tomcat CORS跨域资源共享漏洞
warning:
这篇文章距离上次修改已过266天,其中的内容可能已经有所变动。
CORS跨域资源共享(Cross-Origin Resource Sharing, CORS)是一种机制,它使用额外的HTTP头来告诉浏览器跨域的网页上的资源应该如何被加载。如果配置不当,可能会导致安全问题,比如Tomcat CORS跨域资源共享漏洞。
解决方法:
- 在Tomcat的配置文件中设置CORS过滤器,以指定哪些域可以访问资源,以及允许哪些HTTP方法和头信息。
示例配置(在web.xml中添加):
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, POST, HEAD</param-value>
</init-param>
<init-param>
<param-name>cors.supportedHeaders</param-name>
<param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified</param-value>
</init-param>
<init-param>
<param-name>cors.exposedHeaders</param-name>
<param-value>Set-Cookie</param-value>
</init-param>
<init-param>
<param-name>cors.supportsCredentials</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>- 使用Tomcat的安全库
catalina.jar中的org.apache.catalina.filters.CorsFilter类。
示例配置(在web.xml中添加):
<filter>
<filter-name>CORS</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET, POST, HEAD, OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers</pa
评论已关闭