CORS“跨域资源共享”，后端跨域处理（代码、nginx）_cors(跨域资源共享)漏洞 filterregistrationbean

一、什么是跨域？

当一个请求url的协议、域名、端口三者之间任意一个与当前页面url不同即为跨域

@Configuration
public class WebMvcConfiguration implements WebMvcConfigurer {


 @Bean
 public CorsFilter corsFilter() {
  final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
  final CorsConfiguration corsConfiguration = new CorsConfiguration();
  /* 是否允许请求带有验证信息 */
  corsConfiguration.setAllowCredentials(true);
  /* 允许访问的客户端域名 */
  corsConfiguration.addAllowedOrigin("*");
  /* 允许服务端访问的客户端请求头 */
  corsConfiguration.addAllowedHeader("*");
  /* 允许访问的方法名,GET POST等 */
  corsConfiguration.addAllowedMethod("*");
  urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
  return new CorsFilter(urlBasedCorsConfigurationSource);
 }

}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

三、过滤器

在SpringBoot中自定义过滤器的优先级高于WebMvcConfigurer中定义的过滤器

• 自定义Cors过滤器

public class CustomerCorsFilter extends CorsFilter {

    public CustomerCorsFilter() {
        super(configurationSource());
    }

    private static UrlBasedCorsConfigurationSource configurationSource() {
        // CORS授权
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        config.addExposedHeader(HttpHeaders.SET_COOKIE);
        config.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
                return source;
    }

}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

• 配置类指定过滤器优先级

@Configuration
public class FilterConfig {

    @Bean
    public Filter authFilter(){
        return new AuthFilter();
    }


    /**
     * WARNING ：跨域过滤器，注意执行顺序，必须要在AuthFilter过滤器之后
     * @return
     */
    @Bean
    public FilterRegistrationBean corsFilterRegistration() {

        FilterRegistrationBean registration = new FilterRegistrationBean();
        //添加过滤器
        registration.setFilter(new CustomerCorsFilter());
        List<String> urlList = new ArrayList<>();
        urlList.add("/*");
        //设置过滤路径，/*所有路径
        registration.setUrlPatterns(urlList);
        //添加默认参数
        registration.setName("CorsFilter");
        //设置优先级
        registration.setOrder(-1);
        return registration;
    }


    @Bean
    public FilterRegistrationBean authFilterRegistration() {

        FilterRegistrationBean registration = new FilterRegistrationBean();
        //添加过滤器
        registration.setFilter(authFilter());
        List<String> urlList = new ArrayList<>();
        urlList.add("/*");
        //设置过滤路径，/*所有路径
        registration.setUrlPatterns(urlList);
        //添加默认参数
        registration.setName("authFilter");
        //设置优先级
        registration.setOrder(1);
        return registration;
    }

}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

order的顺序越小优先级越高。

四、nginx反向代理做api转发

• http://a.a.com:81/A中想访问http://b.b.com:81/B

server {
        listen       80;
        server_name  www.my.com;
        location /A {
            proxy_pass  http://a.a.com:81/A;
            index  index.html index.htm;
        }
        location /B {
            proxy_pass  http://b.b.com:81/B;
            index  index.html index.htm;
        }
    }
1
2
3
4
5
6
7
8
9
10
11
12

其他的可以了解下java后端解决跨域问题