一、实现Filter接口 + @WebFilter注解
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @Author ds
* @Date 2022-06-15
*/
@Order(1)
@Component
@WebFilter(filterName = "corsFilter" , urlPatterns = "/*")
public class CorsFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
System.out.println("过滤器初始化");
// 过滤器初始化
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
if (servletRequest instanceof HttpServletRequest) {
System.out.println("过滤器");
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
String origin = ((HttpServletRequest) servletRequest).getHeader("Origin");
httpServletResponse.setHeader("Access-Control-Allow-Origin", origin);
//允许跨域的请求方式
httpServletResponse.setHeader("Access-Control-Allow-Methods", "POST, GET");
//预检请求的间隔时间
httpServletResponse.setHeader("Access-Control-Max-Age", "3600");
//允许跨域请求携带的请求头
httpServletResponse.setHeader("Access-Control-Allow-Headers", "x-auth-token,Origin,Access-Token,X-Requested-With,Content-Type, Accept,token");
//若要返回cookie、携带seesion等信息则将此项设置我true
httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
//简称为HSTS。它允许一个HTTPS网站,要求浏览器总是通过HTTPS来访问它
httpServletResponse.setHeader("strict-transport-security", "max-age=16070400; includeSubDomains");
//这个响应头主要是用来定义页面可以加载哪些资源,减少XSS的发生
httpServletResponse.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'self'; object-src 'none'");
//互联网上的资源有各种类型,通常浏览器会根据响应头的Content-Type字段来分辨它们的类型。通过这个响应头可以禁用浏览器的类型猜测行为
httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
//1; mode=block:启用XSS保护,并在检查到XSS攻击时,停止渲染页面
httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");
//SAMEORIGIN:不允许被本域以外的页面嵌入
httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
}
filterChain.doFilter(servletRequest, servletResponse);
}
@Override
public void destroy() {
// 过滤器销毁
}
}
二、启动类加注解 @ServletComponentScan
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.TimeZone;
import javax.annotation.PostConstruct;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.env.Environment;
@ServletComponentScan
@SpringBootApplication
public class MasterApplication {
public static void main(String[] args) throws UnknownHostException {
TimeZone.setDefault(TimeZone.getTimeZone("Asia/Shanghai"));
// SpringApplication.run(MasterApplication.class, args);
ConfigurableApplicationContext application = SpringApplication.run(MasterApplication.class, args);
Environment environment = application.getEnvironment();
String applicationName = environment.getProperty("spring.application.name");
String localHost = InetAddress.getLocalHost().getHostAddress();
String port = environment.getProperty("server.port");
String contextPath = environment.getProperty("server.servlet.context-path");
System.out.println("ServletInitializer 启动:" + applicationName);
System.out.println("----------------------------------------------------------");
System.out.println("\t\t http://" + localHost + ":" + port + "" + contextPath + "");
System.out.println("\t\t http://" + localHost + ":" + port + "" + contextPath + "/doc.html");
System.out.println("----------------------------------------------------------");
}
@PostConstruct
void setDefaultTimezone() {
TimeZone.setDefault(TimeZone.getTimeZone("Asia/Shanghai"));
}
}
