Cors 过滤器 - 允许所有子域

问题描述 投票:0回答:4

我希望我的 CorsFilter 执行以下操作:

// populating the header required for CORS
response.addHeader(
           "Access-Control-Allow-Origin",
           "https://*.myDomain.com");

整个想法是允许以下域发出请求: sub1.myDomain.com, sub2.myDomain.com, sub3.myDomain.com .... sub100.myDomain.com

这对我不起作用。我怎样才能实现这个目标?我试过了:

response.addHeader(
           "Access-Control-Allow-Origin",
           "*.myDomain.com");

也没有成功。

java spring cross-domain cors
4个回答
19
投票

此用例现在直接由 CorsConfiguration.setAllowedOriginPatterns 支持。

修改文档示例以匹配您的问题,这可能是:

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOriginPatterns(Arrays.asList("https://*.myDomain.com"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

值得注意的是,像这样的通配符仍然是 CORS 标准的一部分。相反,这是一个 Spring 机制,用于在您的模式上返回符合 CORS 的标头值based

例如如果您现在从 

Origin=https://subdomain.myDomain.com
拨打电话,响应将包含标头 
Access-Control-Allow-Origin=https://subdomain.myDomain.com

16
投票

我也有类似的问题,答案是肯定的。

这是我的解决方案(基于origin标头处理Access-Control-Allow-Origin)

1。从“origin”标头解析主机

    // origin
    String origin = request.getHeader("Origin");

    URL originUrl = null;
    try {
        originUrl = new URL(origin);
    } catch (MalformedURLException ex) {
    }

    // originUrl.getHost() -> Return the host need to be verified

2。检查originUrl.getHost()

    // Allow myDomain.com
    // Or anySubDomain.myDomain.com
    // Or subSub.anySubDomain.myDomain.com

    // hostAllowedPattern 
    Pattern hostAllowedPattern = Pattern.compile("(.+\\.)*myDomain\\.com", Pattern.CASE_INSENSITIVE);

    // Allow host?
    if (hostAllowedPattern.matcher(originUrl.getHost()).matches()) {
        response.addHeader("Access-Control-Allow-Origin", origin);

    } else {
        // Throw 403 status OR send default allow
        response.addHeader("Access-Control-Allow-Origin", "https://my_domain.com");
    }

3.结果:

    // If 'origin': https://sub1.myDomain.com  --> Matched
    Access-Control-Allow-Origin: https://sub1.myDomain.com

    // If 'origin': https://sub2.myDomain.com   --> Matched
    Access-Control-Allow-Origin: https://sub2.myDomain.com

    // If 'origin': https://notAllowDomain.com   --> Not Matched
    Access-Control-Allow-Origin: https://my_domain.com

4。其他:

    You need to verify scheme & port too.
7
投票

不能,它要么是完整域,

null
,要么全部:
*

就像规范所说: http://www.w3.org/TR/cors/#access-control-allow-origin-response-header

0
投票

在 Spring Boot 上,这适用于多个域。

参考 - https://docs.spring.io/spring-security/site/docs/5.4.2/reference/html5/#cors

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${cross-origin-domains:https://example1.com,https://example2.com}")
    private List<String> crossOriginDomains;

    @Value("${cross-origin.paths:/path1/**,/path2/**}")
    private List<String> crossOriginPaths;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors(withDefaults())
        .
        //Any other configuration you need
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(this.crossOriginDomains);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        for (String api : this.crossOriginPaths) {
            source.registerCorsConfiguration(api, configuration);
        }
        return source;
    }

}


application.properties
Consul
中,您可以拥有这些配置和值

ccc.cross-origin.domains=https://example1.com,https://example3.com
ccc.cross-origin.paths=/path1/**,/path2/**,/path3/**
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.