我希望我的 CorsFilter 执行以下操作:
// populating the header required for CORS
response.addHeader(
"Access-Control-Allow-Origin",
"https://*.myDomain.com");
整个想法是允许以下域发出请求: sub1.myDomain.com, sub2.myDomain.com, sub3.myDomain.com .... sub100.myDomain.com
这对我不起作用。我怎样才能实现这个目标?我试过了:
response.addHeader(
"Access-Control-Allow-Origin",
"*.myDomain.com");
也没有成功。
此用例现在直接由 CorsConfiguration.setAllowedOriginPatterns 支持。
修改文档示例以匹配您的问题,这可能是:
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(Arrays.asList("https://*.myDomain.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
值得注意的是,像这样的通配符仍然不是 CORS 标准的一部分。相反,这是一个 Spring 机制,用于在您的模式上返回符合 CORS 的标头值based。
例如如果您现在从
Origin=https://subdomain.myDomain.com
拨打电话,响应将包含标头 Access-Control-Allow-Origin=https://subdomain.myDomain.com
。
我也有类似的问题,答案是肯定的。
这是我的解决方案(基于origin标头处理Access-Control-Allow-Origin)
1。从“origin”标头解析主机
// origin
String origin = request.getHeader("Origin");
URL originUrl = null;
try {
originUrl = new URL(origin);
} catch (MalformedURLException ex) {
}
// originUrl.getHost() -> Return the host need to be verified
2。检查originUrl.getHost()
// Allow myDomain.com
// Or anySubDomain.myDomain.com
// Or subSub.anySubDomain.myDomain.com
// hostAllowedPattern
Pattern hostAllowedPattern = Pattern.compile("(.+\\.)*myDomain\\.com", Pattern.CASE_INSENSITIVE);
// Allow host?
if (hostAllowedPattern.matcher(originUrl.getHost()).matches()) {
response.addHeader("Access-Control-Allow-Origin", origin);
} else {
// Throw 403 status OR send default allow
response.addHeader("Access-Control-Allow-Origin", "https://my_domain.com");
}
3.结果:
// If 'origin': https://sub1.myDomain.com --> Matched
Access-Control-Allow-Origin: https://sub1.myDomain.com
// If 'origin': https://sub2.myDomain.com --> Matched
Access-Control-Allow-Origin: https://sub2.myDomain.com
// If 'origin': https://notAllowDomain.com --> Not Matched
Access-Control-Allow-Origin: https://my_domain.com
4。其他:
You need to verify scheme & port too.
不能,它要么是完整域,
null
,要么全部:*
。
就像规范所说: http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
在 Spring Boot 上,这适用于多个域。
参考 - https://docs.spring.io/spring-security/site/docs/5.4.2/reference/html5/#cors
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${cross-origin-domains:https://example1.com,https://example2.com}")
private List<String> crossOriginDomains;
@Value("${cross-origin.paths:/path1/**,/path2/**}")
private List<String> crossOriginPaths;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors(withDefaults())
.
//Any other configuration you need
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(this.crossOriginDomains);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
for (String api : this.crossOriginPaths) {
source.registerCorsConfiguration(api, configuration);
}
return source;
}
}
在
application.properties
或Consul
中,您可以拥有这些配置和值
ccc.cross-origin.domains=https://example1.com,https://example3.com
ccc.cross-origin.paths=/path1/**,/path2/**,/path3/**