update referer check

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/ApplicationServer.java

@@ -12,26 +12,18 @@ public class ApplicationServer extends ConfigObject {
 	private static final long serialVersionUID = 4182216855396608843L;
 
 	public static ApplicationServer defaultInstance() {
-		return new ApplicationServer();
+		ApplicationServer o = new ApplicationServer();
+		o.enable = true;
+		o.port = DEFAULT_PORT;
+		o.sslEnable = false;
+		o.proxyHost = "";
+		o.proxyPort = DEFAULT_PORT;
+		o.includes = new CopyOnWriteArrayList<>();
+		o.excludes = new CopyOnWriteArrayList<>();
+		return o;
 	}
 
 	private static final Integer DEFAULT_PORT = 80;
-	private static final Boolean DEFAULT_STATENABLE = true;
-	private static final String DEFAULT_STATEXCLUSIONS = "*.js,*.gif,*.jpg,*.png,*.css,*.ico";
-	private static final Boolean DEFAULT_EXPOSEJEST = true;
-
-	public ApplicationServer() {
-		this.enable = true;
-		this.port = DEFAULT_PORT;
-		this.sslEnable = false;
-		this.proxyHost = "";
-		this.proxyPort = DEFAULT_PORT;
-		this.includes = new CopyOnWriteArrayList<>();
-		this.excludes = new CopyOnWriteArrayList<>();
-		this.statEnable = DEFAULT_STATENABLE;
-		this.statExclusions = DEFAULT_STATEXCLUSIONS;
-		this.exposeJest = DEFAULT_EXPOSEJEST;
-	}
 
 	@FieldDescribe("是否启用")
 	private Boolean enable;
@@ -47,24 +39,6 @@ public class ApplicationServer extends ConfigObject {
 	private CopyOnWriteArrayList<String> includes;
 	@FieldDescribe("选择不承载的应用,和includes的值配合使用可以选择或者排除承载的应用,可以使用*作为通配符.")
 	private CopyOnWriteArrayList<String> excludes;
-	@FieldDescribe("启用统计,默认启用统计.")
-	private Boolean statEnable;
-	@FieldDescribe("统计忽略路径,默认忽略*.js,*.gif,*.jpg,*.png,*.css,*.ico")
-	private String statExclusions;
-	@FieldDescribe("暴露jest接口.")
-	private Boolean exposeJest;
-
-	public Boolean getExposeJest() {
-		return BooleanUtils.isNotFalse(this.exposeJest);
-	}
-
-	public String getStatExclusions() {
-		return (StringUtils.isEmpty(statExclusions) ? DEFAULT_STATEXCLUSIONS : this.statExclusions) + ",/druid/*";
-	}
-
-	public Boolean getStatEnable() {
-		return BooleanUtils.isNotFalse(statEnable);
-	}
 
 	public Boolean getEnable() {
 		return BooleanUtils.isTrue(this.enable);

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/CenterServer.java

@@ -19,25 +19,17 @@ public class CenterServer extends ConfigObject {
 	private static final Boolean DEFAULT_ENABLE = true;
 	private static final Integer DEFAULT_PORT = 80;
 	private static final Integer DEFAULT_ORDER = 0;
-	private static final Boolean DEFAULT_STATENABLE = true;
-	private static final String DEFAULT_STATEXCLUSIONS = "*.js,*.gif,*.jpg,*.png,*.css,*.ico";
-	private static final Boolean DEFAULT_EXPOSEJEST = true;
 
 	public static CenterServer defaultInstance() {
-		return new CenterServer();
-	}
-
-	public CenterServer() {
-		this.enable = DEFAULT_ENABLE;
-		this.sslEnable = false;
-		this.order = DEFAULT_ORDER;
-		this.port = DEFAULT_PORT;
-		this.httpProtocol = "";
-		this.proxyHost = "";
-		this.proxyPort = DEFAULT_PORT;
-		this.statEnable = DEFAULT_STATENABLE;
-		this.statExclusions = DEFAULT_STATEXCLUSIONS;
-		this.exposeJest = DEFAULT_EXPOSEJEST;
+		CenterServer o = new CenterServer();
+		o.enable = DEFAULT_ENABLE;
+		o.sslEnable = false;
+		o.order = DEFAULT_ORDER;
+		o.port = DEFAULT_PORT;
+		o.httpProtocol = "";
+		o.proxyHost = "";
+		o.proxyPort = DEFAULT_PORT;
+		return o;
 	}
 
