Cors过滤器用于localhost和分段url [英] Cors filter for localhost and staging url
问题描述
我们正在开发一个java-spring mvc项目。
为了使客户团队能够连接到我们的服务,我们创建了一个CorsFilter:
@Override
protected void doFilterInternal(HttpServletRequest请求,HttpServletResponse响应,FilterChain filterChain)throws ServletException,
IOException {
//填充CORS所需的标题
String responseURL = this.corsMap.get(request.getServerName()。toString());
response.addHeader(
Access-Control-Allow-Origin,
(responseURL == null?https://default.ourCompany.com:responseURL));
response.addHeader(
Access-Control-Allow-Credentials,
true);
if(request.getHeader(Access-Control-Request-Method)!= null&OPTIONS.equals(request.getMethod())){
/ / CORS飞行前请求
response.addHeader(
Access-Control-Allow-Methods,
GET,POST,PUT,DELETE);
response.addHeader(
Access-Control-Allow-Headers,
X-Requested-With,Origin,Content-Type,Accept);
}
filterChain.doFilter(
request,
response);
}
注意事项:
1)我们允许任何OPTIONS传入请求的所有。
2)我们允许Access-Control-Allow-Headers 3)一个名为corsMap的映射包含了所有的客户端url以及它们到服务器url的映射,如下:
10.110.0.55-> http:// localhost
10.110.0.66-> https://some.other。 url
现在我们有一个问题:
我们希望使用来自 http:// localhost 和 http://some.other.url 。我们如何实现呢? (这里的问题是,只允许一个客户端URL,如果客户端请求可以从多个URL接收 - 我们不能确定允许什么)。
对于跨域请求,请求将具有一个Origin头,稍后将与Access-Control-Allow-Origin响应头匹配
所以,我认为,编码 doFilterInternal 如下应该工作:
@Override
protected void doFilterInternal(HttpServletRequest请求,HttpServletResponse响应,FilterChain filterChain)throws ServletException,
IOException {
String clientURL = request.getHeader(Origin);
response.addHeader(
Access-Control-Allow-Origin,
isInWhileList(clientURL)?clientUrl:https://default.ourCompany.com;
。 ..
注意:
最新版本的Spring具有新的方法来配置CORS,它有一个 allowedOrigins 方法,可以采用一系列列入白名单的网址。
您也可以参考 Spring Lemon 的源代码来获取具体示例。
We are developing a java-spring mvc project. In order for the client team to be able to connect to our services we created a CorsFilter:
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException,
IOException {
// populating the header required for CORS
String responseURL = this.corsMap.get(request.getServerName().toString());
response.addHeader(
"Access-Control-Allow-Origin",
(responseURL == null ? "https://default.ourCompany.com" : responseURL));
response.addHeader(
"Access-Control-Allow-Credentials",
"true");
if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
// CORS "pre-flight" request
response.addHeader(
"Access-Control-Allow-Methods",
"GET, POST, PUT, DELETE");
response.addHeader(
"Access-Control-Allow-Headers",
"X-Requested-With,Origin,Content-Type, Accept");
}
filterChain.doFilter(
request,
response);
}
Things to note:
1) we allow all for any OPTIONS incoming request.
2) We allow specific ip for "Access-Control-Allow-Headers" (since "Access-Control-Allow-Credentials"=true requires so)
3) a map called corsMap contains all the client urls and their mapping to server urls, like so:
10.110.0.55->http://localhost
10.110.0.66->https://some.other.url
Now we have a problem:
We would like to use clients from "http://localhost" AND from "http://some.other.url". how can we achieve that? (the problem here is that only a single client URL is allowed, and if the clients request can be received from multiple URL - we wont be able to determine what to allow).
For cross domain requests, the request would be having an "Origin" header, which would later get matched with the "Access-Control-Allow-Origin" response header (that we provide in the above filter).
So, I think, coding the doFilterInternal as below should work:
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException,
IOException {
String clientURL = request.getHeader("Origin");
response.addHeader(
"Access-Control-Allow-Origin",
isInWhileList(clientURL) ? clientUrl : "https://default.ourCompany.com";
...
Note:
The latest version of Spring has a new way to configure CORS, which has an allowedOrigins method, which can take an array of whitelisted URLs.
You can also refer to Spring Lemon's source code for a concrete example.
这篇关于Cors过滤器用于localhost和分段url的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
