Problem description:
Cross-origin requests use CORS (Cross-Origin Resource Sharing). When the Access-Control-Allow-Origin response header is set to the wildcard *, the application is exposed to attack.
Solutions:
Option 1:
Set Access-Control-Allow-Origin to a fixed allowed URL. In the Spring Boot framework this can be done with the @CrossOrigin annotation placed on the handler method.
For example: @CrossOrigin(origins = {"https://1.202.96.16:444", "null"})
Option 2:
Set the response header directly.
For example, given an HttpServletResponse response:
response.setHeader("Access-Control-Allow-Origin", "https://1.202.96.16:444");
Option 3:
Write a filter that sets the response headers and validates the Origin header received with the request; if validation fails, the Access-Control-Allow-Origin header is set to empty.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;

@WebFilter(urlPatterns = "/*")
@Slf4j
public class CorsFilter implements Filter {

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest reqs = (HttpServletRequest) req;
        // Origin header sent by the browser, e.g. "https://1.202.96.16:444"
        String header = reqs.getHeader("Origin");
        if (!PubFunc.isNull(header)) {
            // "https://1.202.96.16:444" splits into ["https", "//1.202.96.16", "444"]
            String[] split = header.split(":");
            if (split.length > 1) {
                String replace = split[1].replace("//", "");
                // echo the origin back only when the scheme is https and the host is an IPv4 address
                if ("https".equals(split[0]) && FuncUtil.Isipv4(replace)) {
                    response.setHeader("Access-Control-Allow-Origin", header);
                    response.setHeader("Access-Control-Allow-Credentials", "true");
                    response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
                    response.setHeader("Access-Control-Max-Age", "3600");
                    response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
                } else {
                    response.setHeader("Access-Control-Allow-Origin", "");
                }
            } else {
                response.setHeader("Access-Control-Allow-Origin", "");
            }
        } else {
            response.setHeader("Access-Control-Allow-Origin", "");
        }
        chain.doFilter(reqs, response);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {}
}
Because the project also has another filter (LoginFilter) that sets this header, the same validation of the header has to be added there as well.
protected void send(HttpServletRequest request, HttpServletResponse response, Object args) {
    response.setCharacterEncoding("UTF-8");
    response.setContentType("application/json");
    String header = request.getHeader("Origin");
    if (!PubFunc.isNull(header)) {
        String[] split = header.split(":");
        if (split.length > 1) {
            String replace = split[1].replace("//", "");
            // same check as in CorsFilter: https scheme and an IPv4 host
            if ("https".equals(split[0]) && FuncUtil.Isipv4(replace)) {
                response.setHeader("Access-Control-Allow-Origin", header);
                response.setHeader("Access-Control-Allow-Credentials", "true");
                response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
            } else {
                response.setHeader("Access-Control-Allow-Origin", null);
            }
        } else {
            response.setHeader("Access-Control-Allow-Origin", null);
        }
    } else {
        response.setHeader("Access-Control-Allow-Origin", null);
    }
    //response.setHeader("Access-Control-Allow-Origin","http://127.0.0.1");
    response.setHeader("Access-Control-Allow-Credentials", "true");
    // ...... omitted ......
}
Note:
After adding the filter, add the @ServletComponentScan annotation to the application entry class so that the filter is registered.
IPv4 address check used by the filters:
public static boolean Isipv4(String ipv4) {
    if (PubFunc.isNull(ipv4)) {
        return false; // null or empty string is not a valid address
    }
    // dotted-quad form, each octet 0-255 without leading zeros (first octet must not be 0)
    String regex = "^(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|[1-9])\\."
            + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
            + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
            + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)$";
    // true only when the whole string matches the pattern
    return ipv4.matches(regex);
}
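A stricter variant of Option 3, added here as an example (not the page's or the project's code): instead of accepting every https origin whose host is an IPv4 address, it parses Origin with java.net.URI, normalises it and compares it against an explicit allowlist, and sends no Access-Control-Allow-Origin header at all for anything else. It assumes Spring Boot 2.x with javax.servlet and Java 9+ (Set.of); the class name and the second allowlist entry are placeholders, the first entry is the origin used on this page.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*")
public class AllowlistCorsFilter implements Filter {
    // Exact origins allowed to call this API (constructed list; second entry is a placeholder)
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://1.202.96.16:444", "https://app.example.com");

    // Normalise "scheme://host[:port]" for exact comparison; returns null for anything that is
    // not a plain origin (missing host, userinfo, path, query, fragment, or the literal "null").
    static String normalizeOrigin(String origin) {
        if (origin == null || origin.isEmpty() || "null".equals(origin)) return null;
        URI uri;
        try { uri = new URI(origin); } catch (URISyntaxException e) { return null; }
        if (uri.getScheme() == null || uri.getHost() == null || uri.getRawUserInfo() != null
                || !uri.getRawPath().isEmpty() || uri.getRawQuery() != null
                || uri.getRawFragment() != null) return null;
        String scheme = uri.getScheme().toLowerCase();
        int port = uri.getPort();
        boolean defaultPort = port == -1 || ("https".equals(scheme) && port == 443)
                || ("http".equals(scheme) && port == 80);
        return scheme + "://" + uri.getHost().toLowerCase() + (defaultPort ? "" : ":" + port);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = normalizeOrigin(request.getHeader("Origin"));
        // Caches must key on Origin, otherwise one origin's allow header could be served to another
        response.addHeader("Vary", "Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
            response.setHeader("Access-Control-Max-Age", "3600");
        }
        // Unknown origins get no Access-Control-Allow-Origin header, so the browser blocks the read
        chain.doFilter(request, response);
    }
}
```

With this filter in place the IPv4 helper is no longer needed for CORS decisions, since the allowlist is the only thing that decides whether an origin is echoed back.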
There are two further configuration methods for fixing this issue (the linked page shows different classes for configuring Tomcat): https://www.cnblogs.com/softidea/p/5751596.html