dropwizard支持cors的配置如下:
public void run(Configuration conf, Environment environment) { // Enable CORS headers final FilterRegistration.Dynamic cors = environment.servlets().addFilter("CORS", CrossOriginFilter.class); // Configure CORS parameters cors.setInitParameter("allowedOrigins", "*"); cors.setInitParameter("allowedHeaders", "X-Requested-With,Content-Type,Accept,Origin"); cors.setInitParameter("allowedMethods", "OPTIONS,GET,PUT,POST,DELETE,HEAD"); // Add URL mapping cors.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*"); }
支持自定义header,需要加上allowedHeaders。否则在浏览器中的response header中可以看到自定义header,js却取不到值。
public void run(Configuration conf, Environment environment) { // Enable CORS headers final FilterRegistration.Dynamic cors = environment.servlets().addFilter("CORS", CrossOriginFilter.class); // Configure CORS parameters cors.setInitParameter("allowedOrigins", "*"); cors.setInitParameter("allowedHeaders", "X-Requested-With,Content-Type,Accept,Origin,X-Export-Result");
cors.setInitParameter("allowedHeaders", "X-Export-Result");
cors.setInitParameter("allowedMethods", "OPTIONS,GET,PUT,POST,DELETE,HEAD");
// Add URL mapping
cors.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*"); }
CrossOriginFilter的几个参数的定义:
allowedOrigins a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "." and the resulting allowed origin interpreted as a regular expression. Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.). allowedTimingOrigins a comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins. The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins. allowedMethods a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD allowedHeaders a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted. preflightMaxAge the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes allowCredentials a boolean indicating if the resource allows requests with credentials. Default value is true exposedHeaders a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list chainPreflight if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.