Skip to content

Commit 22f0ecd

Browse files
JoyChou93JoyChou93
committed
add cors security code
1 parent 9821216 commit 22f0ecd

File tree

7 files changed

+159
-9
lines changed

7 files changed

+159
-9
lines changed

java-sec-code.iml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -181,8 +181,8 @@
181181
<orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
182182
<orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
183183
<orderEntry type="library" name="Maven: org.apache.poi:poi:3.10-FINAL" level="project" />
184-
<orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.10-FINAL" level="project" />
185-
<orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.10-FINAL" level="project" />
184+
<orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml:3.9" level="project" />
185+
<orderEntry type="library" name="Maven: org.apache.poi:poi-ooxml-schemas:3.9" level="project" />
186186
<orderEntry type="library" name="Maven: org.apache.xmlbeans:xmlbeans:2.3.0" level="project" />
187187
<orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
188188
<orderEntry type="library" name="Maven: com.monitorjbl:xlsx-streamer:2.0.0" level="project" />

pom.xml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -206,7 +206,7 @@
206206
<dependency>
207207
<groupId>org.apache.poi</groupId>
208208
<artifactId>poi-ooxml</artifactId>
209-
<version>3.10-FINAL</version>
209+
<version>3.9</version> <!-- 3.10-FINAL -->
210210
</dependency>
211211

212212
<dependency>

src/main/java/org/joychou/config/CorsConfig.java

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
package org.joychou.config;
2+
3+
import org.springframework.context.annotation.Bean;
4+
import org.springframework.context.annotation.Configuration;
5+
import org.springframework.web.servlet.config.annotation.CorsRegistry;
6+
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
7+
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
8+
9+
10+
@Configuration
11+
public class CorsConfig
12+
{
13+
@Bean
14+
public WebMvcConfigurer corsConfigurer()
15+
{
16+
return new WebMvcConfigurerAdapter() {
17+
@Override
18+
public void addCorsMappings(CorsRegistry registry) {
19+
// 设置cors origin白名单。区分http和https,并且默认不会拦截同域请求。
20+
String[] allowOrigins = {"http://test.joychou.org", "https://test.joychou.org"};
21+
22+
registry.addMapping("/cors/sec/webMvcConfigurer")
23+
.allowedOrigins(allowOrigins)
24+
.allowedMethods("GET", "POST")
25+
.allowCredentials(true);
26+
}
27+
};
28+
}
29+
}

src/main/java/org/joychou/config/CorsConfig2.java

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
//package org.joychou.config;
2+
//
3+
//import org.springframework.boot.web.servlet.FilterRegistrationBean;
4+
//import org.springframework.context.annotation.Bean;
5+
//import org.springframework.context.annotation.Configuration;
6+
//import org.springframework.web.cors.CorsConfiguration;
7+
//import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
8+
//import org.springframework.web.filter.CorsFilter;
9+
//
10+
//@Configuration
11+
//public class CorsConfig2 {
12+
//
13+
// @Bean
14+
// public FilterRegistrationBean corsFilter() {
15+
// UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
16+
// CorsConfiguration config = new CorsConfiguration();
17+
// config.setAllowCredentials(true);
18+
// config.addAllowedOrigin("http://test.joychou.org");
19+
// config.addAllowedOrigin("https://test.joychou.org");
20+
// config.addAllowedHeader("*");
21+
// config.addAllowedMethod("GET");
22+
// config.addAllowedMethod("POST");
23+
// source.registerCorsConfiguration("/cors/getCsrfToken/sec_03", config);
24+
// FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
25+
// bean.setOrder(0);
26+
// return bean;
27+
// }
28+
//}

src/main/java/org/joychou/controller/CORS.java

Lines changed: 35 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
package org.joychou.controller;
22

33
import org.joychou.security.SecurityUtil;
4+
import org.springframework.security.web.csrf.CsrfToken;
45
import org.springframework.web.bind.annotation.CrossOrigin;
56
import org.springframework.web.bind.annotation.RequestMapping;
67
import org.joychou.controller.jsonp.JSONP;
@@ -22,31 +23,59 @@ public class CORS {
2223
protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
2324
protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
2425

25-
@RequestMapping("/vuls1")
26+
@RequestMapping("/vuln/origin")
2627
private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
27-
// 获取Header中的Origin
2828
String origin = request.getHeader("origin");
2929
response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
3030
response.setHeader("Access-Control-Allow-Credentials", "true"); // cookie
3131
return info;
3232
}
3333

34-
@RequestMapping("/vuls2")
34+
@RequestMapping("/vuln/setHeader")
3535
private static String vuls2(HttpServletResponse response) {
36-
// 不建议设置为*
3736
// 后端设置Access-Control-Allow-Origin为*的情况下,跨域的时候前端如果设置withCredentials为true会异常
3837
response.setHeader("Access-Control-Allow-Origin", "*");
3938
return info;
4039
}
4140

