package com.whyc.filter;
|
|
import com.whyc.constant.YamlProperties;
|
import org.apache.commons.lang3.StringUtils;
|
|
import javax.servlet.*;
|
import javax.servlet.annotation.WebFilter;
|
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequestWrapper;
|
import javax.servlet.http.HttpServletResponse;
|
import java.io.IOException;
|
import java.util.Arrays;
|
import java.util.LinkedList;
|
import java.util.List;
|
|
/**
|
* @Description :
|
* @date 2020/09/11
|
**/
|
@WebFilter
|
public class CrossDomainFilter implements Filter {
|
|
|
@Override
|
public void init(FilterConfig filterConfig) throws ServletException {
|
System.out.println("执行了过滤器CrossDomainFilter");
|
}
|
|
@Override
|
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
|
HttpServletResponse resp= (HttpServletResponse) response;
|
HttpServletRequest req= (HttpServletRequest) request;
|
String origin = req.getHeader("Origin");
|
if(StringUtils.isNotBlank(origin)) { //没有origin来源,不允许跨域设置
|
String allowedCORSDomainList = YamlProperties.allowedCORSDomainList;
|
List<String> allowedList = new LinkedList<>();
|
if (!allowedCORSDomainList.equals("")) { //存在跨域白名单,判断,设置
|
String[] allowedCORSDomain = allowedCORSDomainList.split(",");
|
allowedList = Arrays.asList(allowedCORSDomain);
|
if (allowedList.contains(origin)) {
|
resp.setHeader("Access-Control-Allow-Origin", origin);
|
resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");
|
//resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");
|
//resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, PATCH");
|
resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
|
resp.setHeader("Access-Control-Allow-Credentials", "true");
|
}
|
}
|
}
|
|
//只准使用GET,POST
|
String method = req.getMethod().toUpperCase();
|
String profileType = YamlProperties.profileType;
|
if(!profileType.contains("dev") && !(method.equals("GET")||method.equals("POST"))){
|
resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
|
response.setContentType("text/html;charset=utf-8");
|
response.getWriter().write("不安全的请求");
|
return;
|
}
|
//处理响应头缺失,信息漏洞
|
/*resp.addHeader("X-Frame-Options","SAMEORIGIN");
|
resp.addHeader("Referrer-Policy","origin");
|
resp.addHeader("Content-Security-Policy","object-src 'self'");
|
resp.addHeader("X-Permitted-Cross-Domain-Policies","master-only");
|
resp.addHeader("X-Content-Type-Options","nosniff");
|
resp.addHeader("X-XSS-Protection","1; mode=block");
|
resp.addHeader("X-Download-Options","noopen");
|
resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");*/
|
resp.setHeader("X-Frame-Options","SAMEORIGIN");
|
resp.setHeader("Referrer-Policy","origin");
|
resp.setHeader("Content-Security-Policy","object-src 'self'");
|
resp.setHeader("X-Permitted-Cross-Domain-Policies","master-only");
|
resp.setHeader("X-Content-Type-Options","nosniff");
|
resp.setHeader("X-XSS-Protection","1; mode=block");
|
resp.setHeader("X-Download-Options","noopen");
|
resp.setHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");
|
|
//单页面应用,只允许一个页面index.html
|
String servletPath = req.getServletPath();
|
if(servletPath.contains(".html")){
|
if(!servletPath.equals("/index.html") && !servletPath.equals("/doc.html") && !servletPath.equals("/mobile/index.html")){
|
resp.setStatus(202);
|
return;
|
}
|
HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper((HttpServletRequest)req);
|
if(servletPath.equals("/index.html") && req.getParameter("n") == null) {
|
RequestDispatcher dispatcher = wrapper.getRequestDispatcher("/");
|
dispatcher.forward(request, resp);
|
return;
|
}
|
}
|
|
chain.doFilter(request, resp);
|
}
|
|
@Override
|
public void destroy() {
|
|
}
|
}
|
