Problem Description:
The application serves cross-domain requests with CORS (Cross-Origin Resource Sharing). With Access-Control-Allow-Origin set to *, every response is readable by pages from any origin, which the security scan reports as a vulnerability: the header must instead name only the origins that are actually trusted.
Solution:
Option One:
Set Access-Control-Allow-Origin to a fixed, trusted origin. In the Spring Boot framework this can be done with the @CrossOrigin annotation on the controller method (or class); the attribute that carries the allowlist is origins.
For example: @CrossOrigin(origins = {"https://1.202.96.16:444"})
Do not add the literal origin "null" to this list (the original listing did). Browsers send Origin: null for sandboxed iframes and for pages opened from local files, so allowing "null" lets an attacker page obtain a reflected origin and, with credentials enabled, read authenticated responses.
Option Two:
Set the response header directly on the HttpServletResponse.
For example, given HttpServletResponse response:
response.setHeader("Access-Control-Allow-Origin", "https://1.202.96.16:444");
Option Three:
Write a filter that validates the request's Origin header and sets the CORS response headers only when validation succeeds; if validation fails, set Access-Control-Allow-Origin to an empty value. Note that the check below accepts any https origin whose host is a bare IPv4 address, not just the one trusted address, and it also enables Access-Control-Allow-Credentials, so it is far broader than the fixed allowlist of Option One. Whenever the Origin is reflected like this, the response should also carry Vary: Origin so that a shared cache does not serve one origin's response to another.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import lombok.extern.slf4j.Slf4j;

@WebFilter(urlPatterns = "/*")
@Slf4j
public class CorsFilter implements Filter {

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest reqs = (HttpServletRequest) req;
        // Origin sent by the browser, e.g. "https://1.202.96.16:444"
        String header = reqs.getHeader("Origin");
        if (!PubFunc.isNull(header)) {               // project helper: null-or-empty check
            String[] split = header.split(":");      // ["https", "//1.202.96.16", "444"]
            if (split.length > 1) {
                String replace = split[1].replace("//", "");   // host part only
                // Reflect the Origin only if the scheme is https and the host is a bare IPv4 address
                if ("https".equals(split[0]) && FuncUtil.Isipv4(replace)) {
                    response.setHeader("Access-Control-Allow-Origin", header);
                    response.setHeader("Access-Control-Allow-Credentials", "true");
                    response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
                    response.setHeader("Access-Control-Max-Age", "3600");
                    response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
                } else {
                    response.setHeader("Access-Control-Allow-Origin", "");
                }
            } else {
                response.setHeader("Access-Control-Allow-Origin", "");
            }
        } else {
            response.setHeader("Access-Control-Allow-Origin", "");
        }
        chain.doFilter(reqs, response);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {}
}
The project also has a LoginFilter that sets this same header, so the same Origin validation has to be applied there as well; otherwise the login path would keep reflecting or wildcarding the origin.
protected void send(HttpServletRequest request, HttpServletResponse response, Object args) {
    response.setCharacterEncoding("UTF-8");
    response.setContentType("application/json");
    // Same Origin validation as in CorsFilter
    String header = request.getHeader("Origin");
    if (!PubFunc.isNull(header)) {
        String[] split = header.split(":");
        if (split.length > 1) {
            String replace = split[1].replace("//", "");
            if ("https".equals(split[0]) && FuncUtil.Isipv4(replace)) {
                response.setHeader("Access-Control-Allow-Origin", header);
                response.setHeader("Access-Control-Allow-Credentials", "true");
                response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE");
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
            } else {
                response.setHeader("Access-Control-Allow-Origin", null);
            }
        } else {
            response.setHeader("Access-Control-Allow-Origin", null);
        }
    } else {
        response.setHeader("Access-Control-Allow-Origin", null);
    }
    //response.setHeader("Access-Control-Allow-Origin","http://127.0.0.1");
    // Note: Allow-Credentials is set unconditionally here, even when the Origin was rejected above
    response.setHeader("Access-Control-Allow-Credentials", "true");
    // ... (rest of the method omitted in the original)
}
Note:
After adding the filter, put the @ServletComponentScan annotation on the application's entry class (the class annotated with @SpringBootApplication); without it, the embedded container does not register @WebFilter classes and the filter never runs.
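The following is an added example, not code from the original project, showing a stricter version of the filter above. Instead of accepting any https origin with an IPv4 host, it compares the Origin header against an exact allowlist (scheme, host and port), never accepts the literal origin "null", emits Vary: Origin whenever the response depends on the origin, and answers preflight (OPTIONS) requests itself so they do not reach the application or the LoginFilter. It assumes the javax.servlet API of Spring Boot 2.x (replace the imports with jakarta.servlet on Spring Boot 3); the class name StrictCorsFilter and the allowlist entry, which reuses the page's own address, are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the original project's code): CORS filter with an exact-match allowlist.
 * Register it with @ServletComponentScan on the entry class, like the page's CorsFilter.
 */
@WebFilter(urlPatterns = "/*")
public class StrictCorsFilter implements Filter {

    // Assumed allowlist; list the deployment's real front-end origins here.
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("https://1.202.96.16:444")));

    /** Exact, case-sensitive comparison of the full origin (scheme://host:port). */
    static boolean isAllowedOrigin(String origin) {
        if (origin == null || origin.isEmpty() || "null".equals(origin)) {
            // No Origin (same-origin or non-browser request) or the opaque "null" origin:
            // never emit CORS headers for these.
            return false;
        }
        // No prefix, suffix or regex matching, so neither "https://1.202.96.16:444.attacker.example"
        // nor an arbitrary https IPv4 origin can be reflected.
        return ALLOWED_ORIGINS.contains(origin);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        // The response content depends on the Origin header, so tell caches about it.
        response.addHeader("Vary", "Origin");

        boolean allowed = isAllowedOrigin(origin);
        if (allowed) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
            response.setHeader("Access-Control-Max-Age", "3600");
        }
        // Disallowed origin: no Access-Control-Allow-Origin header is sent at all,
        // so the browser refuses to expose the response to the calling page.

        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // Answer the preflight here; the application (and LoginFilter) never see it.
            response.setStatus(allowed ? HttpServletResponse.SC_NO_CONTENT
                                       : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {}

    @Override
    public void destroy() {}
}
```

Because the allowlist is matched exactly, a front end served from a different port or over plain http is rejected until it is added explicitly; that is the intended behaviour, since Access-Control-Allow-Credentials: true makes every allowed origin able to read authenticated responses.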
IPv4 validation helper:
public static boolean Isipv4(String ipv4) {
    if (PubFunc.isNull(ipv4)) {
        // null or empty string is treated as valid here, so an empty host part also passes the filter's check
        return true;
    }
    // Four dotted-decimal octets in the range 0-255 (the first octet may not be 0)
    String regex = "^(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|[1-9])\\."
            + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
            + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\."
            + "(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)$";
    // Return whether the address matches the pattern
    return ipv4.matches(regex);
}
There are two further ways to fix this issue through configuration (the linked page shows different classes that configure Tomcat): https://www.cnblogs.com/softidea/p/5751596.html