Jersey filter does not give header values

前端 未结 1 1059
长情又很酷
长情又很酷 2021-01-16 22:49

We are using jersey 2 for our REST web services in Java. We have created the javax.ws.rs.container.ContainerRequestFilter and javax.ws.rs.container.Contai

相关标签:
1条回答
  • 2021-01-16 23:16

    Firstly, these are request headers you are showing, not response headers, which it seems like you are saying they are.

    What you are showing here are the headers from the CORS preflight request, not the actual request. The preflight request is a request that the browser performs before the actual request, verifying with the server that the request is allowed. If the preflight is approved, then the real request will be made. In the preflight, the browser is asking the server if it will allow those listed headers. This is in the request header access-control-request-headers. Similarly it uses the access-control-request-method to ask the server if it will allow GET method calls.

    In the response to the CORS preflight request, the server should respond with headers to those confirm that the request is acceptable. The response should include the following headers

    • Access-Control-Allow-Origin - this is in response to the Origin preflight request header. The value should include the value of the Origin or * to allow all origins. This tells the browser that the origin is allowed.

    • Access-Control-Allow-Headers - this is in response to the access-control-request-headers preflight request header. The value should be a comma separated list of at least all the headers that the browser requested. If any of them are missing, the the preflight request will fail.

    • Access-Control-Allow-Methods - this is in response to the access-control-request-method preflight request header. The value should be at least the method requested, or usually a list of methods allowed.

    If you look at this post, you will see that a ContainerResponseFilter is used to handle the return of this preflight request by adding all the required headers to pass the preflight verification.

    @Provider
    public class CORSFilter implements ContainerResponseFilter {
    
        @Override
        public void filter(ContainerRequestContext request,
                           ContainerResponseContext response) throws IOException {
    
            response.getHeaders().add("Access-Control-Allow-Origin", "*");
            response.getHeaders().add("Access-Control-Allow-Headers",
                    "origin, content-type, accept, authorization");
            response.getHeaders().add("Access-Control-Allow-Credentials", "true");
            response.getHeaders().add("Access-Control-Allow-Methods",
                    "GET, POST, PUT, DELETE, OPTIONS, HEAD");
        }
    }
    

    In your case, you would want to add the headers x-api-key,x-api-secret,x-request-id to the list in the Access-Control-Allow-Headers. These values tell the browser that it is OK to send these headers.

    After the preflight request is a success, then the browser will send the actual request. If the preflight failed, then usually the browser will give you a hint as to which verifications failed.

    0 讨论(0)
提交回复
热议问题