 	@FieldDescribe("是否启用")
@@ -54,24 +46,6 @@ public class CenterServer extends ConfigObject {
 	private String proxyHost;
 	@FieldDescribe("代理端口,当服务器是通过apache/nginx等代理服务器映射到公网或者通过路由器做端口映射,在这样的情况下需要设置此地址以标明公网访问端口.")
 	private Integer proxyPort;
-	@FieldDescribe("启用统计,默认启用统计.")
-	private Boolean statEnable;
-	@FieldDescribe("统计忽略路径,默认忽略*.js,*.gif,*.jpg,*.png,*.css,*.ico")
-	private String statExclusions;
-	@FieldDescribe("暴露jest接口.")
-	private Boolean exposeJest;
-
-	public Boolean getExposeJest() {
-		return BooleanUtils.isNotFalse(this.exposeJest);
-	}
-
-	public String getStatExclusions() {
-		return (StringUtils.isEmpty(statExclusions) ? DEFAULT_STATEXCLUSIONS : this.statExclusions) + ",/druid/*";
-	}
-
-	public Boolean getStatEnable() {
-		return BooleanUtils.isNotFalse(statEnable);
-	}
 
 	public Boolean getEnable() {
 		return enable == null ? DEFAULT_ENABLE : this.enable;

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/Config.java

@@ -882,8 +882,8 @@ public class Config {
 		String n = resource_node_centersPirmaryNode();
 		Integer p = resource_node_centersPirmaryPort();
 		Boolean s = resource_node_centersPirmarySslEnable();
-		StringBuffer buffer = new StringBuffer();
-		if (s) {
+		StringBuilder buffer = new StringBuilder();
+		if (BooleanUtils.isTrue(s)) {
 			buffer.append("https://").append(n);
 			if (!NumberTools.valueEuqals(p, 443)) {
 				buffer.append(":").append(p);
@@ -904,12 +904,11 @@ public class Config {
 		return buffer.toString();
 	}
 
-	public static String url_x_program_center_jaxrs(Entry<String, CenterServer> entry, String... paths)
-			throws Exception {
+	public static String url_x_program_center_jaxrs(Entry<String, CenterServer> entry, String... paths) {
 		String n = entry.getKey();
 		Integer p = entry.getValue().getPort();
-		Boolean s = entry.getValue().getSslEnable();
-		StringBuffer buffer = new StringBuffer();
+		boolean s = entry.getValue().getSslEnable();
+		StringBuilder buffer = new StringBuilder();
 		if (s) {
 			buffer.append("https://").append(n);
 			if (!NumberTools.valueEuqals(p, 443)) {
@@ -925,7 +924,7 @@ public class Config {
 		buffer.append("/jaxrs/");
 		List<String> os = new ArrayList<>();
 		for (String path : paths) {
-			os.add(URLEncoder.encode(StringUtils.strip(path, "/"), DefaultCharset.name));
+			os.add(URLEncoder.encode(StringUtils.strip(path, "/"), StandardCharsets.UTF_8));
 		}
 		buffer.append(StringUtils.join(os, "/"));
 		return buffer.toString();
@@ -941,123 +940,9 @@ public class Config {
 			}
 			instance().messages = obj;
 		}
-//		if (null == instance().messages) {
-//			Messages obj = Messages.defaultInstance();
-//			Messages custom = BaseTools.readConfigObject(PATH_CONFIG_MESSAGES, Messages.class);
-//			if (null != custom) {
-//				custom.entrySet().stream().forEach(o -> {
-//					obj.put(o.getKey(), new Message(o.getValue().getConsumers(), o.getValue().getConsumersV2()));
-//				});
-//			}
-//			instance().messages = obj;
-//		}
 		return instance().messages;
 	}
 
