CORS for localhost and domain
Question
I am using the following code to set CORS for Java/Jersey based web application.
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        // resp.addHeader("Access-Control-Allow-Origin", "http://localhost:3000");
        resp.addHeader("Access-Control-Allow-Origin", "*");
        // resp.addHeader("Access-Control-Allow-Origin", "http://digitran-virtualtestengineer.tk");
        resp.addHeader("Access-Control-Allow-Headers", "*");
        resp.addHeader("Access-Control-Allow-Methods", "*");
        chain.doFilter(request, response);
    }
My client code is ReactJS based and the API call is made as follows:
    axios.post("http://localhost:9900/upload/file", data, config)

Problem:
Every time I have to switch between localhost and domain by using the following lines of code:

    resp.addHeader("Access-Control-Allow-Origin", "http://localhost:3000");
    resp.addHeader("Access-Control-Allow-Origin", "http://digitran-virtualtestengineer.tk");

or I have to allow all domains as follows:

    resp.addHeader("Access-Control-Allow-Origin", "*");

Question:
Is there any way to add both localhost and domain in the same line like the following code?

    resp.addHeader("Access-Control-Allow-Origin", ["http://digitran-virtualtestengineer.tk", "http://localhost:3000"]);
Answer 1
Score: 1
A CORS request will have an Origin header. This header is what asks the server "is that origin allowed?" The server responds back with Access-Control-Allow-Origin: <origin>. You can use a * signifying that all origins are allowed, or you can use a single origin, generally the origin requested with the Origin header or only a single origin that you allow.

So what you should do is get the Origin header from the HttpServletRequest. Then keep a list of origins you want to allow. Then check the origin against the list, making sure the origin is in the list. If it is, then add that origin as the value for the Access-Control-Allow-Origin header. Something like
    // class member
    final List<String> allowedOrigins
            = Arrays.asList("http://localhost:3000",
                            "http://digitran-virtualtestengineer.tk");

    // in filter method (request and response already cast to
    // HttpServletRequest and HttpServletResponse)
    String origin = request.getHeader("ORIGIN");
    if (origin != null) {
        if (allowedOrigins.contains(origin)) {
            response.addHeader("Access-Control-Allow-Origin", origin);
        } else {
            // end request and send 403 Forbidden response
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
    }
Also, as mentioned by @jonrsharpe, you should consider adding these allowed origins to a configuration file. You can construct the list from this file. This is a common practice in a production project.
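The allowlist check and the configuration-file suggestion from this answer, as an added example that is not part of the original answer. The class name `CorsAllowlist`, the method `headersFor`, the comma-separated configuration format and the sample `Origin` values are assumptions made for illustration; the code uses only the JDK so it runs without a servlet container.

```java
import java.util.*;

// Added example: decides CORS response headers from an exact-match origin allowlist.
public class CorsAllowlist {
    private final Set<String> allowed;

    // Assumed config format: comma-separated origins, e.g. one property value
    // read from a configuration file at startup.
    CorsAllowlist(String csv) {
        Set<String> s = new HashSet<>();
        for (String o : csv.split(",")) {
            if (!o.trim().isEmpty()) s.add(o.trim());
        }
        allowed = Collections.unmodifiableSet(s);
    }

    // Returns the headers to add to the response. Access-Control-Allow-Origin
    // is present only when the request's Origin is on the allowlist.
    Map<String, String> headersFor(String origin) {
        Map<String, String> h = new LinkedHashMap<>();
        // The response varies with the Origin request header, so shared caches
        // must not reuse a response generated for a different origin.
        h.put("Vary", "Origin");
        // Exact string comparison only (no startsWith/contains/regex), so
        // look-alike origins never match. A missing header or the literal
        // "null" origin is not in the set and gets no allow header.
        if (origin != null && allowed.contains(origin)) {
            h.put("Access-Control-Allow-Origin", origin);
        }
        return h;
    }

    public static void main(String[] args) {
        CorsAllowlist cors = new CorsAllowlist(
            "http://localhost:3000, http://digitran-virtualtestengineer.tk");
        // Constructed sample Origin values (not from the original page).
        String[] samples = {
            "http://localhost:3000",
            "http://digitran-virtualtestengineer.tk",
            "http://localhost:3000.example.test",      // prefix look-alike
            "https://digitran-virtualtestengineer.tk", // different scheme
            "null",
        };
        for (String o : samples) {
            System.out.println(o + " -> " + cors.headersFor(o));
        }
        System.out.println("(no Origin header) -> " + cors.headersFor(null));
    }
}
```

In a servlet filter, each entry of the returned map would be copied onto the `HttpServletResponse` before calling `chain.doFilter`.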
Answer 2
Score: -1
The final code is as given below:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        String url = null;
        String clientOrigin = null;
        if (request instanceof HttpServletRequest) {
            url = ((HttpServletRequest) request).getRequestURL().toString();
            clientOrigin = ((HttpServletRequest) request).getHeader("origin");
            System.out.println("url inside doFilter = " + url);
            System.out.println("clientOrigin inside doFilter = " + clientOrigin);
        }
        HttpServletResponse resp = (HttpServletResponse) response;
        // allowedOrigins is a class member holding the permitted origins
        if (clientOrigin != null) {
            if (allowedOrigins.contains(clientOrigin)) {
                resp.addHeader("Access-Control-Allow-Origin", clientOrigin);
            }
        }
        resp.addHeader("Access-Control-Allow-Headers", "*");
        resp.addHeader("Access-Control-Allow-Methods", "*");
        chain.doFilter(request, response);
    }