SimpleCORSFilter doesn't work

I am using Spring Rest as my backend. When I send a request with $.ajax({}), I get this error message:

XMLHttpRequest cannot load http://121.40.249.129:8080/user/login. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.

So, I added SimpleCORSFilter in my Spring Project:

SimpleCORSFilter:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;

@Component
public class SimpleCORSFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        // CORS response headers added to every response passing through this filter
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Headers", "X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version");
        // Continue down the filter chain to the controllers
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}
}

Since I don't have a web.xml, I didn't add the following to web.xml:

<filter>
    <filter-name>simpleCORSFilter</filter-name>
    <filter-class>xxx.xxx.SimpleCORSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>simpleCORSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

So I still get the error. How can I fix it?


As I have experienced, * won't work for Access-Control-Allow-Origin when Access-Control-Allow-Credentials is set to true.

So, you should instead have

response.setHeader("Access-Control-Allow-Origin", "http://127.0.0.1:8000");

Actually, instead of hardcoding the url, you can have that as a property. If you want to allow multiple origins, this answer would help.

Also:

  1. It's advised to annotate the class with @Order(Ordered.HIGHEST_PRECEDENCE), because this filter should come first.
  2. If you are using CSRF, the corresponding header should also be added to the list in Access-Control-Allow-Headers.

Update:

As @RTzhong did (see his comments below), replacing * with request.getHeader("Origin") seems like the ideal fix. However, a better security practice in general would be to specify the actual URL or to first check it against a whitelist, unless one must expose his API publicly to unknown websites.

Refer to Spring Lemon's source code for a concrete example.