如何在 Wildfly 10 中允许多个不同的来源
How to allow several different origins in Wildfly 10
我的目标是允许多个 但不是全部 来源将 http 请求发送到我的 Wildfly 10。我已经搜索了 Whosebug,但到目前为止还没有找到关于这个主题的任何内容。互联网上的人们都建议使用通配符,但这实际上可能是一个安全漏洞。是的,Access-Control-Allow-Origin 的通配符确实有效,但我不想只允许任何来源。我已经为 undertow 子系统尝试了这个 standalone.xml 部分(未成功):
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" max-post-size="314572800" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<filter-ref name="Access-Control-Allow-Origin-header1"/>
<filter-ref name="Access-Control-Allow-Origin-header2"/>
<filter-ref name="Access-Control-Allow-Origin-header3"/>
<filter-ref name="Access-Control-Allow-Methods-header"/>
<filter-ref name="Access-Control-Allow-Headers-header"/>
<filter-ref name="Access-Control-Allow-Credentials-header"/>
<filter-ref name="Access-Control-Max-Age-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="Access-Control-Allow-Origin-header1" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.24:*"/>
<response-header name="Access-Control-Allow-Origin-header2" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.21:*"/>
<response-header name="Access-Control-Allow-Origin-header3" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.22:*"/>
<response-header name="Access-Control-Allow-Methods-header" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/>
<response-header name="Access-Control-Allow-Headers-header" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
<response-header name="Access-Control-Allow-Credentials-header" header-name="Access-Control-Allow-Credentials" header-value="true"/>
<response-header name="Access-Control-Max-Age-header" header-name="Access-Control-Max-Age" header-value="1"/>
</filters>
</subsystem>
我做错了什么?
这个很好的 article 正在解释一种方法,使用 Undertow expression-filter 针对一些白名单域验证来源(建模为 multi-valued|-分隔列表):
<property name=”cors.whitelist” value=”http://domainA|http://domainB"/>
所有学分归文章作者:-)
我的目标是允许多个 但不是全部 来源将 http 请求发送到我的 Wildfly 10。我已经搜索了 Whosebug,但到目前为止还没有找到关于这个主题的任何内容。互联网上的人们都建议使用通配符,但这实际上可能是一个安全漏洞。是的,Access-Control-Allow-Origin 的通配符确实有效,但我不想只允许任何来源。我已经为 undertow 子系统尝试了这个 standalone.xml 部分(未成功):
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" max-post-size="314572800" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<filter-ref name="Access-Control-Allow-Origin-header1"/>
<filter-ref name="Access-Control-Allow-Origin-header2"/>
<filter-ref name="Access-Control-Allow-Origin-header3"/>
<filter-ref name="Access-Control-Allow-Methods-header"/>
<filter-ref name="Access-Control-Allow-Headers-header"/>
<filter-ref name="Access-Control-Allow-Credentials-header"/>
<filter-ref name="Access-Control-Max-Age-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="Access-Control-Allow-Origin-header1" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.24:*"/>
<response-header name="Access-Control-Allow-Origin-header2" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.21:*"/>
<response-header name="Access-Control-Allow-Origin-header3" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.22:*"/>
<response-header name="Access-Control-Allow-Methods-header" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/>
<response-header name="Access-Control-Allow-Headers-header" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
<response-header name="Access-Control-Allow-Credentials-header" header-name="Access-Control-Allow-Credentials" header-value="true"/>
<response-header name="Access-Control-Max-Age-header" header-name="Access-Control-Max-Age" header-value="1"/>
</filters>
</subsystem>
我做错了什么?
这个很好的 article 正在解释一种方法,使用 Undertow expression-filter 针对一些白名单域验证来源(建模为 multi-valued|-分隔列表):
<property name=”cors.whitelist” value=”http://domainA|http://domainB"/>
所有学分归文章作者:-)