密码验证加-

whyclxw

2025-05-28 e16302f9d475c7cc4dd18c5abf1a23cb5502e362

 src/main/java/com/whyc/filter/CrossDomainFilter.java

@@ -1,5 +1,7 @@
package com.whyc.filter;

import com.whyc.constant.YamlProperties;
import org.apache.commons.lang3.StringUtils;
import org.springframework.core.annotation.Order;

import javax.servlet.*;
@@ -8,6 +10,9 @@
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;

/**
 * @Description :
@@ -27,21 +32,50 @@
        HttpServletResponse resp= (HttpServletResponse) response;
        HttpServletRequest req= (HttpServletRequest) request;
        String origin = req.getHeader("Origin");
        // String origin = "http://localhost:8080";
        resp.setHeader("Access-Control-Allow-Origin", origin);
        resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");
        resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");
        resp.setHeader("Access-Control-Allow-Credentials", "true");
        if(StringUtils.isNotBlank(origin)) { //没有origin来源,不允许跨域设置
            String allowedCORSDomainList = YamlProperties.allowedCORSDomainList;
            List<String> allowedList = new LinkedList<>();
            if (!allowedCORSDomainList.equals("")) { //存在跨域白名单,判断,设置
                String[] allowedCORSDomain = allowedCORSDomainList.split(",");
                allowedList = Arrays.asList(allowedCORSDomain);
                if (allowedList.contains(origin)) {
                    resp.setHeader("Access-Control-Allow-Origin", origin);
                    resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");
                    //resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");
                    //resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, PATCH");
                    resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
                    resp.setHeader("Access-Control-Allow-Credentials", "true");
                }
            }
        }

        //只准使用GET,POST
        String method = req.getMethod().toUpperCase();
        String profileType = YamlProperties.profileType;
        if(!profileType.contains("dev") && !(method.equals("GET")||method.equals("POST"))){
            resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            response.setContentType("text/html;charset=utf-8");
            response.getWriter().write("不安全的请求");
            return;
        }
        //处理响应头缺失,信息漏洞
        resp.addHeader("X-Frame-Options","SAMEORIGIN");
        /*resp.addHeader("X-Frame-Options","SAMEORIGIN");
        resp.addHeader("Referrer-Policy","origin");
        resp.addHeader("Content-Security-Policy","object-src 'self'");
        resp.addHeader("X-Permitted-Cross-Domain-Policies","master-only");
        resp.addHeader("X-Content-Type-Options","nosniff");
        resp.addHeader("X-XSS-Protection","1; mode=block");
        resp.addHeader("X-Download-Options","noopen");
        resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");
        resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");*/
        //resp.setHeader("X-Frame-Options","SAMEORIGIN");
        resp.setHeader("Referrer-Policy","origin");
        resp.setHeader("Content-Security-Policy","object-src 'self'");
        resp.setHeader("X-Permitted-Cross-Domain-Policies","master-only");
        resp.setHeader("X-Content-Type-Options","nosniff");
        resp.setHeader("X-XSS-Protection","1; mode=block");
        resp.setHeader("X-Download-Options","noopen");
        resp.setHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");


        //单页面应用,只允许一个页面index.html
        String servletPath = req.getServletPath();