研发图纸管理
blame | 历史 | 原始文档
lxw
2022-09-02 84fe36be10c7893e900ddce0b239c7b5b6a6c1a3 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

package com.whyc.filter;


 


import javax.servlet.*;


import javax.servlet.annotation.WebFilter;


import javax.servlet.http.HttpServletRequest;


import javax.servlet.http.HttpServletRequestWrapper;


import javax.servlet.http.HttpServletResponse;


import java.io.IOException;


 


/**


 * @Description :


 * @date 2020/09/11


 **/


@WebFilter


public class CrossDomainFilter implements Filter {


 


 


    @Override


    public void init(FilterConfig filterConfig) throws ServletException {


        System.out.println("执行了过滤器CrossDomainFilter");


    }


 


    @Override


    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {


        HttpServletResponse resp= (HttpServletResponse) response;


        HttpServletRequest req= (HttpServletRequest) request;


        String origin = req.getHeader("Origin");


        // String origin = "http://localhost:8080";


        resp.setHeader("Access-Control-Allow-Origin", origin);


        resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");


        resp.setHeader("Access-Control-Expose-Headers", "content-disposition");


        resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");


        resp.setHeader("Access-Control-Allow-Credentials", "true");


 


        //处理响应头缺失,信息漏洞


        resp.addHeader("X-Frame-Options","SAMEORIGIN");


        resp.addHeader("Referrer-Policy","origin");


        resp.addHeader("Content-Security-Policy","object-src 'self'");


        resp.addHeader("X-Permitted-Cross-Domain-Policies","master-only");


        resp.addHeader("X-Content-Type-Options","nosniff");


        resp.addHeader("X-XSS-Protection","1; mode=block");


        resp.addHeader("X-Download-Options","noopen");


        resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");


 


        //单页面应用,只允许一个页面index.html


        String servletPath = req.getServletPath();


        if(servletPath.contains(".html")){


            if(!servletPath.equals("/index.html") && !servletPath.equals("/doc.html") && !servletPath.equals("/mobile/index.html")){


                resp.setStatus(202);


                return;


            }


            HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper((HttpServletRequest)req);


            if(servletPath.equals("/index.html") && req.getParameter("n") == null) {


                RequestDispatcher dispatcher = wrapper.getRequestDispatcher("/");


                dispatcher.forward(request, resp);


                return;


            }


        }


 


        chain.doFilter(request, resp);


    }


 


    @Override


    public void destroy() {


 


    }


}