java Cors 过滤器 - 允许所有子域
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/27147737/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Cors Filter - Allow all sub domains
提问by Urbanleg
I would like my CorsFilter to do the following:
我希望我的 CorsFilter 执行以下操作:
// populating the header required for CORS
response.addHeader(
"Access-Control-Allow-Origin",
"https://*.myDomain.com");
The whole idea is to allow the following domains to make a request: sub1.myDomain.com, sub2.myDomain.com, sub3.myDomain.com .... sub100.myDomain.com
整个想法是允许以下域发出请求:sub1.myDomain.com、sub2.myDomain.com、sub3.myDomain.com .... sub100.myDomain.com
This didn't work for me. How can I achieve this? Iv'e tried:
这对我不起作用。我怎样才能做到这一点?我试过了:
response.addHeader(
"Access-Control-Allow-Origin",
"*.myDomain.com");
as well with no success.
也没有成功。
回答by Loc
I am having the similar question and the answer is Yes.
我有类似的问题,答案是肯定的。
Here is my solution ( Handling Access-Control-Allow-Origin based on the origin header)
这是我的解决方案(根据原始标头处理 Access-Control-Allow-Origin)
1. Parse host from the 'origin' header
1.从'origin'头解析主机
// origin
String origin = request.getHeader("Origin");
URL originUrl = null;
try {
originUrl = new URL(origin);
} catch (MalformedURLException ex) {
}
// originUrl.getHost() -> Return the host need to be verified
2. Check originUrl.getHost()
2. 检查 originUrl.getHost()
// Allow myDomain.com
// Or anySubDomain.myDomain.com
// Or subSub.anySubDomain.myDomain.com
// hostAllowedPattern
Pattern hostAllowedPattern = Pattern.compile("(.+\.)*myDomain\.com", Pattern.CASE_INSENSITIVE);
// Allow host?
if (hostAllowedPattern.matcher(originUrl.getHost()).matches()) {
response.addHeader("Access-Control-Allow-Origin", origin);
} else {
// Throw 403 status OR send default allow
response.addHeader("Access-Control-Allow-Origin", "https://my_domain.com");
}
3. Result:
3. 结果:
// If 'origin': https://sub1.myDomain.com --> Matched
Access-Control-Allow-Origin: https://sub1.myDomain.com
// If 'origin': https://sub2.myDomain.com --> Matched
Access-Control-Allow-Origin: https://sub2.myDomain.com
// If 'origin': https://notAllowDomain.com --> Not Matched
Access-Control-Allow-Origin: https://my_domain.com
4. Others:
4. 其他:
You need to verify scheme & port too.
回答by Paulius Matulionis
You can't, it's either full domain, nullor all: *.
你不能,它要么是完整的域,null要么是全部:*。
Like spec says: http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
就像规范说的:http: //www.w3.org/TR/cors/#access-control-allow-origin-response-header