-//	private MessageRestful messageRestful;
-//
-//	public static synchronized MessageRestful messageRestful() throws Exception {
-//		if (null == instance().messageRestful) {
-//			MessageRestful obj = BaseTools.readConfigObject(PATH_CONFIG_MESSAGERESTFUL, MessageRestful.class);
-//			if (null == obj) {
-//				obj = MessageRestful.defaultInstance();
-//			}
-//			instance().messageRestful = obj;
-//		}
-//		return instance().messageRestful;
-//	}
-//
-//	private MessageMq messageMq;
-//
-//	public static synchronized MessageMq messageMq() throws Exception {
-//		if (null == instance().messageMq) {
-//			MessageMq obj = BaseTools.readConfigObject(PATH_CONFIG_MESSAGEMQ, MessageMq.class);
-//			if (null == obj) {
-//				obj = MessageMq.defaultInstance();
-//			}
-//			instance().messageMq = obj;
-//		}
-//		return instance().messageMq;
-//	}
-//
-//	private MessageMail messageMail;
-//
-//	public static synchronized MessageMail messageMail() throws Exception {
-//		if (null == instance().messageMail) {
-//			MessageMail obj = BaseTools.readConfigObject(PATH_CONFIG_MESSAGEMAIL, MessageMail.class);
-//			if (null == obj) {
-//				obj = MessageMail.defaultInstance();
-//			}
-//			instance().messageMail = obj;
-//		}
-//		return instance().messageMail;
-//	}
-//
-//	private MessageApi messageApi;
-//
-//	public static synchronized MessageApi messageApi() throws Exception {
-//		if (null == instance().messageApi) {
-//			MessageApi obj = BaseTools.readConfigObject(PATH_CONFIG_MESSAGEAPI, MessageApi.class);
-//			if (null == obj) {
-//				obj = MessageApi.defaultInstance();
-//			}
-//			instance().messageApi = obj;
-//		}
-//		return instance().messageApi;
-//	}
-//
-//	private MessageJdbc messageJdbc;
-//
-//	public static synchronized MessageJdbc messageJdbc() throws Exception {
-//		if (null == instance().messageJdbc) {
-//			MessageJdbc obj = BaseTools.readConfigObject(PATH_CONFIG_MESSAGEJDBC, MessageJdbc.class);
-//			if (null == obj) {
-//				obj = MessageJdbc.defaultInstance();
-//			}
-//			instance().messageJdbc = obj;
-//		}
-//		return instance().messageJdbc;
-//	}
-//
-//	private MessageTable messageTable;
-//
-//	public static synchronized MessageTable messageTable() throws Exception {
-//		if (null == instance().messageTable) {
-//			MessageTable obj = BaseTools.readConfigObject(PATH_CONFIG_MESSAGETABLE, MessageTable.class);
-//			if (null == obj) {
-//				obj = MessageTable.defaultInstance();
-//			}
-//			instance().messageTable = obj;
-//		}
-//		return instance().messageTable;
-//	}
-//
-//	private MessageHadoop messageHadoop;
-//
-//	public static synchronized MessageHadoop messageHadoop() throws Exception {
-//		if (null == instance().messageHadoop) {
-//			MessageHadoop obj = BaseTools.readConfigObject(PATH_CONFIG_MESSAGEHADOOP, MessageHadoop.class);
-//			if (null == obj) {
-//				obj = MessageHadoop.defaultInstance();
-//			}
-//			instance().messageHadoop = obj;
-//		}
-//		return instance().messageHadoop;
-//	}
-
-//	private String messageSendRuleScript;
-//
-//	public static synchronized String messageSendRuleScript() throws Exception {
-//		if (null == instance().messageSendRuleScript) {
-//			String scriptStr = BaseTools.readString(PATH_CONFIG_MESSAGES_SEND_RULE);
-//			if (scriptStr == null) {
-//				scriptStr = "";
-//			}
-//			instance().messageSendRuleScript = scriptStr;
-//		}
-//		return instance().messageSendRuleScript;
-//	}
-
 	private JpushConfig pushConfig;
 
 	public static synchronized JpushConfig pushConfig() throws Exception {

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/General.java

@@ -7,6 +7,7 @@ import java.util.List;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import com.x.base.core.project.annotation.FieldDescribe;
 import com.x.base.core.project.gson.XGsonBuilder;
@@ -27,6 +28,12 @@ public class General extends ConfigObject {
 	private static final Boolean DEFAULT_DEPLOYRESOURCEENABLE = false;
 	private static final Boolean DEFAULT_DEPLOYWARENABLE = false;
 
