fg_v2.0.git - Gitblit

			@@ -1,12 +1,18 @@
			package com.whyc.filter;

			import com.whyc.constant.YamlProperties;
			import org.apache.commons.lang3.StringUtils;
			import org.springframework.core.annotation.Order;

			import javax.servlet.*;
			import javax.servlet.annotation.WebFilter;
			import javax.servlet.http.HttpServletRequest;
			import javax.servlet.http.HttpServletRequestWrapper;
			import javax.servlet.http.HttpServletResponse;
			import java.io.IOException;
			import java.util.Arrays;
			import java.util.LinkedList;
			import java.util.List;

			/**
			* @Description :
			@@ -26,11 +32,65 @@
			HttpServletResponse resp= (HttpServletResponse) response;
			HttpServletRequest req= (HttpServletRequest) request;
			String origin = req.getHeader("Origin");
			// String origin = "http://localhost:8080";
			resp.setHeader("Access-Control-Allow-Origin", origin);
			resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");
			resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");
			resp.setHeader("Access-Control-Allow-Credentials", "true");
			if(StringUtils.isNotBlank(origin)) { //没有origin来源,不允许跨域设置
			String allowedCORSDomainList = YamlProperties.allowedCORSDomainList;
			List<String> allowedList = new LinkedList<>();
			if (!allowedCORSDomainList.equals("")) { //存在跨域白名单,判断,设置
			String[] allowedCORSDomain = allowedCORSDomainList.split(",");
			allowedList = Arrays.asList(allowedCORSDomain);
			if (allowedList.contains(origin)) {
			resp.setHeader("Access-Control-Allow-Origin", origin);
			resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");
			//resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH");
			//resp.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, PATCH");
			resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
			resp.setHeader("Access-Control-Allow-Credentials", "true");
			}
			}
			}

			//只准使用GET,POST
			String method = req.getMethod().toUpperCase();
			String profileType = YamlProperties.profileType;
			if(!profileType.contains("dev") && !(method.equals("GET")\|\|method.equals("POST"))){
			resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
			response.setContentType("text/html;charset=utf-8");
			response.getWriter().write("不安全的请求");
			return;
			}
			//处理响应头缺失,信息漏洞
			/*resp.addHeader("X-Frame-Options","SAMEORIGIN");
			resp.addHeader("Referrer-Policy","origin");
			resp.addHeader("Content-Security-Policy","object-src 'self'");
			resp.addHeader("X-Permitted-Cross-Domain-Policies","master-only");
			resp.addHeader("X-Content-Type-Options","nosniff");
			resp.addHeader("X-XSS-Protection","1; mode=block");
			resp.addHeader("X-Download-Options","noopen");
			resp.addHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");*/
			//resp.setHeader("X-Frame-Options","SAMEORIGIN");
			resp.setHeader("Referrer-Policy","origin");
			resp.setHeader("Content-Security-Policy","object-src 'self'");
			resp.setHeader("X-Permitted-Cross-Domain-Policies","master-only");
			resp.setHeader("X-Content-Type-Options","nosniff");
			resp.setHeader("X-XSS-Protection","1; mode=block");
			resp.setHeader("X-Download-Options","noopen");
			resp.setHeader("Strict-Transport-Security","max-age=63072000; includeSubdomains; preload");


			//单页面应用,只允许一个页面index.html
			String servletPath = req.getServletPath();
			if(servletPath.contains(".html")){
			if(!servletPath.equals("/index.html") && !servletPath.equals("/doc.html") && !servletPath.equals("/mobile/index.html")){
			resp.setStatus(202);
			return;
			}
			HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper((HttpServletRequest)req);
			if(servletPath.equals("/index.html") && req.getParameter("n") == null) {
			RequestDispatcher dispatcher = wrapper.getRequestDispatcher("/");
			dispatcher.forward(request, resp);
			return;
			}
			}

			chain.doFilter(request, resp);
			}