I have some code for a pre-flight filter in Spring Boot, but I don't know what this code is for:
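    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.stereotype.Component;

    @Component
    // We want to put this in front of SpringSessionFilter
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class RequestFilter implements Filter {

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // CORS response headers, set on every response
            response.setHeader("Access-Control-Allow-Origin", "*");
            response.setHeader("Access-control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "x-requested-with, x-auth-token");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Credentials", "true");

            if (!(request.getMethod().equalsIgnoreCase("OPTIONS"))) {
                // Not a pre-flight: pass the request on to the rest of the filter chain
                try {
                    chain.doFilter(req, res);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            } else {
                // Pre-flight (OPTIONS): answer directly, without calling the chain
                System.out.println("Pre-fight");
                // "Access-Control-Allowed-Methods" is not a standard CORS header name;
                // the "Access-control-Allow-Methods" value set above is the one browsers read
                response.setHeader("Access-Control-Allowed-Methods", "POST, GET, DELETE");
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setHeader("Access-Control-Allow-Headers", "authorization, content-type, x-auth-token, " +
                        "access-control-request-headers,access-control-request-method,accept,origin,authorization,x-requested-with");
                response.setStatus(HttpServletResponse.SC_OK);
            }
        }

        @Override
        public void init(FilterConfig filterConfig) {}

        @Override
        public void destroy() {}
    }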
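Here is the explanation of this file:
So when Angular 2 sends an HTTP POST ajax call, it will first send a pre-flight request whose method type is not "POST" but "OPTIONS". If this pre-flight gets a valid response, it will then start sending the real HTTP POST. This is to prevent cross-site attacks. On the back end, Spring has no out-of-the-box handling for this. So we need to check whether the HTTP method is a pre-flight. If it is, we just respond with valid headers and information. If not, we continue with the filter chain.
But I can't understand the source code. Can anyone explain it to me?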
繁星点点滴滴