+	private static final Boolean DEFAULT_STATENABLE = true;
+	private static final String DEFAULT_STATEXCLUSIONS = "*.js,*.gif,*.jpg,*.png,*.css,*.ico";
+	private static final Boolean DEFAULT_EXPOSEJEST = true;
+	private static final String DEFAULT_REFERERHEADCHECKREGULAR = "";
+	private static final String DEFAULT_ACCESSCONTROLALLOWORIGIN = "";
+
 	public static General defaultInstance() {
 		General o = new General();
 		o.webSocketEnable = DEFAULT_WEBSOCKETENABLE;
@@ -37,6 +44,11 @@ public class General extends ConfigObject {
 		o.requestLogBodyEnable = DEFAULT_REQUESTLOGBODYENABLE;
 		o.deployResourceEnable = DEFAULT_DEPLOYRESOURCEENABLE;
 		o.deployWarEnable = DEFAULT_DEPLOYWARENABLE;
+		o.statEnable = DEFAULT_STATENABLE;
+		o.statExclusions = DEFAULT_STATEXCLUSIONS;
+		o.exposeJest = DEFAULT_EXPOSEJEST;
+		o.refererHeadCheckRegular = DEFAULT_REFERERHEADCHECKREGULAR;
+		o.accessControlAllowOrigin = DEFAULT_ACCESSCONTROLALLOWORIGIN;
 		return o;
 	}
 
@@ -61,9 +73,46 @@ public class General extends ConfigObject {
 	@FieldDescribe("是否允许部署静态资源.")
 	private Boolean deployResourceEnable;
 
+	@FieldDescribe("启用统计,默认启用统计.")
+	private Boolean statEnable;
+
+	@FieldDescribe("统计忽略路径,默认忽略*.js,*.gif,*.jpg,*.png,*.css,*.ico")
+	private String statExclusions;
+
+	@FieldDescribe("暴露jest接口.")
+	private Boolean exposeJest;
+
 	@FieldDescribe("脚本中禁止用的类名,保持为空则默认禁用Runtime,File,Path.")
 	private List<String> scriptingBlockedClasses;
 
+	@FieldDescribe("http referer 校验正则表达式,可以对CSRF攻击进行防护校验,样例:(.+?)o2oa.net(.+?)")
+	private String refererHeadCheckRegular = "";
+
+	@FieldDescribe("跨源资源共享许可,设置http返回的Access-Control-Allow-Origin标识,可以用于CORS攻击防护,样例:https://www.o2oa.net")
+	private String accessControlAllowOrigin = "";
+
+	public String getRefererHeadCheckRegular() {
+		return (StringUtils.isBlank(refererHeadCheckRegular) ? DEFAULT_REFERERHEADCHECKREGULAR
+				: this.refererHeadCheckRegular);
+	}
+
+	public String getAccessControlAllowOrigin() {
+		return (StringUtils.isBlank(accessControlAllowOrigin) ? DEFAULT_ACCESSCONTROLALLOWORIGIN
+				: this.accessControlAllowOrigin);
+	}
+
+	public Boolean getExposeJest() {
+		return BooleanUtils.isNotFalse(this.exposeJest);
+	}
+
+	public String getStatExclusions() {
+		return (StringUtils.isEmpty(statExclusions) ? DEFAULT_STATEXCLUSIONS : this.statExclusions) + ",/druid/*";
+	}
+
+	public Boolean getStatEnable() {
+		return BooleanUtils.isNotFalse(statEnable);
+	}
+
 	public Boolean getRequestLogEnable() {
 		return BooleanUtils.isTrue(this.requestLogEnable);
 	}

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/Node.java

@@ -4,7 +4,7 @@ import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
 
 import com.x.base.core.project.annotation.FieldDescribe;
-import com.x.base.core.project.tools.DateTools;
+import com.x.base.core.project.tools.CronTools;
 import com.x.base.core.project.tools.NumberTools;
 
 public class Node extends ConfigObject {
@@ -14,7 +14,7 @@ public class Node extends ConfigObject {
 	private static final Integer DEFAULT_NODEAGENTPORT = 20010;
 	private static final String DEFAULT_BANNER = "O2OA";
 	private static final Boolean DEFAULT_SELFHEALTHCHECKENABLE = false;
-	//private static final Integer DEFAULT_ORDER = 0;
+	// private static final Integer DEFAULT_ORDER = 0;
 
 	public static Node defaultInstance() {
 		Node o = new Node();
@@ -31,7 +31,7 @@ public class Node extends ConfigObject {
 		o.nodeAgentPort = DEFAULT_NODEAGENTPORT;
 		o.autoStart = true;
 		o.selfHealthCheckEnable = DEFAULT_SELFHEALTHCHECKENABLE;
-		//o.order = DEFAULT_ORDER;
+		// o.order = DEFAULT_ORDER;
 		return o;
 	}
 
