Inicio Explorar Ayuda
Registro Iniciar sesión
wangyu
/
post-check-api
Seguir 1
Destacar 0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Explorar el Código

漏洞修复

zjs hace 1 semana
padre
056bbf1f86
commit
368b73a31a
Se han modificado 1 ficheros con 17 adiciones y 16 borrados
Dividir vista Mostrar estadísticas de diff
  1. 17 16
      ruoyi-common/src/main/java/com/ruoyi/common/filter/RestCorsFilter.java

+ 17 - 16
ruoyi-common/src/main/java/com/ruoyi/common/filter/RestCorsFilter.java
Ver fichero 

@@ -24,27 +24,28 @@ public class RestCorsFilter implements Filter {
24 24 
         HttpServletResponse response = (HttpServletResponse) res;
25 25 
         HttpServletRequest request = (HttpServletRequest) req;
26 26
27 
-//        岗检服务器IP:10.152.72.7,访问时就是直接IP没有域名
28 
-//        1、统一登录的地址(甲方系统):http://10.152.70.21:8080/cas/login
29 
-//        2、岗检系统前端页面Nginx(统一登录成功后的跳转地址):http://10.152.72.5:8181/postcheck
30 
-//        3、岗检系统后端接口:http://10.152.72.7:8180
31 
-        String[] allowDomain = {"http://10.152.70.21:8080"//CAS服务器
32 
-                , "http://10.152.72.7:8181"//岗检前端Nginx
33 
-                , "*.connc.*"
34 
-                //TODO 打包屏蔽-甲方部署时注释:甲方不需要本地登录功能采用单点登录
35 
-//                , "http://192.168.3.32:81"//前端开发
36 
-//                , "http://101.42.248.108:17003"//前端开发
37 
-//                , "http://localhost"//前端开发
27 
+        // 允许的来源
28 
+        String[] allowDomain = {
29 
+                "http://10.152.70.21:8080", // CAS服务器
30 
+                "http://10.152.72.7:8181" ,// 岗检前端Nginx
31 
+               // "*.cnooc.*"
32 
+                // TODO 打包屏蔽-甲方部署时注释:甲方不需要本地登录功能采用单点登录
33 
+                "http://192.168.3.32:81"  // 前端开发
38 34 
         };
39 35 
         Set<String> allowedOrigins = new HashSet<>(Arrays.asList(allowDomain));
40 
-        String originHeader = request.getHeader("Origin");//http://IP:port
36 
+        String originHeader = request.getHeader("Origin");
37 
+
41 38 
         if (allowedOrigins.contains(originHeader)) {
42 39 
             response.setHeader("Access-Control-Allow-Origin", originHeader);
40 
+            response.setHeader("Access-Control-Allow-Credentials", "true");
41 
+            response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE, PUT");
42 
+            response.setHeader("Access-Control-Max-Age", "31536000");
43 
+            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With");
44 
+        } else {
45 
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
46 
+            return;
43 47 
         }
44 
-        response.setHeader("Access-Control-Allow-Credentials", "true");
45 
-        response.setHeader("Access-Control-Allow-Methods", "POST, GET,DELETE,PUT");
46 
-        response.setHeader("Access-Control-Max-Age", "31536000");
47 
-        response.setHeader("Access-Control-Allow-Headers", "*");
48 
+
48 49 
         if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
49 50 
             response.setStatus(HttpServletResponse.SC_OK);
50 51 
         } else {