-Allow-Methods：允许的方法名，GET，POST，DETELE，OPTIONS

Access-Control-Expose-Headers：允许客户端访问的服务端响应头

要实现CORS技术，只需写一个Filter并在Web.xml中配置就可以实现了。

public class CorsFilter implements Filter {
private String allowOrigin;
private String allowMethods;
private String allowCredentials;
private String allowHeaders;
private String exposeHeaders;

/**
* Default constructor.
*/
public CorsFilter() {

}

/**
* [@see](https://my.oschina.net/weimingwei) Filter#destroy()
*/
public void destroy() {
// TODO Auto-generated method stub
}

/**
* [@see](https://my.oschina.net/weimingwei) Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest req=(HttpServletRequest) request;
HttpServletResponse res=(HttpServletResponse) response;
res.setHeader("Access-Control-Allow-Origin", allowOrigin);
res.setHeader("Access-Control-Allow-Methods", allowMethods);
res.setHeader("Access-Control-Allow-Credentials",allowCredentials);
res.setHeader("Access-Control-Allow-Headers", allowHeaders);
res.setHeader("Access-Control-Allow-Expose-Headers", exposeHeaders);

// pass the request along the filter chain
chain.doFilter(request, response);
}

/**
* [@see](https://my.oschina.net/weimingwei) Filter#init(FilterConfig)
*/
public void init(FilterConfig fConfig) throws ServletException {
allowOrigin = fConfig.getInitParameter("allowOrigin");
allowMethods = fConfig.getInitParameter("allowMethods");
allowCredentials = fConfig.getInitParameter("allowCredentials");
allowHeaders = fConfig.getInitParameter("allowHeaders");
exposeHeaders = fConfig.getInitParameter("exposeHeaders");
}
}

然后在web.xml中配置filter,allowOrigin对应的*号，表示任何域名都可以访问，可以写入具体域名，多个域 名用逗号分割开。

<filter>
<description>cross origin resource sharing</description>
<display-name>CorsFilter</display-name>
<filter-name>CorsFilter</filter-name>
<filter-class>com.xxx.filter.CorsFilter</filter-class>
<init-param>
<param-name>allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>allowMethods</param-name>
<param-value>GET,POST,PUT,DELETE,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowCredentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>allowHeaders</param-name>
<param-value>Content-Type</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>