@@ -148,7 +148,7 @@ public class Node extends ConfigObject {
 		}
 
 		public boolean available() {
-			return DateTools.cronAvailable(this.cron());
+			return CronTools.available(this.cron());
 		}
 
 		@FieldDescribe("是否启用,默认禁用.")
@@ -190,7 +190,7 @@ public class Node extends ConfigObject {
 		}
 
 		public boolean available() {
-			return DateTools.cronAvailable(this.cron) && StringUtils.isNotEmpty(this.path);
+			return CronTools.available(this.cron) && StringUtils.isNotEmpty(this.path);
 		}
 
 		@FieldDescribe("是否启用.")

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/TernaryManagement.java

@@ -334,7 +334,9 @@ public class TernaryManagement extends ConfigObject {
 		return this._systemManagerPassword;
 	}
 
-	public void setSystemManagerPassword(String systemManagerPassword) throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
+	public void setSystemManagerPassword(String systemManagerPassword)
+			throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException,
+			IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
 		this.systemManagerPassword = Crypto.formattedDefaultEncrypt(systemManagerPassword);
 	}
 
@@ -347,7 +349,9 @@ public class TernaryManagement extends ConfigObject {
 		return this._securityManagerPassword;
 	}
 
-	public void setSecurityManagerPassword(String securityManagerPassword) throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
+	public void setSecurityManagerPassword(String securityManagerPassword)
+			throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException,
+			IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
 		this.securityManagerPassword = Crypto.formattedDefaultEncrypt(securityManagerPassword);
 	}
 
@@ -359,7 +363,9 @@ public class TernaryManagement extends ConfigObject {
 		return this._auditManagerPassword;
 	}
 
-	public void setAuditManagerPassword(String auditManagerPassword) throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
+	public void setAuditManagerPassword(String auditManagerPassword)
+			throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException,
+			IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
 		this.auditManagerPassword = Crypto.formattedDefaultEncrypt(auditManagerPassword);
 	}
 }

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/Token.java

@@ -168,14 +168,14 @@ public class Token extends ConfigObject {
 
 	public List<Oauth> getOauths() {
 		if (null == this.oauths) {
-			return new ArrayList<Oauth>();
+			return new ArrayList<>();
 		}
 		return this.oauths;
 	}
 
 	public List<Sso> getSsos() {
 		if (null == this.ssos) {
-			return new ArrayList<Sso>();
+			return new ArrayList<>();
 		}
 		return this.ssos;
 	}
@@ -232,7 +232,7 @@ public class Token extends ConfigObject {
 		o.qq = "";
 		o.weibo = "";
 		o.mobile = "";
-		o.roleList = new ArrayList<String>();
+		o.roleList = new ArrayList<>();
 		o.roleList.add(OrganizationDefinition.toDistinguishedName(OrganizationDefinition.Manager));
 		o.roleList.add(OrganizationDefinition.toDistinguishedName(OrganizationDefinition.OrganizationManager));
 		o.roleList.add(OrganizationDefinition.toDistinguishedName(OrganizationDefinition.MeetingManager));

o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/WebServer.java

@@ -10,23 +10,17 @@ public class WebServer extends ConfigObject {
 	private static final long serialVersionUID = 7240874589722986538L;
 
 	public static WebServer defaultInstance() {
-		return new WebServer();
-	}
-
-	public WebServer() {
-		this.enable = true;
-		this.port = DEFAULT_HTTP_PORT;
-		this.sslEnable = false;
-		this.proxyHost = "";
-		this.proxyPort = null;
-		this.statEnable = DEFAULT_STATENABLE;
-		this.statExclusions = DEFAULT_STATEXCLUSIONS;
+		WebServer o = new WebServer();
+		o.enable = true;
+		o.port = DEFAULT_HTTP_PORT;
+		o.sslEnable = false;
+		o.proxyHost = "";
+		o.proxyPort = null;
+		return o;
 	}
 
