0. Preface
This continues the previous post, "Spring Cloud OAuth2 CORS Configuration Scheme" (《Spring Cloud Oauth2 Cors配置方案》).
In production, Access-Control-Allow-Origin: * is weak from a security standpoint; cross-origin access should be restricted to a handful of our own business domains. My first idea was to list several domains separated by commas, e.g. "https://*.hhfate.cn,https://*.reinforce.cn", but the browser reports that Access-Control-Allow-Origin may contain only a single origin.
1. Implementation
Define the whitelist in the configuration file. The property name is up to you, as long as the code reads the same key:
xy.cors-white-list=http://localhost:9527,http://localhost:9528
Read the whitelist with @Value and match the request's Origin against it by hand:
import java.io.IOException;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

// Class name is assumed; the original snippet shows only the field and doFilter().
@Component
public class CorsWhiteListFilter implements Filter {

    // Comma-separated allowed origins, e.g. http://localhost:9527,http://localhost:9528
    @Value("${xy.cors-white-list}")
    private String whiteList;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("origin");
        // Echo the Origin only when it appears verbatim in the whitelist; otherwise
        // send "-", which no browser will accept as a matching origin.
        // Arrays.asList (JDK) stands in for the project's Tools.asList helper.
        response.setHeader("Access-Control-Allow-Origin",
                Arrays.asList(whiteList.split(",")).contains(origin) ? origin : "-");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PATCH, DELETE, PUT, OPTIONS");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "*");
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            // Preflight request: answer 200 directly without invoking the rest of the chain.
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }
}
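The filter above compares the Origin header with the whitelist entries as exact strings, so a wildcard entry such as the "https://*.hhfate.cn" mentioned in the preface would never match. The following matcher is an added example (not code from the original post) that parses each whitelist entry into scheme, host and effective port and supports a leading "*." for subdomains, while matching on whole host labels so that a look-alike host like "https://hhfate.cn.evil.test" is still rejected. The class name CorsOriginMatcher and its methods fromProperty() and allows() are assumptions for this example; the whitelist values mix the post's localhost entries with its hhfate.cn domain, and the probe origins in main() are constructed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/**
 * Added example: matches a request Origin against a whitelist of exact origins
 * (http://localhost:9527) and wildcard-subdomain entries (https://*.hhfate.cn).
 * Matching is by scheme, host labels and effective port, never by substring.
 */
public final class CorsOriginMatcher {

    /** One parsed whitelist entry; for wildcard rules, host is the suffix after "*.". */
    private static final class Rule {
        final String scheme;
        final String host;
        final int port;
        final boolean wildcard;

        Rule(String scheme, String host, int port, boolean wildcard) {
            this.scheme = scheme;
            this.host = host;
            this.port = port;
            this.wildcard = wildcard;
        }

        boolean matches(String scheme, String host, int port) {
            if (!this.scheme.equals(scheme) || this.port != port) return false;
            if (!wildcard) return this.host.equals(host);
            // a wildcard rule requires at least one label in front of the suffix
            return host.endsWith("." + this.host) && host.length() > this.host.length() + 1;
        }
    }

    private final List<Rule> rules;

    private CorsOriginMatcher(List<Rule> rules) {
        this.rules = Collections.unmodifiableList(rules);
    }

    /** Builds a matcher from a comma-separated property such as xy.cors-white-list. */
    public static CorsOriginMatcher fromProperty(String csv) {
        List<Rule> rules = new ArrayList<>();
        for (String raw : csv.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            String[] parts = splitOrigin(entry);
            if (parts == null) throw new IllegalArgumentException("bad whitelist entry: " + entry);
            boolean wildcard = parts[1].startsWith("*.");
            String host = wildcard ? parts[1].substring(2) : parts[1];
            rules.add(new Rule(parts[0], host, Integer.parseInt(parts[2]), wildcard));
        }
        return new CorsOriginMatcher(rules);
    }

    /** Returns true when the Origin header value is on the whitelist. */
    public boolean allows(String origin) {
        if (origin == null) return false;
        String[] parts = splitOrigin(origin.trim());
        if (parts == null) return false; // "null", malformed, or carries a path
        int port = Integer.parseInt(parts[2]);
        for (Rule r : rules) {
            if (r.matches(parts[0], parts[1], port)) return true;
        }
        return false;
    }

    /** Splits "scheme://host[:port]" into {scheme, host, port}; returns null for anything else. */
    private static String[] splitOrigin(String origin) {
        String lower = origin.toLowerCase(Locale.ROOT);
        int schemeEnd = lower.indexOf("://");
        if (schemeEnd <= 0) return null;
        String scheme = lower.substring(0, schemeEnd);
        String hostPort = lower.substring(schemeEnd + 3);
        if (hostPort.isEmpty() || hostPort.indexOf('/') >= 0) return null; // a serialized origin has no path
        String host = hostPort;
        int port;
        int colon = hostPort.lastIndexOf(':');
        if (colon > hostPort.lastIndexOf(']')) { // explicit port (bracketed IPv6 hosts keep their colons)
            host = hostPort.substring(0, colon);
            try {
                port = Integer.parseInt(hostPort.substring(colon + 1));
            } catch (NumberFormatException e) {
                return null;
            }
        } else if (scheme.equals("https")) {
            port = 443;
        } else if (scheme.equals("http")) {
            port = 80;
        } else {
            return null;
        }
        if (host.isEmpty()) return null;
        return new String[] { scheme, host, Integer.toString(port) };
    }

    public static void main(String[] args) {
        // constructed sample whitelist: the post's localhost entries plus a wildcard subdomain rule
        CorsOriginMatcher m = fromProperty("http://localhost:9527,http://localhost:9528,https://*.hhfate.cn");
        String[] probes = {
            "http://localhost:9527",       // allowed: exact match
            "http://localhost:9529",       // denied: port not listed
            "https://app.hhfate.cn",       // allowed: wildcard subdomain
            "https://app.hhfate.cn:443",   // allowed: explicit default port
            "https://hhfate.cn",           // denied: wildcard needs a subdomain
            "https://hhfate.cn.evil.test", // denied: suffix look-alike
            "null",                        // denied: opaque origin
        };
        for (String p : probes) System.out.println(p + " -> " + m.allows(p));
    }
}
```

To use it from the filter, build the matcher once from the injected whiteList string and replace the contains() check with matcher.allows(origin). When the origin is allowed, also send Vary: Origin, because a response that echoes the Origin must not be served from a shared cache to a different origin; when it is not allowed, omitting Access-Control-Allow-Origin entirely is cleaner than sending "-". Note as well that with Access-Control-Allow-Credentials: true browsers treat Access-Control-Allow-Headers: * as the literal header name "*" rather than a wildcard, so credentialed requests need the actual header names listed.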