java代码
package com.thinkgem.jeesite.common.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
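/**
 * Adds a fixed set of browser security headers to every HTTP response.
 *
 * <p>Despite its name, this filter does not set any character encoding; it
 * only writes response headers (clickjacking, MIME-sniffing, cross-domain
 * policy, download and referrer controls) and then passes the request down
 * the chain unchanged.
 *
 * <p>Every header is written with {@code setHeader} rather than
 * {@code addHeader}: the original mixed the two, and {@code addHeader} would
 * append a second value if an earlier filter or the container had already
 * emitted the same header, leaving the browser with two (possibly
 * conflicting) values. {@code setHeader} makes this filter's value the single
 * authoritative one.
 */
public class CharsetFilter implements Filter {

    /**
     * Sets the security headers and continues the filter chain.
     *
     * <p>The headers are written before {@code chain.doFilter} so they are in
     * place before anything downstream can commit the response; headers set
     * after the response is committed are silently ignored by the container.
     *
     * @param req   the incoming request (passed through untouched)
     * @param res   the response; must be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException        propagated from the chain
     * @throws ServletException   propagated from the chain
     * @throws ClassCastException if {@code res} is not an HTTP response
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The header API lives on the HTTP subtype; a servlet container always passes one.
        HttpServletResponse response = (HttpServletResponse) res;

        // Only same-origin pages may frame this response (clickjacking defence).
        response.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
        // Only the site's root cross-domain policy file is honoured by Flash/PDF clients.
        response.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        // Legacy IE: downloads must not be opened directly in the site's security context.
        response.setHeader("X-Download-Options", "noopen");
        // Browsers must honour the declared Content-Type instead of sniffing it.
        response.setHeader("X-Content-Type-Options", "nosniff");
        // Never send a Referer header when navigating away from this response.
        response.setHeader("Referrer-Policy", "no-referrer");

        // Hand off to the next filter/servlet; nothing further happens here.
        chain.doFilter(req, response);
    }

    /** No init-params are read; nothing to initialise. */
    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    /** No resources are held; nothing to release. */
    @Override
    public void destroy() {
    }
}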
web.xml配置
<!-- Set the frame header so the pages cannot be embedded (framed) by other sites -->
<!-- Registers CharsetFilter under the name FrameFilter. Despite the class name the
     filter only writes response headers (X-FRAME-OPTIONS and related ones); it does
     not touch the character encoding. -->
<filter>
<filter-name>FrameFilter</filter-name>
<filter-class>com.thinkgem.jeesite.common.filter.CharsetFilter</filter-class>
</filter>
<!-- Applied to every URL of the application. No <dispatcher> elements are listed,
     so per the Servlet spec this mapping runs for REQUEST dispatches only.
     NOTE(review): confirm that responses produced through FORWARD/INCLUDE/ERROR
     dispatches (e.g. custom error pages) still carry the headers, or add
     <dispatcher> entries for them. Filters run in web.xml mapping order, so a later
     filter could overwrite these headers; keep this mapping near the end if that
     is a concern. -->
<filter-mapping>
<filter-name>FrameFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
修改WEB应用的web.xml部署文件,插入限制请求方法的代码
<!-- Remedy for "insecure HTTP methods enabled" findings -->
<!-- close insecure http methods -->
<!-- Denies the listed methods on every URL. The empty <auth-constraint> below means
     no role may access the matching resources, so the container itself rejects such
     requests (typically with 403) before any application code runs.
     NOTE(review): this is a denylist - any method not listed (e.g. PATCH, or any other
     verb the container accepts) remains allowed. If the target container supports
     Servlet 3.0+, <http-method-omission> lets you name the permitted methods instead,
     and Servlet 3.1 adds <deny-uncovered-http-methods/> to close everything else;
     confirm the servlet version before switching. -->
<security-constraint>
<web-resource-collection>
<!-- Arbitrary label for this resource group; it has no runtime effect -->
<web-resource-name>fortune</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<!-- NOTE(review): blocking HEAD and OPTIONS can break load-balancer health checks
     and CORS preflight requests; confirm no client relies on them. -->
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<!-- Empty: no roles are granted, i.e. access is denied for everyone -->
<auth-constraint> </auth-constraint>
</security-constraint>
标签解释
<security-constraint>用于限制对资源的访问;
<auth-constraint>用于限制哪些角色可以访问资源,这里设置为空就是禁止所有角色的用户访问;
<url-pattern>指定需要验证的资源
<http-method>指定哪些方法需要验证