我正在尝试使用
Spring的RestTemplate进行跨源请求.通信是在两个Spring-boot webapps之间完成的,这两个webapp都运行在localhost但不同的端口上.我所做的是:
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.setOrigin("http://localhost:8083");
httpHeaders.add("Authorization",token);
HttpEntity<Void> httpEntity = new HttpEntity<>(httpHeaders);
ParameterizedTypeReference<List<MyObj>> beanType = new ParameterizedTypeReference<List<MyObj>>() {};
ResponseEntity<List<MyObj>> list = restTemplate.exchange(serviceURL,HttpMethod.GET,httpEntity,beanType);
执行调用,“授权”标题传递得很好,但无论我尝试什么,接收端都没有“Origin”标题.
当我使用其他工具(SoapUI,RestClient Chrome插件等)创建一个simillar请求时,标题就像我提供的那样传递.
要在接收端打印所有标头,我正在使用javax.servlet.Filter的实现:
public void doFilter(ServletRequest req,ServletResponse res,FilterChain chain)
throws IOException,ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
Enumeration<String> headerNames = request.getHeaderNames();
while (headerNames.hasMoreElements()) {
String headerName = headerNames.nextElement();
log.info(headerName + ": " + request.getHeader(headerName));
}
}
使用RestTemplate时为什么不传递origin头?
解决方法
有同样的问题,我花了一个世纪来修复.
根本原因是来自RestTemplate文档的这一行
Note: by default the RestTemplate relies on standard JDK facilities to establish HTTP connections.
如果您在Java中检查HttpUrlConnection类的源代码,您将在下面的代码块中找到,并且标头Origin是禁止更改的受限标头之一:
/*
* Restrict setting of request headers through the public api
* consistent with JavaScript XMLHttpRequest2 with a few
* exceptions. Disallowed headers are silently ignored for
* backwards compatibility reasons rather than throwing a
* SecurityException. For example,some applets set the
* Host header since old JREs did not implement HTTP 1.1.
* Additionally,any header starting with Sec- is
* disallowed.
*
* The following headers are allowed for historical reasons:
*
* Accept-Charset,Accept-Encoding,Cookie,Cookie2,Date,* Referer,TE,User-Agent,headers beginning with Proxy-.
*
* The following headers are allowed in a limited form:
*
* Connection: close
*
* See http://www.w3.org/TR/XMLHttpRequest2.
*/
private static final boolean allowRestrictedHeaders;
private static final Set<String> restrictedHeaderSet;
private static final String[] restrictedHeaders = {
/* Restricted by XMLHttpRequest2 */
//"Accept-Charset",//"Accept-Encoding","Access-Control-Request-Headers","Access-Control-Request-Method","Connection",/* close is allowed */
"Content-Length",//"Cookie",//"Cookie2","Content-Transfer-Encoding",//"Date",//"Expect","Host","Keep-Alive","Origin",// "Referer",// "TE","Trailer","Transfer-Encoding","Upgrade",//"User-Agent","Via"
};
只需设置JVM参数,就可以轻松解决此问题
-Dsun.net.http.allowRestrictedHeaders=true
System.setProperty("sun.net.http.allowRestrictedHeaders","true");
这抑制了限制.
