简单记录服务器端cors白名单设置

 1、common白名单资源绑定。:

import java.util.Collections;
import java.util.HashSet;
import java.util.ResourceBundle;
import java.util.Set;

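public class AllowOriginConstant {
    // Local machine: the configured allow-list is ignored and the filter falls back to "*".
    private static final String ENV_LOCALHOST = "0";
    // Production: allowed origins come from the "origin_prod" key.
    private static final String ENV_PRODUCTION = "1";
    // Test: allowed origins come from the "origin_test" key.
    private static final String ENV_TEST = "2";

    /**
     * Origins that may receive a reflected Access-Control-Allow-Origin header.
     * Entries are compared by exact string match against the browser's Origin header,
     * so each one must be written as "scheme://host[:port]" with no trailing slash.
     * The set is read-only: the allow-list is a security boundary, and the original
     * mutable HashSet let any code in the JVM widen it at runtime.
     */
    public static final Set<String> originSet;

    // env_type read once at class load; never null because getString() throws instead.
    private static final String envType;

    static {
        // A missing "allowOrigin" bundle or "env_type" key fails loudly at class load
        // (MissingResourceException); running with an unknown environment would be worse.
        ResourceBundle bundle = ResourceBundle.getBundle("allowOrigin");
        envType = bundle.getString("env_type").trim();

        Set<String> origins = new HashSet<>(16);
        if (!ENV_LOCALHOST.equals(envType)) {
            String key = null;
            if (ENV_PRODUCTION.equals(envType)) {
                key = "origin_prod";
            } else if (ENV_TEST.equals(envType)) {
                key = "origin_test";
            }
            if (key != null) {
                for (String entry : bundle.getString(key).split(",")) {
                    String origin = entry.trim();
                    // A blank entry (trailing comma, empty value) must never become an allowed origin.
                    if (!origin.isEmpty()) {
                        origins.add(origin);
                    }
                }
            }
        }
        originSet = Collections.unmodifiableSet(origins);
    }

    /**
     * Reports whether env_type marks this JVM as the local development environment,
     * in which case the configured origins are not consulted at all.
     *
     * @return true when env_type is "0"
     */
    public static boolean isLocalhost() {
        return ENV_LOCALHOST.equals(envType);
    }
}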

 2、common资源文件绑定。  

3、资源文件内容白名单设置。 

资源文件内容（allowOrigin.properties，行尾的 \ 为 properties 续行符）:

env_type=1
origin_prod= https://xxxx.xxxxx12.cn,\
 https://xxxx.xxxx123.cn,\
 https://xxxx.xxxxx13245.cn,\
 https://xxx.xxxxxxxxx1234.cn

注意：白名单与浏览器发送的 Origin 请求头做精确字符串比较，因此每一项必须写成 scheme://host[:port] 的形式（非默认端口要带上），不能带路径或末尾的 /，也不支持通配符。

4、项目引用白名单校验。 



import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

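public class CorsFilter implements Filter {

    // Methods a whitelisted origin may use. PUT and DELETE are never "simple" requests,
    // so the browser always preflights them with OPTIONS (handled in doFilter).
    private static final String ALLOWED_METHODS = "GET,POST,HEAD,PUT,DELETE";
    private static final String ALLOWED_HEADERS = "Accept,Origin,X-Requested-With,Content-Type,Last-Modified";

    FilterConfig filterConfig = null;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Applies the CORS allow-list and the fixed security headers, then either answers a
     * CORS preflight, rejects any other OPTIONS request with 405, or continues the chain.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {

        HttpServletRequest requestChain = (HttpServletRequest) request;
        HttpServletResponse responseChain = (HttpServletResponse) response;

        boolean originAllowed = applyCorsHeaders(requestChain, responseChain);
        applySecurityHeaders(responseChain);

        if ("OPTIONS".equalsIgnoreCase(requestChain.getMethod())) {
            if (originAllowed && requestChain.getHeader("Access-Control-Request-Method") != null) {
                // CORS preflight from an allowed origin. The original code answered every
                // OPTIONS with 405, which made the browser fail every PUT/DELETE/JSON request
                // before it was sent - the allow-list only ever worked for simple GET/POST.
                responseChain.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
            // Any other OPTIONS (non-CORS, or from an origin not on the list) is refused.
            responseChain.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            responseChain.setContentType("text/plain;charset=UTF-8");
            ServletOutputStream outputStream = responseChain.getOutputStream();
            // Encode explicitly; the old getBytes()/new String() round-trip used the platform
            // charset and produced mojibake on non-UTF-8 JVMs.
            outputStream.write("无效的请求".getBytes(StandardCharsets.UTF_8));
            outputStream.flush();
            return;
        }
        chain.doFilter(requestChain, responseChain);
    }

    /**
     * Writes the Access-Control-* headers and reports whether the request's Origin is allowed.
     * Outside the local environment only an exact allow-list match is reflected; for any other
     * Origin no Access-Control-* header is written at all, which the browser treats as denied.
     *
     * @return true when a cross-origin caller may read the response (or "*" was issued locally)
     */
    private static boolean applyCorsHeaders(HttpServletRequest req, HttpServletResponse resp) {
        if (AllowOriginConstant.isLocalhost()) {
            // Local development only. "*" is deliberately NOT paired with Allow-Credentials:
            // browsers reject that combination, and a wildcard must never expose cookies.
            resp.setHeader("Access-Control-Allow-Origin", "*");
            resp.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
            resp.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            return true;
        }

        String origin = req.getHeader("Origin");
        // The response now depends on the Origin header, so shared caches must key on it;
        // without Vary a response carrying origin A's ACAO could be served to origin B.
        resp.addHeader("Vary", "Origin");
        if (origin == null || !AllowOriginConstant.originSet.contains(origin)) {
            return false;
        }

        // setHeader rather than addHeader: a duplicated ACAO value is rejected by browsers.
        resp.setHeader("Access-Control-Allow-Origin", origin);
        resp.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
        resp.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
        // Credentials are only ever allowed together with an exact, whitelisted origin.
        resp.setHeader("Access-Control-Allow-Credentials", "true");
        return true;
    }

    /**
     * Adds the fixed browser-hardening headers. Values are kept as the original configuration
     * had them; the comments note where a value is weaker than it looks.
     */
    private static void applySecurityHeaders(HttpServletResponse resp) {
        // Stop browsers from MIME-sniffing a response away from its declared Content-Type.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        // Pages may only be framed by the same origin (legacy clickjacking defence;
        // CSP frame-ancestors is the modern equivalent).
        resp.setHeader("X-Frame-Options", "SAMEORIGIN");
        // Legacy header: modern browsers ignore it; kept only for older clients.
        resp.setHeader("X-XSS-Protection", "1; mode=block");

        // NOTE(review): this policy allows any source plus 'unsafe-inline' and 'unsafe-eval',
        // so it blocks almost nothing except plugins (object-src 'self'). Treat it as a
        // starting point and tighten script-src before relying on it against XSS.
        resp.setHeader("Content-Security-Policy", "default-src * 'unsafe-inline'; style-src * 'unsafe-inline'; img-src * data:; object-src 'self'; font-src * data:; worker-src * blob:; script-src * 'unsafe-eval' 'unsafe-inline';");
        // "origin" sends the bare origin to every destination, including cross-site ones.
        resp.setHeader("Referrer-Policy", "origin");
        resp.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        resp.setHeader("X-Download-Options", "noopen");
        // NOTE(review): 1800 s (30 min) is far below the commonly recommended one year;
        // raise it once TLS is confirmed on every subdomain covered by includeSubDomains.
        resp.setHeader("Strict-Transport-Security", "max-age=1800; includeSubDomains");

        // The original "Set-Cookie: Secure; HttpOnly" line was removed: a Set-Cookie with no
        // name=value creates a junk cookie and does NOT harden the real session cookie.
        // Configure Secure/HttpOnly on the session cookie via web.xml <cookie-config>
        // (or ServletContext.getSessionCookieConfig() at context start-up) instead.
    }
}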

                