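Cross-origin whitelist IP is not applied even after defining it with the @CrossOrigin annotation on a Spring Boot project

Time: 2019-06-13 07:09:31

Tags: java spring-boot cross-domain access-control clientip

I followed https://spring.io/guides/gs/rest-service-cors/ and added a random IP to one of my API endpoints like this -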

    @Produces(MediaType.APPLICATION_JSON)
    @CrossOrigin(origins = "116.206.111.61")
    public XAmount getBalance(@Context SecurityContext security) {
        String customer = null;
        // .. API code goes here ..
        }
    }

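I expected that this API would now accept requests only from this IP, and so I expected requests from the client to fail. However, that did not happen.

I am able to make the request from another server IP, say IP1. This is the request log after the change -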

2020-06-05 09:36:57,407 283453 [XNIO-3 task-1] INFO  [LoggingFilter.java:155] - 1 * Server has received a request on thread XNIO-3 task-1
1 > GET http://sandbox-server.com/service/v2/api
1 > Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
1 > Accept-Encoding: gzip
1 > Authorization: Bearer <token>
1 > Cache-Control: no-cache
1 > Connection: close
1 > Content-Type: application/x-www-form-urlencoded; charset=UTF-8
1 > Host: <domain of API>
1 > Pragma: no-cache
1 > User-Agent: Java/1.7.0_79
1 > X-Forwarded-For: <IP - source server from which API call is made>, <some other IP>, <yet another IP>, <yet another IP>
1 > X-Forwarded-Host: <domain of API>
1 > X-Forwarded-Port: 443
1 > X-Forwarded-Proto: https
1 > X-Forwarded-Server: <domain of API>

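As can be seen, I get the IP of the server making the request as the first IP listed under X-Forwarded-For. The remaining IPs appear to be servers the request is routed through. I added a different IP in @CrossOrigin -> origins, but the request still works fine. What else needs to be done?

By the way, this is our sandbox server. I checked the logs for the same API in production, without this change. There, I don't see X-Forwarded-For. Instead, I see a Client-IP header -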

2019-06-13 07:04:13,357 248327 [XNIO-3 task-17] INFO  [LoggingFilter.java:155] - 47 * Server has received a request on thread XNIO-3 task-17
47 > GET domain-of-api/service/v2/api
47 > Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
47 > Accept-Encoding: gzip
47 > Authorization: Bearer <token>
47 > Cache-Control: no-cache
47 > Client-IP: <IP of an internal server via which traffic is routed>
47 > Connection: Close
47 > Content-Type: application/x-www-form-urlencoded; charset=UTF-8
47 > Host: <domain of API>
47 > Pragma: no-cache
47 > User-Agent: Java/1.7.0_111

Whatever change I make, I need to be able to test it on the sandbox.
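
@CrossOrigin configures CORS, which Spring applies only to requests that carry an Origin header (as browsers send); it does not filter by client IP, so a server-side Java client like the one in the logs above passes through. One way to enforce an IP allow-list instead, as an added example that is not part of the original question: a servlet filter that resolves the caller from X-Forwarded-For only when the direct peer is a known proxy. It assumes Spring Boot 2.x (javax.servlet); the class name, the allowed address and the proxy addresses are constructed placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class): rejects callers whose resolved IP is not allow-listed.
@Component
public class ClientIpAllowListFilter extends OncePerRequestFilter {

    // Constructed sample values; replace with the real client and proxy addresses.
    private static final Set<String> ALLOWED_CLIENTS = new HashSet<>(Arrays.asList("203.0.113.10"));
    private static final Set<String> TRUSTED_PROXIES = new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6"));

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        // Join repeated X-Forwarded-For header lines so none of them is silently skipped.
        String forwardedFor = String.join(",", Collections.list(req.getHeaders("X-Forwarded-For")));
        String client = resolveClientIp(req.getRemoteAddr(), forwardedFor);
        if (!ALLOWED_CLIENTS.contains(client)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Client IP not allowed");
            return;
        }
        chain.doFilter(req, res);
    }

    // Walk the header right to left: each trusted proxy appended the address it saw, so the
    // first hop that is not one of our proxies is the caller. Anything further left was
    // supplied by that caller and can be forged.
    static String resolveClientIp(String remoteAddr, String forwardedFor) {
        if (!TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr; // header from an untrusted peer is ignored
        }
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // header was empty or held only trusted proxies
    }
}
```

Production in the logs above sends Client-IP instead of X-Forwarded-For, so the header name and proxy set would have to be set per environment.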

0 answers:

No answers