|
|
@@ -1,142 +0,0 @@
|
|
|
-package com.lc.ibps.filter;
|
|
|
-
|
|
|
-import com.lc.ibps.base.core.util.BeanUtils;
|
|
|
-import com.lc.ibps.base.framework.table.ICommonDao;
|
|
|
-import org.activiti.engine.impl.asyncexecutor.AcquireTimerJobsRunnable;
|
|
|
-import org.slf4j.Logger;
|
|
|
-import org.slf4j.LoggerFactory;
|
|
|
-import org.springframework.stereotype.Component;
|
|
|
-
|
|
|
-import javax.annotation.Resource;
|
|
|
-import javax.servlet.*;
|
|
|
-import javax.servlet.http.HttpServletRequest;
|
|
|
-import javax.servlet.http.HttpServletResponse;
|
|
|
-import java.io.IOException;
|
|
|
-import java.net.URI;
|
|
|
-import java.net.URISyntaxException;
|
|
|
-import java.util.Map;
|
|
|
-/**
|
|
|
- * cros跨域访问和host头控制
|
|
|
- *
|
|
|
-* */
|
|
|
-@Component
|
|
|
-public class CORSFilter implements Filter {
|
|
|
- private static Logger log = LoggerFactory.getLogger(CORSFilter.class);
|
|
|
-
|
|
|
- @Resource
|
|
|
- private ICommonDao<?> commonDao;
|
|
|
-
|
|
|
- @Override
|
|
|
- public void init(FilterConfig filterConfig) throws ServletException {
|
|
|
-
|
|
|
- }
|
|
|
-
|
|
|
- @Override
|
|
|
- public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
|
|
|
- HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
|
|
|
- HttpServletResponse response = (HttpServletResponse) servletResponse;
|
|
|
-
|
|
|
- String requestPath = httpRequest.getRequestURI();
|
|
|
- if ("/health".equals(requestPath) || "/ping".equals(requestPath)) {
|
|
|
- // 是心跳检查请求
|
|
|
- filterChain.doFilter(httpRequest, response);
|
|
|
- return;
|
|
|
- }
|
|
|
- /**Host头验证*/
|
|
|
- String hostHeader = httpRequest.getHeader("Host");
|
|
|
- if (hostHeader != null) {
|
|
|
- // 从配置中获取允许的host列表(可以同样使用数据库配置)
|
|
|
- String hostSql = " select id_,biao_ti_,can_shu_zhi_1_ from t_zlcsb where shi_fou_qi_yong_ = 1 and jian_zhi_='%s'";
|
|
|
- hostSql = String.format(hostSql,"HOST");
|
|
|
- Map<String,Object> hostzlcs = commonDao.queryOne(hostSql);
|
|
|
- if(BeanUtils.isNotEmpty(hostzlcs)){
|
|
|
- //获取白名单配置
|
|
|
- String bmd = BeanUtils.isNotEmpty(hostzlcs.get("can_shu_zhi_1_")) ?