41+
4242
@CrossOrigin("*")
43-
@RequestMapping("/vuls3")
43+
@RequestMapping("/vuln/crossOrigin")
4444
private static String vuls3(HttpServletResponse response) {
4545
return info;
4646
}
4747

4848

49-
@RequestMapping("/sec")
49+
/**
50+
* http://localhost:8080/cors/sec/webMvcConfigurer
51+
* https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
52+
*/
53+
@RequestMapping("/sec/webMvcConfigurer")
54+
public CsrfToken getCsrfToken_01(CsrfToken token) {
55+
return token;
56+
}
57+
58+
59+
/**
60+
* https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
61+
*/
62+
@RequestMapping("/sec/httpCors")
63+
public CsrfToken getCsrfToken_02(CsrfToken token) {
64+
return token;
65+
}
66+
67+
68+
/**
69+
* https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
70+
*/
71+
@RequestMapping("/sec/corsFitler")
72+
public CsrfToken getCsrfToken_03(CsrfToken token) {
73+
return token;
74+
}
75+
76+
77+
// http://localhost:8080/cors/sec/checkOrigin
78+
@RequestMapping("/sec/checkOrigin")
5079
public String seccode(HttpServletRequest request, HttpServletResponse response) {
5180
String origin = request.getHeader("Origin");
5281

src/main/java/org/joychou/filter/SecCorsFilter.java

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
package org.joychou.filter;
2+
3+
import org.springframework.core.Ordered;
4+
import org.springframework.core.annotation.Order;
5+
import org.springframework.stereotype.Component;
6+
import org.springframework.web.cors.CorsConfiguration;
7+
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
8+
import org.springframework.web.filter.CorsFilter;
9+
10+
/**
11+
* 由于CorsFilter和spring security冲突,所以改为下面的代码。
12+
* CorsFilter可以参考config/CorsConfig2的代码。
13+
*/
14+
@Component
15+
@Order(Ordered.HIGHEST_PRECEDENCE)
16+
public class SecCorsFilter extends CorsFilter {
17+
18+
public SecCorsFilter() {
19+
super(configurationSource());
20+
}
21+
22+
private static UrlBasedCorsConfigurationSource configurationSource() {
23+
CorsConfiguration config = new CorsConfiguration();
24+
config.setAllowCredentials(true);
25+
config.addAllowedOrigin("http://test.joychou.org");
26+
config.addAllowedOrigin("https://test.joychou.org");
27+
config.addAllowedHeader("*");
28+
config.addAllowedMethod("GET");
29+
config.addAllowedMethod("POST");
30+
31+
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
32+
source.registerCorsConfiguration("/cors/sec/corsFitler", config);
33+
34+
return source;
35+
}
36+
}

src/main/java/org/joychou/security/WebSecurityConfig.java

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,14 +2,20 @@
22

33
import org.springframework.beans.factory.annotation.Autowired;
44
import org.springframework.beans.factory.annotation.Value;
5+
import org.springframework.context.annotation.Bean;
56
import org.springframework.context.annotation.Configuration;
67
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
78
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
89
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
910
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
1011
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
1112
import org.springframework.security.web.util.matcher.RequestMatcher;
13+
import org.springframework.web.cors.CorsConfiguration;
14+
import org.springframework.web.cors.CorsConfigurationSource;
15+
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
16+
1217
import javax.servlet.http.HttpServletRequest;
18+
import java.util.ArrayList;
1319
import java.util.Arrays;
1420
import java.util.HashSet;
1521

@@ -58,6 +64,8 @@ protected void configure(HttpSecurity http) throws Exception {
5864
http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
5965
// http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
6066

67+
http.cors();
68+
6169
// spring security login settings
6270
http.authorizeRequests()
6371
.antMatchers("/css/**", "/js/**").permitAll() // permit static resources
@@ -69,6 +77,26 @@ protected void configure(HttpSecurity http) throws Exception {
6977
.rememberMe(); // tomcat默认JSESSION会话有效时间为30分钟,所以30分钟不操作会话将过期。为了解决这一问题,引入rememberMe功能。
7078
}
7179

80+
/**
81+
* Global cors configure
82+
*/
83+
@Bean
84+
CorsConfigurationSource corsConfigurationSource()
85+
{
86+
// Set cors origin white list
87+
ArrayList<String> allowOrigins = new ArrayList<String>();
88+
allowOrigins.add("http://test.joychou.org");
89+
allowOrigins.add("https://test.joychou.org"); // 区分http和https,并且默认不会拦截同域请求。
90+
91+
CorsConfiguration configuration = new CorsConfiguration();
92+
configuration.setAllowedOrigins(allowOrigins);
93+
configuration.setAllowCredentials(true);
94+
configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
95+
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
96+
source.registerCorsConfiguration("/cors/sec/httpCors", configuration); // ant style
97+
return source;
98+
}
99+
72100
@Autowired
73101
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
74102
auth

0 commit comments

Comments
 (0)