零、前言
接上一篇《Spring Cloud Oauth2 Cors配置方案》
在生产环境中,使用 Access-Control-Allow-Origin:* 的安全性较差,需要限制只能自己的几个业务域名才能跨域访问,原本想把多个域名,用逗号隔开,比如"https://*.hhfate.cn,https://*.reinforce.cn",但是提示 Access-Control-Allow-Origin 只能包含一个域名。
一、实现
在配置文件中设置白名单,名称可以自定义,对应好就行
xy.cors-white-list=http://localhost:9527,http://localhost:9528
通过@Value获取白名单,手动匹配
@Value("${xy.cors-white-list}")
private String whiteList;
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String origin = request.getHeader("origin");
response.setHeader("Access-Control-Allow-Origin", Tools.asList(whiteList.split(",")).contains(origin) ? origin : "-");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, PATCH, DELETE, PUT, OPTIONS");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "*");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
}