|
|
@@ -16,7 +16,7 @@ import java.net.URI;
|
|
|
import java.net.URISyntaxException;
|
|
|
import java.util.Map;
|
|
|
/**
|
|
|
- * cros跨域访问
|
|
|
+ * cros跨域访问和host头控制
|
|
|
*
|
|
|
* */
|
|
|
@Component
|
|
|
@@ -36,12 +36,40 @@ public class CORSFilter implements Filter {
|
|
|
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
|
|
|
HttpServletResponse response = (HttpServletResponse) servletResponse;
|
|
|
|
|
|
+ String requestPath = httpRequest.getRequestURI();
|
|
|
+ if ("/health".equals(requestPath) || "/ping".equals(requestPath)) {
|
|
|
+ // 是心跳检查请求
|
|
|
+ filterChain.doFilter(httpRequest, response);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ /**Host头验证*/
|
|
|
+ String hostHeader = httpRequest.getHeader("Host");
|
|
|
+ if (hostHeader != null) {
|
|
|
+ // 从配置中获取允许的host列表(可以同样使用数据库配置)
|
|
|
+ String hostSql = " select id_,biao_ti_,can_shu_zhi_1_ from t_zlcsb where shi_fou_qi_yong_ = 1 and jian_zhi_='%s'";
|
|
|
+ hostSql = String.format(hostSql,"HOST");
|
|
|
+ Map<String,Object> hostzlcs = commonDao.queryOne(hostSql);
|
|
|
+ if(BeanUtils.isNotEmpty(hostzlcs)){
|
|
|
+ //获取白名单配置
|
|
|
+ String bmd = BeanUtils.isNotEmpty(hostzlcs.get("can_shu_zhi_1_")) ?
|
|
|
+ (String)hostzlcs.get("can_shu_zhi_1_") : "";
|
|
|
+ // 提取主机名(去掉端口)
|
|
|
+ String requestHost = hostHeader.split(":")[0];
|
|
|
+ if (!bmd.contains(requestHost)) {
|
|
|
+ log.warn("白名单{}->非法Host头: {}",bmd, hostHeader);
|
|
|
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);//403
|
|
|
+ response.getWriter().write("Invalid Host header not allowed");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ // === Host头验证结束 ===
|
|
|
// response.setHeader("Access-Control-Allow-Origin", "*");
|
|
|
// response.setHeader("Access-Control-Max-Age", "3600");
|
|
|
// response.setHeader("Access-Control-Allow-Headers", "accept, origin, content-type,x-requested-with,X-Authorization-access_token");
|
|
|
// response.setHeader("Access-Control-Allow-Credentials", "true");
|
|
|
// response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
|
|
|
-
|
|
|
+ /**Origin验证*/
|
|
|
// 1. 获取请求的 Origin(跨域请求会带这个头)
|
|
|
String origin = httpRequest.getHeader("Origin");
|
|
|
|
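Review bot: The allow-list test at `if (!bmd.contains(requestHost))` is a substring match in the wrong direction — it passes whenever the request's host name occurs anywhere inside the configured value, so a Host such as `com`, a single letter, or the empty string (which `split(":")[0]` yields for a header beginning with `:`) is accepted if the configured string happens to contain it, while an empty configured value rejects every host and a missing config row (`hostzlcs` empty) skips the check entirely. Compare the request host against each configured entry with an exact, case-insensitive match instead, and handle bracketed IPv6 literals such as `[::1]:8080` before the `:` split, since `split(":")[0]` reduces them to `[`. The delimiter of the stored list is not visible in this hunk, so the rewrite below assumes a comma and uses `java.util.Arrays`, which the file does not yet import. Also consider setting a content type on the 403 body, and whether a database lookup on every request is acceptable for this filter. The enclosing `doFilter` begins before and continues after this hunk.
```java
// … unchanged: heartbeat bypass, config lookup, bmd extraction …
// Host may carry a port; bracketed IPv6 literals ("[::1]:8080") contain ':' themselves
String requestHost;
if (hostHeader.startsWith("[") && hostHeader.indexOf(']') > 0) {
    requestHost = hostHeader.substring(1, hostHeader.indexOf(']'));
} else {
    requestHost = hostHeader.split(":")[0];
}
// exact, case-insensitive match against each configured entry — not a substring test
// NOTE(review): entry delimiter assumed to be ',' — confirm against how can_shu_zhi_1_ is stored
boolean hostAllowed = Arrays.stream(bmd.split(","))
        .map(String::trim)
        .anyMatch(h -> !h.isEmpty() && h.equalsIgnoreCase(requestHost));
if (!hostAllowed) {
    // … unchanged: warn log, 403 status, response body, return …
}
```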
|
|
@@ -53,7 +81,7 @@ public class CORSFilter implements Filter {
|
|
|
filterChain.doFilter(httpRequest, response);
|
|
|
return;
|
|
|
}
|
|
|
- //3.无Origin头(同源请求或非浏览器请求,健康检查),跳过
|
|
|
+ //3.无Origin头(同源请求或非浏览器请求),跳过
|
|
|
if (origin == null) {
|
|
|
filterChain.doFilter(httpRequest, response);
|
|
|
return;
|