
Merge remote-tracking branch 'origin/matser' into matser

wy 9 mesi fa
parent
commit
7b3f879b5a

+ 1 - 1
ibps-basic-root/modules/basic-swagger/src/main/java/com/lc/ibps/cloud/swagger/SwaggerConfig.java

@@ -40,7 +40,7 @@ public class SwaggerConfig {
 	private String docs = "v2/api-docs";
 	
 	public static final String disableKey = "swagger.disable";
-	private boolean disable = false;
+	private boolean disable = true;
 	
 	public static final String versionKey = "app.version";
 	private String version;
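Review bot: The flipped default `private boolean disable = true;` is undocumented, and because this is a merge commit there is no message saying why the API docs are now off out of the box; the only hint is the neighbouring `disableKey = "swagger.disable"`, whose use lies outside the hunk. A one-line comment on the field would spare the next reader the search, e.g. `// Docs endpoint (v2/api-docs) is off unless swagger.disable is explicitly set to false` — assuming that property is what drives this field, which should be confirmed where it is read. The enclosing class continues outside the hunk.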

+ 10 - 0
ibps-comp-root/modules/comp-raqsoft-web/src/main/webapp/WEB-INF/web.xml

@@ -302,4 +302,14 @@
 	<session-config>
 		<session-timeout>30</session-timeout>
 	</session-config>
+	<!-- 禁用 TRACE/TRACK方法 -->
+	<security-constraint>
+		<web-resource-collection>
+			<web-resource-name>Deny TRACE/TRACK</web-resource-name>
+			<url-pattern>/*</url-pattern>
+			<http-method>TRACE</http-method>
+			<http-method>TRACK</http-method>
+		</web-resource-collection>
+		<auth-constraint/>
+	</security-constraint>
 </web-app>
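Review bot: The new constraint relies on the empty `<auth-constraint/>` to reject TRACE/TRACK, which is easy to misread as "no authentication required"; suggest making the comment say what the element does, e.g. `<!-- Block TRACE/TRACK on every URL: an empty auth-constraint permits no role, so the container rejects these methods outright -->`. Whether a `security-constraint` may appear after `session-config` depends on the `web-app` version declared at the top of the file (outside the hunk): the 2.3 DTD fixes element order, the 2.4+ schema does not, so it is worth checking that the deployment descriptor still validates. TRACK is an IIS extension rather than a standard HTTP method, so listing it is harmless but could be noted in the same comment.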

+ 142 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/filter/CORSFilter.java

@@ -0,0 +1,142 @@
+package com.lc.ibps.filter;
+
+import com.lc.ibps.base.core.util.BeanUtils;
+import com.lc.ibps.base.framework.table.ICommonDao;
+import org.activiti.engine.impl.asyncexecutor.AcquireTimerJobsRunnable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import javax.annotation.Resource;
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Map;
+/**
+ * cros跨域访问和host头控制
+ *
+* */
+@Component
+public class CORSFilter implements Filter {
+    private static Logger log = LoggerFactory.getLogger(CORSFilter.class);
+
+    @Resource
+    private ICommonDao<?> commonDao;
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+
+        String requestPath = httpRequest.getRequestURI();
+        if ("/health".equals(requestPath) || "/ping".equals(requestPath)) {
+            // 是心跳检查请求
+            filterChain.doFilter(httpRequest, response);
+            return;
+        }
+        /**Host头验证*/
+        String hostHeader = httpRequest.getHeader("Host");
+        if (hostHeader != null) {
+            // 从配置中获取允许的host列表(可以同样使用数据库配置)
+            String hostSql = " select id_,biao_ti_,can_shu_zhi_1_ from t_zlcsb where shi_fou_qi_yong_ = 1 and jian_zhi_='%s'";
+            hostSql = String.format(hostSql,"HOST");
+            Map<String,Object> hostzlcs = commonDao.queryOne(hostSql);
+            if(BeanUtils.isNotEmpty(hostzlcs)){
+                //获取白名单配置
+                String bmd = BeanUtils.isNotEmpty(hostzlcs.get("can_shu_zhi_1_")) ?
+                        (String)hostzlcs.get("can_shu_zhi_1_") : "";
+                // 提取主机名(去掉端口)
+                String requestHost = hostHeader.split(":")[0];
+                if (!bmd.contains(requestHost)) {
+                    log.warn("白名单{}->非法Host头: {}",bmd, hostHeader);
+                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);//403
+                    response.getWriter().write("Invalid Host header not allowed");
+                    return;
+                }
+            }
+        }
+        // === Host头验证结束 ===
+//		response.setHeader("Access-Control-Allow-Origin", "*");
+//      response.setHeader("Access-Control-Max-Age", "3600");
+//		response.setHeader("Access-Control-Allow-Headers", "accept, origin, content-type,x-requested-with,X-Authorization-access_token");
+//		response.setHeader("Access-Control-Allow-Credentials", "true");
+//		response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
+        /**Origin验证*/
+        // 1. 获取请求的 Origin(跨域请求会带这个头)
+        String origin = httpRequest.getHeader("Origin");
+
+        // 2. 不存在启用的CORS跨域白名单配置,直接跳过
+        String sql = " select id_,biao_ti_,can_shu_zhi_1_ from t_zlcsb where shi_fou_qi_yong_ = 1 and jian_zhi_='%s'";
+        sql = String.format(sql,"CORS");
+        Map<String,Object> corszlcs = commonDao.queryOne(sql);
+        if(BeanUtils.isEmpty(corszlcs)){
+            filterChain.doFilter(httpRequest, response);
+            return;
+        }
+        //3.无Origin头(同源请求或非浏览器请求),跳过
+        if (origin == null) {
+            filterChain.doFilter(httpRequest, response);
+            return;
+        }
+        //获取白名单配置
+        String bmd = BeanUtils.isNotEmpty(corszlcs.get("can_shu_zhi_1_")) ?
+                (String)corszlcs.get("can_shu_zhi_1_") : "";
+
+        //4.非同源请求且开启了跨域白名单配置,校验请求是否为白名单
+        // 提取请求来源的协议+域名(不含端口和路径)
+        String requestDomain = extractBaseDomain(origin);
+        String serverDomain = extractBaseDomain(httpRequest.getRequestURL().toString());
+
+        // 有Origin头(可能是跨域)
+        //String currentDomain = httpRequest.getScheme() + "://" + httpRequest.getServerName();
+        String currentDomain =  httpRequest.getServerName();
+
+        if (requestDomain.equals(currentDomain)) {
+            // 情况2:同源请求(协议+域名相同,端口不同也视为同源)
+            filterChain.doFilter(httpRequest, response);
+        } else if (bmd.contains(requestDomain)) {
+            // 情况3:合法的跨域请求(白名单)
+            // 处理预检请求
+         /*   if ("OPTIONS".equalsIgnoreCase(httpRequest.getMethod())) {
+                response.setStatus(HttpServletResponse.SC_OK);
+                return;
+            }*/
+            filterChain.doFilter(httpRequest, response);
+        } else {
+            // 情况4:非法的跨域请求
+            log.warn("跨域请求被拒绝:{} → {}", origin, httpRequest.getRequestURI());
+            log.warn("requestDomain:{} → serverDomain:{}->currentDomain:{}", requestDomain, httpRequest.getRequestURI(),currentDomain);
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);//403
+            response.getWriter().write("Cross-origin request not allowed");
+        }
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+    // 辅助方法:提取主域名(忽略端口和路径)
+    private String extractBaseDomain(String url) {
+        try {
+            URI uri = new URI(url);
+            String domain = uri.getHost();
+            // 处理可能是IP地址的情况
+            if (domain == null) {
+                domain = url.replaceFirst("^(https?://[^:/]+).*", "$1");
+            }
+            // 转换为小写避免大小写问题
+            return domain.toLowerCase();
+        } catch (URISyntaxException e) {
+            return url.replaceFirst("^(https?://[^:/]+).*", "$1").toLowerCase();
+        }
+    }
+}
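Review bot: `bmd.contains(requestHost)` (the Host check) and `bmd.contains(requestDomain)` (the Origin check) treat the configured whitelist as a substring haystack, so any Host or Origin whose host name is a substring of the configured value passes — `example.com` when `app.example.com` is listed, or even `com` — and both headers are under the client's control. `hostHeader.split(":")[0]` also throws ArrayIndexOutOfBoundsException for a bare `:` Host value and yields `[` for an IPv6 literal such as `[::1]:8080`, and the value is never lower-cased although `extractBaseDomain` lower-cases the Origin side. The rewrite below splits the list into entries and compares each one exactly and case-insensitively (the delimiter is assumed to be a comma or semicolon — confirm against the `t_zlcsb` value format), and parses the Host header without `split`. Smaller points: `serverDomain` is computed but never used and the second `log.warn` prints `getRequestURI()` under the `serverDomain` label; the `AcquireTimerJobsRunnable` import is unused; and both fallback branches in `extractBaseDomain` return `scheme://host` rather than the bare host, so on that path the comparison with `getServerName()` can never match.
```java
// … unchanged: casts, health-check bypass, t_zlcsb lookup for key HOST …
String requestHost = hostOnly(hostHeader);
if (!isWhitelisted(bmd, requestHost)) {
    // … unchanged: 403 response …
}
// … unchanged: t_zlcsb lookup for key CORS, Origin == null bypass, same-origin case …
} else if (isWhitelisted(bmd, requestDomain)) {
    // … unchanged …

/**
 * Exact, case-insensitive match of {@code host} against the configured list.
 * String.contains would accept any substring of the whitelist, so a separate
 * entry is required. Delimiter assumed to be ',' or ';' — TODO confirm against
 * the t_zlcsb value format.
 */
private static boolean isWhitelisted(String whitelist, String host) {
    if (whitelist == null || host == null || host.isEmpty()) {
        return false;
    }
    for (String entry : whitelist.split("[,;\\s]+")) {
        if (entry.equalsIgnoreCase(host)) {
            return true;
        }
    }
    return false;
}

/**
 * Host name only from a Host header: handles "host", "host:port" and
 * "[v6]:port" without the ArrayIndexOutOfBounds that ":".split(":")[0] throws.
 */
private static String hostOnly(String hostHeader) {
    String h = hostHeader.trim();
    if (h.startsWith("[")) {
        int end = h.indexOf(']');
        return end > 0 ? h.substring(1, end) : h;
    }
    int colon = h.indexOf(':');
    return colon >= 0 ? h.substring(0, colon) : h;
}
```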