默认情况下,跨域请求不提供凭据(cookie、HTTP认证及客户端SSL证明等)。
如何解决Ajax跨域请求不携带cookie?需要前后端一起配合解决,通过将withCredentials属性设置为true,可以指定某个请求应该发送凭据。这样就可以就行跨域cookie共享了。
1.原生js设置方式
xhr.withCredentials = true;
2.jQuery设置方式
$.ajax({ ... xhrFields: { withCredentials: true }, ... })
也可全局配置
$.ajaxSetup({ xhrFields: { withCredentials: true } });
使用过滤器实现
import javax.servlet.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; public class CorsFilter implements Filter { @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { //获取来源,此处可进一步判断来源的合法性,避免接口被其他站点使用 String origin = request.getHeader("origin"); HttpServletResponse response = (HttpServletResponse) res; HttpServletRequest request = (HttpServletRequest) req; response.setHeader("Access-Control-Allow-Origin", origin); response.setHeader("Access-Control-Allow-Credentials", "true"); response.setHeader("Access-Control-Allow-Methods", "ACL, CANCELUPLOAD, CHECKIN, CHECKOUT, COPY, DELETE, GET, HEAD, LOCK, MKCALENDAR, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, REPORT, SEARCH, UNCHECKOUT, UNLOCK, UPDATE, VERSION-CONTROL"); response.setHeader("Access-Control-Max-Age", "3600"); response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Key, Authorization, puid, rememberMe"); if ("OPTIONS".equalsIgnoreCase(request.getMethod())) { response.setStatus(HttpServletResponse.SC_OK); return; } else { chain.doFilter(req, res); } } @Override public void init(FilterConfig filterConfig) { // not needed } @Override public void destroy() { //not needed } }
要想设置和获取跨域 Cookie,上面提到的两点缺一不可。另外有一点需要注意的是:如果 ajax 请求设置了withCredentials 属性为true和crossDomain属性为true,那么服务器不得设置 Access-Control-Allow-Origin的值为*,否则浏览器将会抛出以下的错误:
The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’
发表评论(对文章涉及的知识点还有疑问,可以在这里留言,老高看到后会及时回复的。)