1. Cross-origin (CORS) filter CorsFilter
It is Tomcat's implementation of the Cross-Origin Resource Sharing specification and is commonly used when the front end and back end, or static resources and the back end, are served from different origins. It mainly adds the Access-Control-* headers to the HttpServletResponse and also protects against HTTP response splitting. If the request is invalid or the origin is not allowed, it returns a 403 response code.
1.1. Configuration example
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class></filter-class>
    <init-param>
        <param-name></param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name></param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
        <param-name></param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
        <param-name></param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
        <param-name></param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name></param-name>
        <param-value>10</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
1.2. Parameter description
1.
The list of origins allowed to access the resource. "*" means any origin is allowed, multiple origins are separated by commas, and the default is "*".
2.
The list of HTTP methods that may be used to access the resource in a cross-origin request, separated by ",". These methods appear in the preflight response header Access-Control-Allow-Methods; the default is "GET, POST, HEAD, OPTIONS".
3.
The request headers that may be used when constructing a request, separated by ",". These headers appear in the preflight response header Access-Control-Allow-Headers; the default is Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers.
4.
The list of response headers the browser is allowed to access, separated by ",". These headers appear in the preflight response header Access-Control-Allow-Headers; the default is empty.
5.
The number of seconds the browser may cache the result of a preflight request. A negative value means CorsFilter adds no such header to the preflight response; otherwise the value appears in the preflight response header Access-Control-Max-Age. The default is 1800.
6.
Whether the resource supports user credentials. The value appears in the preflight response header Access-Control-Allow-Credentials; the default is true.
7.
Whether CORS-related attributes are added to the HttpServletRequest; the default is true. When set to true, CorsFilter adds the following request-related attributes to the HttpServletRequest:
1): Whether the request is a CORS request.
2): The origin URL, i.e. the page URL from which the request originated.
3): The CORS request type, one of:
SIMPLE: a simple request, not preceded by a preflight.
ACTUAL: an actual request that is preceded by a preflight.
PRE_FLIGHT: a preflight request.
NOT_CORS: an ordinary same-origin request.
INVALID_CORS: an invalid cross-origin request.
4): The request headers named in the Access-Control-Request-Headers header of the preflight request.
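As an added example, not Tomcat's CorsFilter source, the following Java class classifies a request into the five request types listed above, using the simple-method and simple-content-type rules of the CORS specification; the allowed origin, methods and headers passed in main are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not Tomcat's CorsFilter source: classifies a request into the
// request types listed above. Simple methods and simple content types follow the
// CORS specification; allowedOrigins holds the configured origins, or "*".
public class CorsClassifier {
    enum CorsRequestType { SIMPLE, ACTUAL, PRE_FLIGHT, NOT_CORS, INVALID_CORS }
    private static final Set<String> SIMPLE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "POST"));
    private static final Set<String> SIMPLE_CONTENT_TYPES = new HashSet<>(Arrays.asList(
            "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"));
    private final Set<String> allowedOrigins = new HashSet<>();   // lower-cased origins, or "*"
    CorsClassifier(String allowedOriginsParam) {
        for (String o : allowedOriginsParam.split(",")) {
            allowedOrigins.add(o.trim().toLowerCase());
        }
    }
    boolean isOriginAllowed(String origin) {
        return allowedOrigins.contains("*") || allowedOrigins.contains(origin.toLowerCase());
    }
    // A null argument means the corresponding header is absent from the request.
    CorsRequestType classify(String method, String origin, String acrMethod, String contentType) {
        if (origin == null) {
            return CorsRequestType.NOT_CORS;   // no Origin header: ordinary same-origin request
        }
        boolean wellFormed = origin.equals("null") || origin.startsWith("http://") || origin.startsWith("https://");
        if (!wellFormed || !isOriginAllowed(origin)) {
            return CorsRequestType.INVALID_CORS;   // malformed Origin, or not on the allow list
        }
        if ("OPTIONS".equals(method) && acrMethod != null) {
            return CorsRequestType.PRE_FLIGHT;   // OPTIONS carrying Access-Control-Request-Method
        }
        if (SIMPLE_METHODS.contains(method)) {
            String mediaType = contentType == null ? "" : contentType.split(";")[0].trim().toLowerCase();
            if (!"POST".equals(method) || SIMPLE_CONTENT_TYPES.contains(mediaType)) {
                return CorsRequestType.SIMPLE;   // sent by the browser without a preflight
            }
        }
        return CorsRequestType.ACTUAL;   // e.g. PUT, or POST with a JSON body: preceded by a preflight
    }

    public static void main(String[] args) {
        CorsClassifier c = new CorsClassifier("https://app.example.com");
        System.out.println(c.classify("OPTIONS", "https://app.example.com", "PUT", null));
        System.out.println(c.classify("POST", "https://app.example.com", null, "application/json"));
        System.out.println(c.classify("GET", "https://evil.example", null, null));
    }
}
```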
2. CSRF protection filter CsrfPreventionFilter
Provides basic CSRF protection for web applications. All links returned to the client are encoded via the response's encodeRedirectURL(String) and encodeURL(String) methods: the filter generates a nonce, stores it in the session for later comparison, and encodes the nonce into the URL. When the next request arrives, the nonce in the request is compared with the one in the session, and the request is allowed only if the two match.
2.1. Configuration example
<filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class></filter-class>
    <init-param>
        <param-name>denyStatus</param-name>
        <param-value>403</param-value>
    </init-param>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/html,/html/list</param-value>
    </init-param>
    <init-param>
        <param-name>nonceCacheSize</param-name>
        <param-value>5</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
2.2. Parameter description
1. denyStatus: the HTTP response status code used to reject a request. The default is 403.
2. entryPoints: a comma-separated list of URLs that are exempt from the nonce check (mainly so that a user can navigate away from the protected application and then return). In the filter:
    // A GET request to one of the configured entry points skips the nonce check
    if ("GET".equals(req.getMethod()) && ((req))) {
        skipNonceCheck = true;
    }
3. nonceCacheSize: size of the nonce cache. Previously issued nonces are kept in an LRU cache so that concurrent requests, and behaviour such as browser refreshes that may present a nonce which is no longer the current one, still work. The default is 5.
    private int nonceCacheSize = 5;
    ....
    if (nonceCache == null) {
        nonceCache = new ();   // LRU cache holding the last nonceCacheSize nonces
        if (session == null) {
            session = req.getSession(true);
        }
        session.setAttribute(".CSRF_NONCE", nonceCache);
    }
4. randomClass: the class used to generate the nonces; it must be an instance of the required random-number class. If it is not set, the default is used.
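As an added example, not CsrfPreventionFilter's own source, the following Java class shows the nonce bookkeeping these parameters control: a per-session LRU cache of nonceCacheSize nonces, GET requests to an entryPoints path bypassing the check, and denyStatus for rejected requests. The session id and request paths used in main are assumed.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example, not CsrfPreventionFilter's own source: the nonce bookkeeping the
// parameters above control. Each session keeps an LRU of the last nonceCacheSize
// nonces, GET requests to an entry point skip the check, and failures get denyStatus.
public class NonceGuard {
    private final Map<String, LinkedHashMap<String, Boolean>> cacheBySession = new HashMap<>();
    private final Set<String> entryPoints = new HashSet<>();
    private final int nonceCacheSize;
    private final int denyStatus;
    private final SecureRandom random = new SecureRandom();
    NonceGuard(String entryPointsParam, int nonceCacheSize, int denyStatus) {
        for (String p : entryPointsParam.split(",")) entryPoints.add(p.trim());
        this.nonceCacheSize = nonceCacheSize;
        this.denyStatus = denyStatus;
    }
    // Issues a fresh nonce and caches it for the session; once more than nonceCacheSize
    // nonces are outstanding the oldest is evicted and will no longer validate.
    String issueNonce(String sessionId) {
        LinkedHashMap<String, Boolean> cache = cacheBySession.computeIfAbsent(sessionId,
                k -> new LinkedHashMap<String, Boolean>(16, 0.75f, false) {
                    @Override protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                        return size() > nonceCacheSize;
                    }
                });
        String nonce = Long.toHexString(random.nextLong()) + Long.toHexString(random.nextLong());
        cache.put(nonce, Boolean.TRUE);
        return nonce;
    }
    // Returns 200 when the request may proceed, otherwise denyStatus.
    int check(String sessionId, String method, String path, String nonce) {
        if ("GET".equals(method) && entryPoints.contains(path)) return 200;   // entry point: no nonce needed
        LinkedHashMap<String, Boolean> cache = cacheBySession.get(sessionId);
        if (nonce == null || cache == null || !cache.containsKey(nonce)) return denyStatus;
        return 200;
    }

    public static void main(String[] args) {
        NonceGuard g = new NonceGuard("/html,/html/list", 5, 403);   // values from the configuration above
        String first = g.issueNonce("session-1");
        for (int i = 0; i < 5; i++) g.issueNonce("session-1");     // five newer nonces evict the first
        System.out.println(g.check("session-1", "POST", "/html/edit", first));
        System.out.println(g.check("session-1", "GET", "/html/list", null));
    }
}
```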
3. Prevent parameter loss filter FailedRequestFilter
This filter triggers parsing of the request parameters and rejects the request when that parsing fails, so that parameters submitted by the client are never silently lost. It works as follows: it first calls getParameter (the first call makes the Tomcat server parse the request parameters; if parsing fails, the result is recorded in the request attribute .parameter_parse_failed), then examines that attribute; if it is not null, the filter returns 400 directly.
For parameters to be parsed correctly, the character set encoding filter must be placed before this filter. This filter takes no initialization parameters.
    // A request is good when parameter parsing did not fail: the attribute .parameter_parse_failed is null
    private boolean isGoodRequest(ServletRequest request) {
        request.getParameter("none");   // the first call triggers Tomcat's parameter parsing
        return request.getAttribute(".parameter_parse_failed") == null;
    }
4. Obtain the client IP filter RemoteAddrFilter
Compares the IP address of the client that submitted the request (obtained from ServletRequest.getRemoteAddr()) against the configured regular expressions to decide whether the request may proceed.
4.1. Configuration example
<filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class></filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Remote Address Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
4.2. Parameter description
1. allow: a regular expression matching the client IP addresses that are allowed access.
2. deny: a regular expression matching the client IP addresses that are denied access.
3. denyStatus: the HTTP response status code returned when the request is rejected.
5. Obtain the client Host filter RemoteHostFilter
Compares the hostname of the client that submitted the request against the configured regular expressions to decide whether to continue processing the request. The parameters are the same as for RemoteAddrFilter.
6. Obtain the original client IP filter RemoteIpFilter
When a client reaches the server through an HTTP proxy or a load balancer, the request, from the server's point of view, comes directly from the proxy in front of it, so the remote IP the server obtains is actually the proxy server's address.
6.1. How to obtain the IP address of the original client
The X-Forwarded-For header records the client's IP address as the request passes through the proxies in front of the application server. RemoteIpFilter parses this header and replaces the IP address and host name in the request with the client's real IP address and host. In addition, the protocol name (http/https) and server port of the request can be replaced based on the X-Forwarded-Proto request header.
The format of X-Forwarded-For is as follows:
X-Forwarded-For: client, proxy1, proxy2
The leftmost entry, client, is the original client IP. In the example above the request has passed through three proxies, proxy1, proxy2 and proxy3 (the last one, proxy3, does not appear in the header; its address is what getRemoteAddr() returns). Behind a load balancer, RemoteAddrFilter and RemoteHostFilter must be used together with this filter, otherwise client access cannot be restricted correctly.
The following Java code is commonly used to read the client address from X-Forwarded-For:
    import javax.servlet.http.HttpServletRequest;

    public static String getIp(HttpServletRequest request) {
        // Take the first proxy header that is present and not "unknown", falling back to the peer address
        String requestAddr = request.getHeader("x-forwarded-for");
        if (requestAddr == null || requestAddr.length() == 0 || "unknown".equalsIgnoreCase(requestAddr)) {
            requestAddr = request.getHeader("Proxy-Client-IP");
        }
        if (requestAddr == null || requestAddr.length() == 0 || "unknown".equalsIgnoreCase(requestAddr)) {
            requestAddr = request.getHeader("WL-Proxy-Client-IP");
        }
        if (requestAddr == null || requestAddr.length() == 0 || "unknown".equalsIgnoreCase(requestAddr)) {
            requestAddr = request.getRemoteAddr();
        }
        return requestAddr;
    }
6.2. Configuration example
1) Basic configuration: process the X-Forwarded-For header
<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class></filter-class>
</filter>
<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
2) Process the X-Forwarded-For and X-Forwarded-Proto headers
<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class></filter-class>
    <init-param>
        <param-name>protocolHeader</param-name>
        <param-value>x-forwarded-proto</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
3) Advanced configuration with internal proxies
<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class></filter-class>
    <init-param>
        <param-name>allowedInternalProxies</param-name>
        <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
        <param-name>remoteIpHeader</param-name>
        <param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
        <param-name>remoteIpProxiesHeader</param-name>
        <param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
        <param-name>protocolHeader</param-name>
        <param-value>x-forwarded-proto</param-value>
    </init-param>
</filter>
4) Advanced configuration with trusted proxies
<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class></filter-class>
    <init-param>
        <param-name>allowedInternalProxies</param-name>
        <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
        <param-name>remoteIpHeader</param-name>
        <param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
        <param-name>remoteIpProxiesHeader</param-name>
        <param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
        <param-name>trustedProxies</param-name>
        <param-value>proxy1|proxy2</param-value>
    </init-param>
</filter>
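As an added example, not RemoteIpFilter's own source, the following Java code resolves the client address the way configurations 3) and 4) intend: the X-Forwarded-For header is honoured only when the request arrives from an allowedInternalProxies address, and it is read from the right, so the leftmost value, which the getIp code in 6.1 returns verbatim even when the client itself wrote it, is not trusted blindly. The proxy patterns come from the configurations above; the sample addresses are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not RemoteIpFilter's own source: resolves the client address from
// X-Forwarded-For the way configurations 3) and 4) intend. The header is honoured
// only from an internal proxy and is read from the right, so a value the client
// wrote itself at the left is never taken as the peer address.
public class ForwardedClient {
    final String clientAddr;    // address the application should treat as the client
    final String forwardedBy;   // trusted proxies passed, for the remoteIpProxiesHeader, or null
    ForwardedClient(String clientAddr, String forwardedBy) { this.clientAddr = clientAddr; this.forwardedBy = forwardedBy; }

    static ForwardedClient resolve(String peerAddr, String xff, Pattern internal, Pattern trusted) {
        // A header arriving from a peer that is not an internal proxy is untrusted and ignored.
        if (xff == null || !internal.matcher(peerAddr).matches()) {
            return new ForwardedClient(peerAddr, null);
        }
        List<String> hops = new ArrayList<>();
        for (String h : xff.split(",")) {
            if (!h.trim().isEmpty()) hops.add(h.trim());
        }
        List<String> trustedSeen = new ArrayList<>();
        String client = peerAddr;
        for (int idx = hops.size() - 1; idx >= 0; idx--) {
            client = hops.get(idx);
            if (internal.matcher(client).matches()) continue;   // internal hop: dropped silently
            if (trusted.matcher(client).matches()) {            // trusted hop: recorded, keep walking
                trustedSeen.add(0, client);
                continue;
            }
            break;   // first value that is neither: this is the client
        }
        String by = trustedSeen.isEmpty() ? null : String.join(", ", trustedSeen);
        return new ForwardedClient(client, by);
    }

    public static void main(String[] args) {
        // Patterns taken from the configurations above; addresses are constructed.
        Pattern internal = Pattern.compile("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
        Pattern trusted = Pattern.compile("proxy1|proxy2");
        // The client forged the leftmost entry; the proxies appended the real peer and themselves.
        ForwardedClient r = resolve("192.168.0.10", "10.0.0.1, 203.0.113.9, proxy1", internal, trusted);
        System.out.println(r.clientAddr + " via " + r.forwardedBy);
        // The same header sent directly by a client that is not an internal proxy is ignored.
        System.out.println(resolve("198.51.100.7", "10.0.0.1, 203.0.113.9", internal, trusted).clientAddr);
    }
}
```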
7. Character set encoding filter SetCharacterEncodingFilter
It provides a way to set the character set encoding of requests. By default ISO-8859-1 is used, but UTF-8 is recommended in production. The configured encoding is applied when the request specifies none or, depending on the ignore parameter, overrides the encoding the request specifies.
7.1. Configuration example
<filter>
    <filter-name>SetCharacterEncodingFilter</filter-name>
    <filter-class></filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>ignore</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SetCharacterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
7.2. Parameter description
1. encoding: the character set encoding to set.
2. ignore: whether the character set encoding specified by the client request is ignored. If true, the request's encoding is always overwritten with the configured one; if false, the configured encoding is applied only when the request does not specify one. The default is false.
The above is a detailed explanation of Tomcat's commonly used filters. For more on Tomcat filters, please see my other related articles!