监控台
blame | 历史 | 补丁 | 提交 | 提交对比 | ignore whitespace
whyclxw
2024-07-01 0ce771b4a4ff5897dc91bb1b84a4561781b00ca5 
 src/main/java/com/whyc/filter/CrossDomainFilter.java


@@ -1,11 +1,17 @@


package com.whyc.filter;




import com.whyc.constant.YamlProperties;


import org.apache.commons.lang3.StringUtils;




import javax.servlet.*;


import javax.servlet.annotation.WebFilter;


import javax.servlet.http.HttpServletRequest;


import javax.servlet.http.HttpServletRequestWrapper;


import javax.servlet.http.HttpServletResponse;


import java.io.IOException;


import java.util.Arrays;


import java.util.LinkedList;


import java.util.List;




/**


 * @Description :


@@ -25,12 +31,21 @@


        HttpServletResponse resp= (HttpServletResponse) response;


        HttpServletRequest req= (HttpServletRequest) request;


        String origin = req.getHeader("Origin");


        // String origin = "http://localhost:8080";


        resp.setHeader("Access-Control-Allow-Origin", origin);


        resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");


        resp.setHeader("Access-Control-Expose-Headers", "content-disposition");


        resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");


        resp.setHeader("Access-Control-Allow-Credentials", "true");


        if(StringUtils.isNotBlank(origin)) { //没有origin来源,不允许跨域设置


            String allowedCORSDomainList = YamlProperties.allowedCORSDomainList;


            List<String> allowedList = new LinkedList<>();


            if (!allowedCORSDomainList.equals("")) { //存在跨域白名单,判断,设置


                String[] allowedCORSDomain = allowedCORSDomainList.split(",");


                allowedList = Arrays.asList(allowedCORSDomain);


                if (allowedList.contains(origin)) {


                    resp.setHeader("Access-Control-Allow-Origin", origin);


                    resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");


                    //resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");


                    resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, PATCH");


                    resp.setHeader("Access-Control-Allow-Credentials", "true");


                }


            }


        }




        //处理响应头缺失,信息漏洞


        resp.addHeader("X-Frame-Options","SAMEORIGIN");