Please credit the source when reposting.
Original link: /qq_39309348/article/details/103267908
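Before the actual cross-origin request, the browser sends a "preflight" request (an OPTIONS request) when required. The preflight lets the server return the allowed methods (such as GET and POST), the Origin (the source, or domain) that is allowed cross-origin access, and whether Credentials (authentication information) are required.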
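Why the OPTIONS request is sent
If the cross-origin request is a Simple Request, no preflight is triggered. Mozilla's requirements for a simple request are:
All three of the following must hold:
1. The method can only be GET, HEAD or POST
2. Apart from the headers the browser adds itself (such as Connection and User-Agent), the developer may only add these: Accept, Accept-Language, Content-Type, ...
3. Content-Type can only take one of these values:
application/x-www-form-urlencoded
multipart/form-data
text/plain
When the conditions above are not met, an OPTIONS preflight request is sent. Usually this happens because the Content-Type was changed to application/json, which is what triggers the OPTIONS request.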
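Problem
When the OPTIONS request is sent, all parameters are null. If the back end validates that parameters are non-empty, it reports an error saying a required parameter is missing.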
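Solutions
1. Handle OPTIONS requests in a filter
This is a perfectly reasonable approach. Note that if(OPTIONS.equalsIgnoreCase(request.getMethod())) return; must come after the response.... calls; otherwise the OPTIONS request succeeds but the POST cannot be sent.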
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(filterName = "CorsFilter", urlPatterns = "/*")
public class CorsFilter implements Filter {
    private static final String OPTIONS = "OPTIONS";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // Set the CORS headers first so that the preflight response carries them too.
        response.addHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST,GET,PUT,DELETE,OPTIONS");
        response.addHeader("Access-Control-Allow-Headers", "*");
        //response.addHeader("Access-Control-Max-Age", "3628800"); // optional
        // Stop here for OPTIONS so the request never reaches parameter validation.
        // Setting the status explicitly to 204, HttpStatus.SC_OK or 200 also works
        // (import org.apache.http.HttpStatus).
        if (OPTIONS.equalsIgnoreCase(request.getMethod())) return;
        filterChain.doFilter(servletRequest, response);
    }

    @Override
    public void destroy() {}
}
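2. Add Access-Control-Max-Age caching in the filter
This approach cannot avoid the first OPTIONS preflight request. If the back end validates that parameters are non-empty, the same problem still occurs.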
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class CorsFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        response.addHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST,GET,PUT,DELETE,OPTIONS");
        response.addHeader("Access-Control-Allow-Headers", "*");
        response.addHeader("Access-Control-Max-Age", "3600"); // no preflight is sent again within 3600 seconds
        filterChain.doFilter(servletRequest, response);
    }

    @Override
    public void destroy() {}
}
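3. Use Spring Boot's built-in CORS support
Compared with adding the response headers in a filter, Spring Boot already handles OPTIONS requests for us, whereas a hand-written filter has to handle them itself.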
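import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@SpringBootApplication
@Configuration
public class ApplicationA extends WebMvcConfigurerAdapter {
    public static void main(String[] args) {
        SpringApplication.run(ApplicationA.class, args);
    }

    // Cross-origin support
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Note: Spring Framework 5.3+ rejects allowedOrigins("*") combined with
        // allowCredentials(true); list explicit origins or use allowedOriginPatterns there.
        registry.addMapping("/**")          // all paths
                .allowedOrigins("*")        // allowed origins
                .allowCredentials(true)
                .allowedHeaders("*")        // allowed request headers
                .allowedMethods("GET", "POST", "DELETE", "PUT", "OPTIONS") // allowed methods
                .maxAge(3600);              // the preflight result may be cached for 3600 seconds, so no new preflight is needed in that time
    }
}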