Browser console message:
has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*'
when the request's credentials mode is 'include'.
The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
CORS requests do not send cookies or HTTP authentication information by default. To send cookies to the server, the server must first consent by specifying the Access-Control-Allow-Credentials header.
When the request includes credentials (the front end has set withCredentials = true), Access-Control-Allow-Origin cannot use the * wildcard; a specific origin must be given.
If the controller forwards to a view page, setting the headers in postHandle works fine.
If the handler is annotated with @ResponseBody or returns a ResponseEntity, modifying the response headers in the postHandle interceptor has no effect.
This is because the handler method has already written the body and committed the response through the HandlerAdapter (the component that invokes the handler and the interceptor methods) before postHandle runs, so any header changes made afterwards are discarded.
```java
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.LoggerFactory;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class CorsInterceptor implements HandlerInterceptor {

    // Does NOT work for @ResponseBody / ResponseEntity handlers: the response is already committed here.
    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                           Object handler, ModelAndView modelAndView) throws Exception {
        // Fall back to Referer when Origin is absent. Note that Referer carries a full URL, not an
        // origin, so the browser will not accept it as an Access-Control-Allow-Origin value.
        String origin = Optional.ofNullable(httpServletRequest.getHeader("Origin"))
                .orElse(httpServletRequest.getHeader("Referer"));
        LoggerFactory.getLogger(getClass()).info("origin = {}", origin == null ? "*" : origin);
        // Reflects whatever origin the request carried; see the allowlist note below.
        httpServletResponse.setHeader("Access-Control-Allow-Origin", origin);
        // Header name must have no trailing space, otherwise the browser never sees it.
        httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
        httpServletResponse.setHeader("Access-Control-Allow-Headers",
                "Origin, X-Requested-With, Content-Type, Accept, Connection, User-Agent, Cookie");
    }
}
```
Handle it in the `preHandle` method instead: set the CORS response headers before the handler method is entered.
Also check whether the settings are altered anywhere else, such as in controller advice (@ControllerAdvice) or an @InitBinder in the controller class.
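The preHandle approach described above, written as an added example rather than code from the original note. It assumes Spring 5 with javax.servlet and Java 9+; the class name and the allowlist origins are placeholders. Because Access-Control-Allow-Credentials: true makes the browser attach cookies, the origin is echoed only when it matches an allowlist, never reflected blindly and never replaced with *.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

/** Hypothetical interceptor: sets CORS headers in preHandle, before the handler writes the body. */
public class CorsPreHandleInterceptor implements HandlerInterceptor {

    // Constructed allowlist; replace with the real front-end origins (scheme + host + port).
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        String origin = request.getHeader("Origin");
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            // Exact allowlist match: echo that one origin so credentialed requests are accepted.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers",
                    "Origin, X-Requested-With, Content-Type, Accept");
            // The response now depends on Origin; shared caches must not serve it to another origin.
            response.addHeader("Vary", "Origin");
        }
        // Any other origin gets no CORS headers, so the browser refuses to expose the response.

        if (preflight) {
            // Answer the preflight here; it must not reach the handler.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return false;
        }
        return true;
    }
}
```

Register it through a WebMvcConfigurer's addInterceptors so it runs before every handler, and keep the allowlist in configuration rather than source.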