Spring Boot 中遇到Insecure CORS configuration跨域问题

问题描述：

由于跨域使用了CORS(Cross-Origin ResourceSharing)这个技术，当Access-Control-Allow-Origin设置为*的时候，容易遭到攻击。

解决方案：

方案一：

将Access-Control-Allow-Origin设置为固定的访问URL,springboot框架中，可以使用@CrossOrigin注解，在方法的上打上这个注解。

例如：@CrossOrigin(origin= {“https://1.202.96.16:444”,”null”})

方案二：

设置响应的头信息

例如：HttpServletResponseresponse

Response.setHeader(“Access-Control-Allow-Origin”,”https://1.202.96.16:444”);

方案三：

通过写一个过滤器来进行设置响应头，并且对获取到的Access-Control-Allow-Origin这个头信息进行验证，如果验证没有通过则将此头信息设置为空。

importlombok.extern.slf4j.Slf4j; @WebFilter(urlPatterns="/*") @Slf4j publicclass CorsFilter implements Filter { @Override publicvoid destroy() {} public void doFilter(ServletRequest req, ServletResponse res,FilterChain chain) throws IOException, ServletException { HttpServletResponse response = (HttpServletResponse) res; HttpServletRequest reqs = (HttpServletRequest) req; String header = reqs.getHeader("Origin"); if (!PubFunc.isNull(header)) { String[]split = header.split(":"); if(split.length> 1){ Stringreplace = split[1].replace("//", ""); if("https".equals(split[0]) &&FuncUtil.Isipv4(replace) ) { response.setHeader("Access-Control-Allow-Origin",header); response.setHeader("Access-Control-Allow-Credentials","true"); response.setHeader("Access-Control-Allow-Methods","POST, GET, DELETE"); response.setHeader("Access-Control-Max-Age", "3600"); response.setHeader("Access-Control-Allow-Headers","x-requested-with"); }else{ response.setHeader("Access-Control-Allow-Origin",""); } }else{ response.setHeader("Access-Control-Allow-Origin",""); } }else{ response.setHeader("Access-Control-Allow-Origin",""); } chain.doFilter(reqs, response); } @Override publicvoid init(FilterConfig arg0) throws ServletException {} }

由于项目中还有一个过滤器（LoginFilter）也对此头信息有设置，所以也需要进行头信息的验证设置。

protectedvoid send(HttpServletRequest request, HttpServletResponseresponse, Object args){ response.setCharacterEncoding("UTF-8"); response.setContentType("application/json"); Stringheader = request.getHeader("Origin"); if(!PubFunc.isNull(header)) { String[]split = header.split(":"); if(split.length> 1){ Stringreplace = split[1].replace("//", ""); if("https".equals(split[0]) &&FuncUtil.Isipv4(replace) ) { response.setHeader("Access-Control-Allow-Origin",header); response.setHeader("Access-Control-Allow-Credentials","true"); response.setHeader("Access-Control-Allow-Methods","POST, GET, DELETE"); response.setHeader("Access-Control-Max-Age", "3600"); response.setHeader("Access-Control-Allow-Headers","x-requested-with"); }else{ response.setHeader("Access-Control-Allow-Origin",null); } }else{ response.setHeader("Access-Control-Allow-Origin",null); } }else{ response.setHeader("Access-Control-Allow-Origin",null); } //response.setHeader("Access-Control-Allow-Origin","http://127.0.0.1"); response.setHeader("Access-Control-Allow-Credentials","true"); 。。。。。。。。。。省略号。。。。。。。。。。。。。。。。。。 }

注意：

增加完过滤器以后，需要在入口类上加上一个注解(@ServletComponentScan)就可以使用了

是否为Ip的验证

 public static boolean Isipv4(String ipv4){  
        if(PubFunc.isNull(ipv4)){  
            return true;//字符串为空或者空串  
            }  
        String regex = "^(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|[1-9])\\."
                + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
                + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
                + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)$";
        // 判断ip地址是否与正则表达式匹配
        if (ipv4.matches(regex)) {
            // 返回判断信息
            return true;
        } else {
            // 返回判断信息
            return false;
        }
    }

此问题的修复还有其他两种配置的方式（链接下有不同类对Tomcat进行设置）：https://www.cnblogs.com/softidea/p/5751596.html