|
|
|
- (String)hostzlcs.get("can_shu_zhi_1_") : "";
|
|
|
- // 提取主机名(去掉端口)
|
|
|
- String requestHost = hostHeader.split(":")[0];
|
|
|
- if (!bmd.contains(requestHost)) {
|
|
|
- log.warn("白名单{}->非法Host头: {}",bmd, hostHeader);
|
|
|
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);//403
|
|
|
- response.getWriter().write("Invalid Host header not allowed");
|
|
|
- return;
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- // === Host头验证结束 ===
|
|
|
-// response.setHeader("Access-Control-Allow-Origin", "*");
|
|
|
-// response.setHeader("Access-Control-Max-Age", "3600");
|
|
|
-// response.setHeader("Access-Control-Allow-Headers", "accept, origin, content-type,x-requested-with,X-Authorization-access_token");
|
|
|
-// response.setHeader("Access-Control-Allow-Credentials", "true");
|
|
|
-// response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
|
|
|
- /**Origin验证*/
|
|
|
- // 1. 获取请求的 Origin(跨域请求会带这个头)
|
|
|
- String origin = httpRequest.getHeader("Origin");
|
|
|
-
|
|
|
- // 2. 不存在启用的CORS跨域白名单配置,直接跳过
|
|
|
- String sql = " select id_,biao_ti_,can_shu_zhi_1_ from t_zlcsb where shi_fou_qi_yong_ = 1 and jian_zhi_='%s'";
|
|
|
- sql = String.format(sql,"CORS");
|
|
|
- Map<String,Object> corszlcs = commonDao.queryOne(sql);
|
|
|
- if(BeanUtils.isEmpty(corszlcs)){
|
|
|
- filterChain.doFilter(httpRequest, response);
|
|
|
- return;
|
|
|
- }
|
|
|
- //3.无Origin头(同源请求或非浏览器请求),跳过
|
|
|
- if (origin == null) {
|
|
|
- filterChain.doFilter(httpRequest, response);
|
|
|
- return;
|
|
|
- }
|
|
|
- //获取白名单配置
|
|
|
- String bmd = BeanUtils.isNotEmpty(corszlcs.get("can_shu_zhi_1_")) ?
|
|
|
- (String)corszlcs.get("can_shu_zhi_1_") : "";
|
|
|
-
|
|
|
- //4.非同源请求且开启了跨域白名单配置,校验请求是否为白名单
|
|
|
- // 提取请求来源的协议+域名(不含端口和路径)
|
|
|
- String requestDomain = extractBaseDomain(origin);
|
|
|
- String serverDomain = extractBaseDomain(httpRequest.getRequestURL().toString());
|
|
|
-
|
|
|
- // 有Origin头(可能是跨域)
|
|
|
- //String currentDomain = httpRequest.getScheme() + "://" + httpRequest.getServerName();
|
|
|
- String currentDomain = httpRequest.getServerName();
|
|
|
-
|
|
|
- if (requestDomain.equals(currentDomain)) {
|
|
|
- // 情况2:同源请求(协议+域名相同,端口不同也视为同源)
|
|
|
- filterChain.doFilter(httpRequest, response);
|
|
|
- } else if (bmd.contains(requestDomain)) {
|
|
|
- // 情况3:合法的跨域请求(白名单)
|
|
|
- // 处理预检请求
|
|
|
- /* if ("OPTIONS".equalsIgnoreCase(httpRequest.getMethod())) {
|
|
|
- response.setStatus(HttpServletResponse.SC_OK);
|
|
|
- return;
|
|
|
- }*/
|
|
|
- filterChain.doFilter(httpRequest, response);
|
|
|
- } else {
|
|
|
- // 情况4:非法的跨域请求
|
|
|
- log.warn("跨域请求被拒绝:{} → {}", origin, httpRequest.getRequestURI());
|
|
|
- log.warn("requestDomain:{} → serverDomain:{}->currentDomain:{}", requestDomain, httpRequest.getRequestURI(),currentDomain);
|
|
|
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);//403
|
|
|
- response.getWriter().write("Cross-origin request not allowed");
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- @Override
|
|
|
- public void destroy() {
|
|
|
-
|
|
|
- }
|
|
|
-
|
|
|
- // 辅助方法:提取主域名(忽略端口和路径)
|
|
|
- private String extractBaseDomain(String url) {
|
|
|
- try {
|
|
|
- URI uri = new URI(url);
|
|
|
- String domain = uri.getHost();
|
|
|
- // 处理可能是IP地址的情况
|
|
|
- if (domain == null) {
|
|
|
- domain = url.replaceFirst("^(https?://[^:/]+).*", "$1");
|
|
|
- }
|
|
|
- // 转换为小写避免大小写问题
|
|
|
- return domain.toLowerCase();
|
|
|
- } catch (URISyntaxException e) {
|
|
|
- return url.replaceFirst("^(https?://[^:/]+).*", "$1").toLowerCase();
|
|
|
- }
|
|
|
- }
|
|
|
-}
|
