服务端

 /**
  * 请求头自定义字段
 */
public final static String DEFAULT_CORS_HEADER_NAME = "Authorization,Content-Type,XFILENAME,XFILECATEGORY,XFILESIZE,time";
    
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
    HttpServletResponse response = (HttpServletResponse) res;
    HttpServletRequest request = (HttpServletRequest) req;
    // 跨域设置，这里的*无效，故使用request.getHeader("Origin")
    response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
    response.setHeader("Access-Control-Allow-Credentials", "true");
    //允许请求方式
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    //需要放行header头部字段 如需鉴权字段，自行添加，如Authorization
    response.setHeader("Access-Control-Allow-Headers", CommonConst.DEFAULT_CORS_HEADER_NAME);
    // 如不做限制,
    //response.setHeader("Access-Control-Allow-Headers", "x-requested-with,content-type");
    //放行sessionId
    response.setHeader("Access-Control-Expose-Headers", "sessionId");
    try {
      chain.doFilter(request, response);
    } catch (Exception e) {
    }
  }

自定义配置时，需注意w3c规定，当请求的header匹配以下不安全字符时，将被终止

Accept-Charset
  Accept-Encoding
  Connection
  Content-Length
  Cookie
  Cookie2
  Content-Transfer-Encoding
  Date
  Expect
  Host
  Keep-Alive
  Referer
  TE
  Trailer
  Transfer-Encoding
  Upgrade
  User-Agent
  Via

客户端

//axios请求拦截
instance.interceptors.request.use(
    config => {
        let time  = new Date();
        config.headers["Authorization"] = '';
        config.headers['time'] = time;
        return config;
    },
    error => {
        return Promise.reject(error);
    }
);