Cors过滤器用于localhost和分段url

Cors过滤器用于localhost和分段url

本文介绍了Cors过滤器用于localhost和分段url的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我们正在开发一个java-spring mvc项目。
为了使客户团队能够连接到我们的服务,我们创建了一个CorsFilter:

  @Override 
protected void doFilterInternal(HttpServletRequest请求,HttpServletResponse响应,FilterChain filterChain)throws ServletException,
IOException {

//填充CORS所需的标题

String responseURL = this.corsMap.get(request.getServerName()。toString());
response.addHeader(
Access-Control-Allow-Origin,
(responseURL == null?https://default.ourCompany.com:responseURL));

response.addHeader(
Access-Control-Allow-Credentials,
true);

if(request.getHeader(Access-Control-Request-Method)!= null&OPTIONS.equals(request.getMethod())){
/ / CORS飞行前请求
response.addHeader(
Access-Control-Allow-Methods,
GET,POST,PUT,DELETE);
response.addHeader(
Access-Control-Allow-Headers,
X-Requested-With,Origin,Content-Type,Accept);
}

filterChain.doFilter(
request,
response);
}

注意事项:



1)我们允​​许任何OPTIONS传入请求的所有。



2)我们允许Access-Control-Allow-Headers 3)一个名为corsMap的映射包含了所有的客户端url以及它们到服务器url的映射,如下:

  10.110.0.55-> http:// localhost 
10.110.0.66-> https://some.other。 url

现在我们有一个问题:



我们希望使用来自和。我们如何实现呢? (这里的问题是,只允许一个客户端URL,如果客户端请求可以从多个URL接收 - 我们不能确定允许什么)。

解决方案

对于跨域请求,请求将具有一个Origin头,稍后将与Access-Control-Allow-Origin响应头匹配



所以,我认为,编码 doFilterInternal 如下应该工作:

  @Override 
protected void doFilterInternal(HttpServletRequest请求,HttpServletResponse响应,FilterChain filterChain)throws ServletException,
IOException {

String clientURL = request.getHeader(Origin);
response.addHeader(
Access-Control-Allow-Origin,
isInWhileList(clientURL)?clientUrl:https://default.ourCompany.com;
。 ..

注意



最新版本的Spring具有来配置CORS,它有一个 allowedOrigins 方法,可以采用一系列列入白名单的网址。



您也可以参考的源代码来获取具体示例。


We are developing a java-spring mvc project.In order for the client team to be able to connect to our services we created a CorsFilter:

  @Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException,
    IOException {

// populating the header required for CORS

String responseURL = this.corsMap.get(request.getServerName().toString());
response.addHeader(
           "Access-Control-Allow-Origin",
           (responseURL == null ? "https://default.ourCompany.com" : responseURL));

response.addHeader(
           "Access-Control-Allow-Credentials",
           "true");

if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
    // CORS "pre-flight" request
    response.addHeader(
               "Access-Control-Allow-Methods",
               "GET, POST, PUT, DELETE");
    response.addHeader(
               "Access-Control-Allow-Headers",
               "X-Requested-With,Origin,Content-Type, Accept");
}

filterChain.doFilter(
             request,
             response);
}

Things to note:

1) we allow all for any OPTIONS incoming request.

2) We allow specific ip for "Access-Control-Allow-Headers" (since "Access-Control-Allow-Credentials"=true requires so)

3) a map called corsMap contains all the client urls and their mapping to server urls, like so:

10.110.0.55->http://localhost
10.110.0.66->https://some.other.url

Now we have a problem:

We would like to use clients from "http://localhost" AND from "http://some.other.url". how can we achieve that? (the problem here is that only a single client URL is allowed, and if the clients request can be received from multiple URL - we wont be able to determine what to allow).

解决方案

For cross domain requests, the request would be having an "Origin" header, which would later get matched with the "Access-Control-Allow-Origin" response header (that we provide in the above filter).

So, I think, coding the doFilterInternal as below should work:

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException,
    IOException {

    String clientURL = request.getHeader("Origin");
    response.addHeader(
           "Access-Control-Allow-Origin",
           isInWhileList(clientURL) ? clientUrl : "https://default.ourCompany.com";
    ...

Note:

The latest version of Spring has a new way to configure CORS, which has an allowedOrigins method, which can take an array of whitelisted URLs.

You can also refer to Spring Lemon's source code for a concrete example.

这篇关于Cors过滤器用于localhost和分段url的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-12 22:05