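package com.whyc.filter;

import com.whyc.constant.YamlProperties;
import org.apache.commons.lang3.StringUtils;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;

/**
 * Request filter that (1) answers CORS only for origins on the configured allow-list,
 * (2) rejects every HTTP method except GET/POST outside dev profiles, (3) stamps the
 * standard hardening response headers and (4) enforces the single-page-application
 * rule that only a few {@code .html} paths may be served directly.
 *
 * @Description :
 * @date 2020/09/11
 **/
@WebFilter
public class CrossDomainFilter implements Filter {

    /** The only static pages that may be requested directly; any other {@code .html} path is refused. */
    private static final List<String> ALLOWED_HTML_PATHS =
            Arrays.asList("/index.html", "/doc.html", "/mobile/index.html");

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("执行了过滤器CrossDomainFilter");
    }

    /**
     * Applies the CORS, method, header and SPA rules described on the class, then either
     * short-circuits the response or passes the request down the chain.
     *
     * @throws IOException      if writing the 405 body fails
     * @throws ServletException propagated from the forward or the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpServletRequest req = (HttpServletRequest) request;

        applyCorsHeaders(req, resp);

        // Only GET and POST are accepted outside dev profiles (fail closed if the profile
        // is not configured at all).
        // NOTE(review): this also rejects CORS preflight (OPTIONS) in non-dev profiles, so a
        // cross-origin request that needs a preflight (e.g. one carrying the "token" header
        // allowed above) cannot succeed there — confirm that is intended.
        String method = req.getMethod().toUpperCase(Locale.ROOT);
        String profileType = YamlProperties.profileType;
        boolean devProfile = profileType != null && profileType.contains("dev");
        if (!devProfile && !("GET".equals(method) || "POST".equals(method))) {
            resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            resp.setContentType("text/html;charset=utf-8");
            resp.getWriter().write("不安全的请求");
            return;
        }

        applySecurityHeaders(resp);

        // Single-page application: only the listed html pages are served; /index.html
        // without the "n" parameter is forwarded to the context root.
        String servletPath = req.getServletPath();
        if (servletPath.contains(".html")) {
            if (!ALLOWED_HTML_PATHS.contains(servletPath)) {
                // Pre-existing behaviour: the request is dropped with an empty 202 body.
                resp.setStatus(202);
                return;
            }
            if ("/index.html".equals(servletPath) && req.getParameter("n") == null) {
                // HttpServletRequestWrapper.getRequestDispatcher delegates to the wrapped
                // request, so asking the request directly is equivalent.
                RequestDispatcher dispatcher = req.getRequestDispatcher("/");
                dispatcher.forward(request, resp);
                return;
            }
        }
        chain.doFilter(request, resp);
    }

    /**
     * Reflects the request {@code Origin} into the CORS headers only when it appears
     * verbatim in the configured allow-list ({@code YamlProperties.allowedCORSDomainList},
     * comma separated). Requests without an Origin header receive no CORS headers.
     */
    private static void applyCorsHeaders(HttpServletRequest req, HttpServletResponse resp) {
        String origin = req.getHeader("Origin");
        if (StringUtils.isBlank(origin)) {
            return; // not a cross-origin request, nothing to allow
        }
        // The response depends on Origin: tell shared caches not to reuse it across origins.
        resp.addHeader("Vary", "Origin");
        if (parseAllowedOrigins(YamlProperties.allowedCORSDomainList).contains(origin)) {
            resp.setHeader("Access-Control-Allow-Origin", origin);
            resp.setHeader("Access-Control-Allow-Headers", "X-Requested-With,content-type,token");
            resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
            resp.setHeader("Access-Control-Allow-Credentials", "true");
        }
    }

    /**
     * Splits the comma separated allow-list into individual origins. Entries are trimmed
     * and blank entries dropped, so surrounding whitespace in the configuration cannot
     * silently disable an entry.
     *
     * @param configured raw configuration value; {@code null} or blank means no origin is allowed
     * @return the configured origins, never {@code null}
     */
    private static List<String> parseAllowedOrigins(String configured) {
        List<String> allowed = new ArrayList<>();
        if (configured == null) {
            return allowed;
        }
        for (String entry : configured.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                allowed.add(trimmed);
            }
        }
        return allowed;
    }

    /**
     * Sets the hardening headers on every response that passes the method check
     * (clickjacking, referrer leakage, plugin content, MIME sniffing, HSTS) and exposes
     * {@code Content-Disposition} so cross-origin callers can read download file names.
     */
    private static void applySecurityHeaders(HttpServletResponse resp) {
        resp.setHeader("X-Frame-Options", "SAMEORIGIN");
        resp.setHeader("Referrer-Policy", "origin");
        resp.setHeader("Content-Security-Policy", "object-src 'self'");
        resp.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setHeader("X-XSS-Protection", "1; mode=block");
        resp.setHeader("X-Download-Options", "noopen");
        resp.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubdomains; preload");
        resp.setHeader("Access-Control-Expose-Headers", "Content-Disposition");
    }

    @Override
    public void destroy() {
    }
}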