Problem description:
Cross-origin requests are handled with CORS (Cross-Origin Resource Sharing). When the Access-Control-Allow-Origin response header is set to *, any site may read the responses, so the service is easily attacked.
Solutions:
Option 1:
Set Access-Control-Allow-Origin to a fixed, known URL. In the Spring Boot framework this can be done with the @CrossOrigin annotation placed on the handler method.
For example: @CrossOrigin(origins = {"https://1.202.96.16:444", "null"})
Option 2:
Set the response header directly.
For example, given an HttpServletResponse response:
    response.setHeader("Access-Control-Allow-Origin", "https://1.202.96.16:444");
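The same fixed-origin rule can also be expressed once for the whole application through Spring MVC's own CorsRegistry, which applies to preflight requests as well as to the actual responses. This is an added example, not code from the original post; the "/api/**" path pattern and the origin value are assumptions for illustration. The wildcard setting the post warns about is shown commented out next to the corrected one:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example: global CORS configuration for Spring MVC.
// The "/api/**" path pattern and the origin value are assumptions.
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Weak setting the post warns about: every site may read responses.
        // Combined with allowCredentials(true) it would also expose the
        // user's session cookie; Spring 5.3 and later refuse this
        // combination at startup.
        //
        // registry.addMapping("/api/**")
        //         .allowedOrigins("*")
        //         .allowCredentials(true);

        // Corrected setting: a fixed list of trusted origins, exact match only.
        registry.addMapping("/api/**")
                .allowedOrigins("https://1.202.96.16:444")
                .allowedMethods("GET", "POST", "DELETE")
                .allowedHeaders("x-requested-with")
                .allowCredentials(true)
                .maxAge(3600);
    }
}
```

With this configuration Spring itself compares the request's Origin header against the listed origins and only echoes a matching value back, so no hand-written header logic is needed in controllers.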
Option 3:
Write a filter that sets the response headers and validates the Origin header received in the request; if validation fails, the Access-Control-Allow-Origin header is set to an empty value.
    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import lombok.extern.slf4j.Slf4j;

    // PubFunc and FuncUtil are the project's own helper classes (FuncUtil.Isipv4 is shown below)
    @WebFilter(urlPatterns = "/*")
    @Slf4j
    public class CorsFilter implements Filter {

        @Override
        public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) res;
            HttpServletRequest reqs = (HttpServletRequest) req;
            // The browser sends the caller's origin in the Origin request header
            String header = reqs.getHeader("Origin");
            if (!PubFunc.isNull(header)) {
                // "https://1.202.96.16:444" splits into ["https", "//1.202.96.16", "444"]
                String[] split = header.split(":");
                if (split.length > 1) {
                    String replace = split[1].replace("//", "");
                    // Echo the origin back only when the scheme is https and the host is an IPv4 address
                    if ("https".equals(split[0]) && FuncUtil.Isipv4(replace)) {
                        response.setHeader("Access-Control-Allow-Origin", header);
                        response.setHeader("Access-Control-Allow-Credentials", "true");
                        response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
                        response.setHeader("Access-Control-Max-Age", "3600");
                        response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
                    } else {
                        response.setHeader("Access-Control-Allow-Origin", "");
                    }
                } else {
                    response.setHeader("Access-Control-Allow-Origin", "");
                }
            } else {
                response.setHeader("Access-Control-Allow-Origin", "");
            }
            chain.doFilter(reqs, response);
        }

        @Override
        public void init(FilterConfig arg0) throws ServletException {}
    }
The project also has another filter (LoginFilter) that sets this header, so the same validation has to be applied there as well.
    protected void send(HttpServletRequest request, HttpServletResponse response, Object args) {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json");
        // Same origin validation as in CorsFilter
        String header = request.getHeader("Origin");
        if (!PubFunc.isNull(header)) {
            String[] split = header.split(":");
            if (split.length > 1) {
                String replace = split[1].replace("//", "");
                if ("https".equals(split[0]) && FuncUtil.Isipv4(replace)) {
                    response.setHeader("Access-Control-Allow-Origin", header);
                    response.setHeader("Access-Control-Allow-Credentials", "true");
                    response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
                    response.setHeader("Access-Control-Max-Age", "3600");
                    response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
                } else {
                    response.setHeader("Access-Control-Allow-Origin", null);
                }
            } else {
                response.setHeader("Access-Control-Allow-Origin", null);
            }
        } else {
            response.setHeader("Access-Control-Allow-Origin", null);
        }
        // response.setHeader("Access-Control-Allow-Origin", "http://127.0.0.1");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        // ...... (rest omitted) ......
    }
Note:
After adding the filter, add the @ServletComponentScan annotation to the application's entry class so that the filter is picked up.
IPv4 address check
    public static boolean Isipv4(String ipv4) {
        if (PubFunc.isNull(ipv4)) {
            return true; // null or empty string
        }
        String regex = "^(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|[1-9])\\."
                + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
                + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
                + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)$";
        // Check whether the string matches the dotted-quad pattern
        if (ipv4.matches(regex)) {
            return true;
        } else {
            return false;
        }
    }
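The check shared by CorsFilter, LoginFilter.send and Isipv4 above is a shape check rather than an allowlist: it accepts any https origin whose host is an IPv4 address, and Isipv4 returns true for an empty string. The following is an added example, not the original post's code, of a filter that parses the Origin header and compares it against an exact allowlist, treats the literal "null" origin as untrusted (browsers send it in several situations where the page's origin cannot be identified), omits the Access-Control-Allow-Origin header entirely for unknown origins instead of setting it to an empty value, adds Vary: Origin so caches do not hand one client's header to another, and answers preflight OPTIONS requests before the login filter runs. The class name AllowlistCorsFilter, the allowlist contents and the use of Java 9+ Set.of are assumptions; as in the post, the filter is registered with @WebFilter and needs @ServletComponentScan on the application class.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the original post's code): CORS filter that echoes the
// Origin header only when it exactly matches a fixed allowlist.
@WebFilter(urlPatterns = "/*")
public class AllowlistCorsFilter implements Filter {

    // Assumed allowlist; replace with the deployment's real front-end origins.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://1.202.96.16:444");

    /** Normalises an Origin value to scheme://host[:port]; returns null if unusable. */
    static String normalise(String origin) {
        if (origin == null || origin.isEmpty() || "null".equalsIgnoreCase(origin)) {
            return null; // empty and the literal "null" origin are never trusted
        }
        try {
            URI u = new URI(origin);
            if (u.getScheme() == null || u.getHost() == null) {
                return null; // not a scheme://host form
            }
            String s = u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase();
            if (u.getPort() != -1) {
                s += ":" + u.getPort();
            }
            return s;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Exact-match allowlist check, the replacement for the https + IPv4 shape check. */
    static boolean isAllowed(String origin) {
        String n = normalise(origin);
        return n != null && ALLOWED_ORIGINS.contains(n);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        // Caches must key on Origin, otherwise one client's ACAO value leaks to another.
        response.addHeader("Vary", "Origin");

        if (isAllowed(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
            response.setHeader("Access-Control-Max-Age", "3600");
        }
        // Unknown origin: no ACAO header at all, so the browser refuses the cross-origin read.

        // Answer preflight here; the login filter should not see OPTIONS requests.
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig cfg) throws ServletException {}

    @Override
    public void destroy() {}
}
```

Because the comparison is against the normalised scheme, host and port, an origin such as https://1.202.96.16:444 is accepted while https://1.202.96.16 (default port), http://1.202.96.16:444 or any other IPv4 host is not; with the post's original check all of those would have passed. If more than one filter needs this decision, call isAllowed from the login filter as well rather than duplicating the parsing.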
There are two further configuration-based ways to fix this issue (the linked page configures Tomcat through different classes): https://www.cnblogs.com/softidea/p/5751596.html