安全扫描，referer只排除common接口

3 weeks ago · 6c642ef0ba
1 changed files with 25 additions and 15 deletions
--- a/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
+++ b/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
@ -50,8 +50,12 @@ public class CrosXssFilter implements Filter {
                	HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                	HttpServletRequest httpRequest = (HttpServletRequest) request;
                    String requestUri = httpRequest.getRequestURI();
                    // 当 URL 不包含 /common/ 时，校验 Referer
                    if (!requestUri.contains("/common/")) {
                        String referer = httpRequest.getHeader("Referer");
-                    if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) {
+                        if (StringUtils.isNotBlank(referer)){
                            if(!"*".equals(accessControlAllowOrigin)){
                                // 允许多个域名，逗号分隔
                                String[] allowedOrigins = accessControlAllowOrigin.split(",");
                                boolean matched = false;
@ -69,6 +73,12 @@ public class CrosXssFilter implements Filter {
                                    return;
                                }
                            }
                        } else {
                            logger.error("Referer required....");
                            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
                            return;
                        }
                    }
                    httpServletResponse.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");