由于tomcat 8.0.53的最新更新,我们的REST服务无法正常工作。这是由于CORS配置。旧配置如下:
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With,x-auth-token,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
如果我添加以下几行,也可以,但是我们认为,这是一个很大的安全问题:
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
因此,我的想法是将原始CORS配置写为“拒绝过滤器”,并用新行(cors.allowed.origins)将新配置写为“允许过滤器”,从而在过滤器映射中只允许几个URL。
我这样尝试过:
<filter>
<filter-name>CorsFilterDeny</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With,x-auth-token,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CorsFilterAllow</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With,x-auth-token,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilterAllow</filter-name>
<url-pattern>/rest/*</url-pattern>
</filter-mapping>
现在,/ rest / *应该可以工作,但是/ rest2不是。但是两个URL都可以正常工作。我已经尝试过先允许,然后再拒绝。相同的问题:rest2正常运行,但不应运行。
任何想法,如何解决这个问题?
提前谢谢! 问候 伯克哈德