Java JAX-RS CORS/Tomcat 冲突:javax.servlet.ServletException
Java JAX-RS CORS/Tomcat Conflict : javax.servlet.ServletException
我目前是 运行 我自己的网络应用程序,它通常不会给我设置环境带来任何问题。然而,这是一台安装了 Tomcat 9.0 和 JDK 8 的新机器。这台机器与其他正常工作的机器之间的唯一区别是 Eclipse IDE.
的版本
此环境中的所有资源 return 404,我已将运行时出现此问题的原因缩小为:
javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]
有人知道为什么不再允许这样做/为什么它不起作用吗?
在src/main/webapp/WEB-INF/web.xml中添加CORS过滤器如下:
<?xml version="1.0" encoding="UTF-8"?>
<!-- This web.xml file is not required when using Servlet 3.0 container,
see implementation details http://jersey.java.net/nonav/documentation/latest/jax-rs.html -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>Jersey Web Application</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>lksecure.lks,lksecure,messenger.msg</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Jersey Web Application</servlet-name>
<url-pattern>/webapi`/`*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,DELETE,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,auth,user,persona,target,recaptcha,id,endpoint,portX-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
谢谢!
您必须提供一个以逗号分隔的允许来源的白名单,以便还具有 supportCredentials=[true]:
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
如何缩小问题范围以及如何找出您必须为 Tomcats web.xml 添加哪些 URL cors.allowed.origins 参数在此处说明:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors
由于安全原因,此行为于 2018 年 5 月引入:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
`<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>`
像这样在'*'前加一个'/'
`<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>/*</param-value>
</init-param>`
我目前是 运行 我自己的网络应用程序,它通常不会给我设置环境带来任何问题。然而,这是一台安装了 Tomcat 9.0 和 JDK 8 的新机器。这台机器与其他正常工作的机器之间的唯一区别是 Eclipse IDE.
的版本此环境中的所有资源 return 404,我已将运行时出现此问题的原因缩小为:
javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]
有人知道为什么不再允许这样做/为什么它不起作用吗?
在src/main/webapp/WEB-INF/web.xml中添加CORS过滤器如下:
<?xml version="1.0" encoding="UTF-8"?>
<!-- This web.xml file is not required when using Servlet 3.0 container,
see implementation details http://jersey.java.net/nonav/documentation/latest/jax-rs.html -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>Jersey Web Application</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>lksecure.lks,lksecure,messenger.msg</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Jersey Web Application</servlet-name>
<url-pattern>/webapi`/`*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,DELETE,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,auth,user,persona,target,recaptcha,id,endpoint,portX-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
谢谢!
您必须提供一个以逗号分隔的允许来源的白名单,以便还具有 supportCredentials=[true]: http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
如何缩小问题范围以及如何找出您必须为 Tomcats web.xml 添加哪些 URL cors.allowed.origins 参数在此处说明: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors
由于安全原因,此行为于 2018 年 5 月引入: https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
`<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>`
像这样在'*'前加一个'/'
`<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>/*</param-value>
</init-param>`