java接口白名单,SpringBootHTTP接口跨域调用及白名单实现

java,SpringBootHTTP接⼝跨域调⽤及⽩名单实现背景系统之前为⼀个单页应⽤提供过Rest接⼝，部署时这个单页应⽤与系统不在同⼀域内，出现跨域⽆法访问的问题。Spring从4.2版本开始提供了@CrossOrigin注解，让这个问题的解决变得⾮常简单。实现⼀⾸先看下@CrossOrigin的源码(删掉了开头的部分注释)：packageorg.springframework.web.bind.annotation;importjava.lang.annotation.Documented;importjava.lang.annotation.ElementType;importjava.lang.annotation.Retention;importjava.lang.annotation.RetentionPolicy;importjava.lang.annotation.Target;importorg.springframework.core.annotation.AliasFor;importorg.springframework.web.cors.CorsConfiguration;/***@authorRussellAllen*@authorSebastienDeleuze*@authorSamBrannen*@since4.2*/@Target({ElementType.METHOD,ElementType.TYPE})@Retention(RetentionPolicy.RUNTIME)@Documentedpublic@interfaceCrossOrigin{/***@deprecatedasofSpring4.3.4,infavorofusing{@linkCorsConfiguration#applyPermitDefaultValues}*/@DeprecatedString[]DEFAULT_ORIGINS={"*"};/***@deprecatedasofSpring4.3.4,infavorofusing{@linkCorsConfiguration#applyPermitDefaultValues}*/@DeprecatedString[]DEFAULT_ALLOWED_HEADERS={"*"};/***@deprecatedasofSpring4.3.4,infavorofusing{@linkCorsConfiguration#applyPermitDefaultValues}*/@DeprecatedbooleanDEFAULT_ALLOW_CREDENTIALS=true;/***@deprecatedasofSpring4.3.4,infavorofusing{@linkCorsConfiguration#applyPermitDefaultValues}*/@DeprecatedlongDEFAULT_MAX_AGE=1800;/***Aliasfor{@link#origins}.*/@AliasFor("origins")String[]value()default{};/***Listofallowedorigins,e.g.{@code""}.*Thesevaluesareplacedinthe{@codeAccess-Control-Allow-Origin}*headerofboththepre-flightresponseandtheactualresponse.*{@code"*"}meansthatalloriginsareallowed.*Ifundefined,alloriginsareallowed.*@see#value*/@AliasFor("value")String[]origins()default{};/***Listofrequestheadersthatcanbeusedduringtheactualrequest.*Thispropertycontrolsthevalueofthepre-flightresponse's*{@codeAccess-Control-Allow-Headers}header.*{@code"*"}meansthatallheadersrequestedbytheclientareallowed.*Ifundefined,allrequestedheadersareallowed.*/String[]allowedHeaders()default{};/***Listofresponseheadersthattheuser-agentwillallowtheclienttoaccess.*Thispropertycontrolsthevalueofactualresponse's*{@codeAccess-Control-Expose-Headers}header.*Ifundefined,anemptyexposedheaderlistisused.*/String[]exposedHeaders()default{};/***ListofsupportedHTTPrequestmethods,e.g.*{@code"{RequestMethod.GET,RequestMethod.POST}"}.*Methodsspecifiedhereoverridethosespecifiedvia{@codeRequestMapping}.*Ifundefined,methodsdefinedby{@linkRequestMapping}annotation*areused.*/RequestMethod[]methods()default{};/***Whetherthebrowsershouldincludeanycookiesassociatedwiththe*domainoftherequestbeingannotated.*Setto{@code"false"}ifsuchcookiesshouldnotincluded.undefined*Anemptystring({@code""})means.*{@code"true"}meansthatthepre-flightresponsewillincludetheheader*{@codeAccess-Control-Allow-Credentials=true}.*Ifundefined,credentialsareallowed.*/StringallowCredentials()default"";/***Themaximumage(inseconds)ofthecachedurationforpre-flightresponses.*Thispropertycontrolsthevalueofthe{@codeAccess-Control-Max-Age}*headerinthepre-flightresponse.*Settingthistoareasonablevaluecanreducethenumberofpre-flight*request/responseinteractionsrequiredbythebrowser.undefined*Anegativevaluemeans*.Ifundefined,maxageissetto{@code1800}seconds(i.e.,30minutes).*/longmaxAge()default-1;}从上⾯源码中可以看到，@CrossOrigin注解⽀持⽤于类和⽅法，访问IP默认为不限制，预检请求的有效期默认为1800秒，所以如不需指定IP和有效期，直接给需要⽀持跨域的类或⽅法添加注解即可：@CrossOriginpublicJSONObjectmyMethod(...){...}但是事情肯定不会这么简单。。。实现⼆真正的需求是要通过配置⽂件配置IP⽩名单，⽩名单内允许跨域访问。然鹅，由于注解的参数⽆法动态赋值，IP地址这种参数也不能硬编码，所以@CrossOrigin就被我⽆情的抛弃了，转⽽通过Filter来实现：importorg.springframework.beans.factory.annotation.Value;importorg.springframework.boot.web.servlet.ServletComponentScan;importorg.springframework.stereotype.Component;importjavax.servlet.Filter;importjavax.servlet.FilterChain;importjavax.servlet.FilterConfig;importjavax.servlet.ServletException;importjavax.servlet.ServletRequest;importjavax.servlet.ServletResponse;importjavax.servlet.annotation.WebFilter;importjavax.servlet.http.HttpServletResponse;importjava.io.IOException;@Component@ServletComponentScan@WebFilter(urlPatterns="/*",filterName="domainFilter")publicclassDomainFilterimplementsFilter{@Value("${allow-origin}")privateStringdomain;@Overridepublicvoidinit(FilterConfigfilterConfig)throwsServletException{}@OverridepublicvoiddoFilter(ServletRequestservletRequest,ServletResponseservletResponse,FilterChainfilterChain)throwsIOException,ServletException{HttpServletResponseresponse=(HttpServletResponse)servletResponse;if(!domain.startsWith("http://")&&!domain.startsWith("https://")){domain="http://"+domain;}response.setHeader("Access-Control-Allow-Origin",domain);response.setHeader("Access-Control-Allow-Methods","POST,GET,OPTIONS,DELETE");response.setHeader("Access-Control-Max-Age",