|
|
@@ -12,6 +12,8 @@ import javax.servlet.*;
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
import java.io.IOException;
|
|
|
+import java.net.URI;
|
|
|
+import java.net.URISyntaxException;
|
|
|
import java.util.Map;
|
|
|
/**
|
|
|
* cros跨域访问
|
|
|
@@ -43,36 +45,68 @@ public class CORSFilter implements Filter {
|
|
|
// 1. 获取请求的 Origin(跨域请求会带这个头)
|
|
|
String origin = httpRequest.getHeader("Origin");
|
|
|
|
|
|
- //2. 存在启用的CORS跨域白名单配置
|
|
|
+ // 2. 不存在启用的CORS跨域白名单配置,直接跳过
|
|
|
String sql = " select id_,biao_ti_,can_shu_zhi_1_ from t_zlcsb where shi_fou_qi_yong_ = 1 and jian_zhi_='%s'";
|
|
|
sql = String.format(sql,"CORS");
|
|
|
Map<String,Object> corszlcs = commonDao.queryOne(sql);
|
|
|
- if(BeanUtils.isEmpty(corszlcs)){//不启用跨域访白名单控制
|
|
|
+ if(BeanUtils.isEmpty(corszlcs)){
|
|
|
filterChain.doFilter(httpRequest, response);
|
|
|
- }else{
|
|
|
- String bmd = "";
|
|
|
- if(BeanUtils.isNotEmpty(corszlcs.get("can_shu_zhi_1_"))){
|
|
|
- bmd = (String)corszlcs.get("can_shu_zhi_1_");
|
|
|
- }
|
|
|
- //非服务器同域名访问,需要校验白名单
|
|
|
- if (origin != null && !origin.startsWith(httpRequest.getScheme() + "://" + httpRequest.getServerName())) {
|
|
|
- if (!bmd.contains(httpRequest.getServerName())) {
|
|
|
- log.info("杂类参数表中配置的允许访问的白名单不包括{},请联系管理员添加",httpRequest.getServerName());
|
|
|
- response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403
|
|
|
- response.getWriter().write("CORS not allowed ,please contract administrator");
|
|
|
- return;
|
|
|
- }
|
|
|
- filterChain.doFilter(httpRequest, response);
|
|
|
- }else{
|
|
|
- //origin为空放行,或者前端域名和服务器域名相同也放行
|
|
|
- filterChain.doFilter(httpRequest, response);
|
|
|
- }
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ //3.无Origin头(同源请求或非浏览器请求,健康检查),跳过
|
|
|
+ if (origin == null) {
|
|
|
+ filterChain.doFilter(httpRequest, response);
|
|
|
+ return;
|
|
|
}
|
|
|
+ //获取白名单配置
|
|
|
+ String bmd = BeanUtils.isNotEmpty(corszlcs.get("can_shu_zhi_1_")) ?
|
|
|
+ (String)corszlcs.get("can_shu_zhi_1_") : "";
|
|
|
|
|
|
+ //4.非同源请求且开启了跨域白名单配置,校验请求是否为白名单
|
|
|
+ // 提取请求来源的协议+域名(不含端口和路径)
|
|
|
+ String requestDomain = extractBaseDomain(origin);
|
|
|
+ String serverDomain = extractBaseDomain(httpRequest.getRequestURL().toString());
|
|
|
+
|
|
|
+ // 有Origin头(可能是跨域)
|
|
|
+ String currentDomain = httpRequest.getScheme() + "://" + httpRequest.getServerName();
|
|
|
+
|
|
|
+ if (requestDomain.equals(serverDomain)) {
|
|
|
+ // 情况2:同源请求(协议+域名相同,端口不同也视为同源)
|
|
|
+ filterChain.doFilter(httpRequest, response);
|
|
|
+ } else if (bmd.contains(requestDomain)) {
|
|
|
+ // 情况3:合法的跨域请求(白名单)
|
|
|
+ // 处理预检请求
|
|
|
+ /* if ("OPTIONS".equalsIgnoreCase(httpRequest.getMethod())) {
|
|
|
+ response.setStatus(HttpServletResponse.SC_OK);
|
|
|
+ return;
|
|
|
+ }*/
|
|
|
+ filterChain.doFilter(httpRequest, response);
|
|
|
+ } else {
|
|
|
+ // 情况4:非法的跨域请求
|
|
|
+ log.warn("跨域请求被拒绝:origin{} → {}", origin, httpRequest.getRequestURI());
|
|
|
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);//403
|
|
|
+ response.getWriter().write("Cross-origin request not allowed");
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
@Override
|
|
|
public void destroy() {
|
|
|
|
|
|
}
|
|
|
+
|
|
|
+ // 辅助方法:提取主域名(忽略端口和路径)
|
|
|
+ private String extractBaseDomain(String url) {
|
|
|
+ try {
|
|
|
+ URI uri = new URI(url);
|
|
|
+ String domain = uri.getHost();
|
|
|
+ // 处理可能是IP地址的情况
|
|
|
+ if (domain == null) {
|
|
|
+ domain = url.replaceFirst("^(https?://[^:/]+).*", "$1");
|
|
|
+ }
|
|
|
+ // 转换为小写避免大小写问题
|
|
|
+ return domain.toLowerCase();
|
|
|
+ } catch (URISyntaxException e) {
|
|
|
+ return url.replaceFirst("^(https?://[^:/]+).*", "$1").toLowerCase();
|
|
|
+ }
|
|
|
+ }
|
|
|
}
|
xiexh