 	private static final Integer DEFAULT_HTTP_PORT = 80;
 	private static final Integer DEFAULT_HTTPS_PORT = 443;
-	private static final Boolean DEFAULT_STATENABLE = false;
-	private static final String DEFAULT_STATEXCLUSIONS = "*.gif,*.jpg,*.png,*.ico";
 	private static final Boolean DEFAULT_PROXYCENTERENABLE = true;
 	private static final Boolean DEFAULT_PROXYAPPLICATIONENABLE = true;
 	private static final Integer DEFAULT_PROXY_TIMEOUT = 300;
@@ -41,10 +35,6 @@ public class WebServer extends ConfigObject {
 	private String proxyHost;
 	@FieldDescribe("代理端口,当服务器是通过apache/nginx等代理服务器映射到公网或者通过路由器做端口映射,在这样的情况下需要设置此地址以标明公网访问端口.")
 	private Integer proxyPort;
-	@FieldDescribe("启用统计,默认启用统计.")
-	private Boolean statEnable;
-	@FieldDescribe("统计忽略路径,默认忽略*.gif,*.jpg,*.png,*.ico")
-	private String statExclusions;
 
 	@FieldDescribe("是否启用center服务器代理.")
 	private Boolean proxyCenterEnable;
@@ -63,14 +53,6 @@ public class WebServer extends ConfigObject {
 		return proxyApplicationEnable == null ? DEFAULT_PROXYAPPLICATIONENABLE : this.proxyApplicationEnable;
 	}
 
-	public String getStatExclusions() {
-		return (StringUtils.isEmpty(statExclusions) ? DEFAULT_STATEXCLUSIONS : this.statExclusions) + ",/druid/*";
-	}
-
-	public Boolean getStatEnable() {
-		return BooleanUtils.isNotFalse(statEnable);
-	}
-
 	public Boolean getEnable() {
 		return BooleanUtils.isTrue(this.enable);
 	}

o2server/x_base_core_project/src/main/java/com/x/base/core/project/connection/CipherConnectionAction.java

@@ -22,7 +22,7 @@ public class CipherConnectionAction {
 	public static ActionResponse get(Boolean xdebugger, String address) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.get(address, headers);
 	}
@@ -31,7 +31,7 @@ public class CipherConnectionAction {
 			throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.get(connectTimeout, readTimeout, address, headers);
 	}
@@ -50,7 +50,7 @@ public class CipherConnectionAction {
 	public static byte[] getBinary(Boolean xdebugger, String address) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.getBinary(address, headers);
 	}
@@ -59,7 +59,7 @@ public class CipherConnectionAction {
 			throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.getBinary(connectTimeout, readTimeout, address, headers);
 	}
@@ -78,7 +78,7 @@ public class CipherConnectionAction {
 	public static ActionResponse delete(Boolean xdebugger, String address) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.delete(address, headers);
 	}
@@ -87,7 +87,7 @@ public class CipherConnectionAction {
 			throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.delete(connectTimeout, readTimeout, address, headers);
 	}
@@ -106,7 +106,7 @@ public class CipherConnectionAction {
 	public static byte[] deleteBinary(Boolean xdebugger, String address) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.deleteBinary(address, headers);
 	}
@@ -115,7 +115,7 @@ public class CipherConnectionAction {
 			throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.deleteBinary(connectTimeout, readTimeout, address, headers);
 	}
@@ -134,7 +134,7 @@ public class CipherConnectionAction {
 	public static ActionResponse post(Boolean xdebugger, String address, Object body) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.post(address, headers, body);
 	}
@@ -143,7 +143,7 @@ public class CipherConnectionAction {
 			Object body) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.post(connectTimeout, readTimeout, address, headers, body);
 	}
@@ -163,7 +163,7 @@ public class CipherConnectionAction {
 	public static byte[] postBinary(Boolean xdebugger, String address, Object body) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.postBinary(address, headers, body);
 	}
@@ -172,7 +172,7 @@ public class CipherConnectionAction {
 			throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.postBinary(connectTimeout, readTimeout, address, headers, body);
 	}
@@ -193,7 +193,7 @@ public class CipherConnectionAction {
 			Collection<FilePart> fileParts) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.postMultiPartBinary(address, headers, formFields, fileParts);
 	}
@@ -202,7 +202,7 @@ public class CipherConnectionAction {
 			Collection<FormField> formFields, Collection<FilePart> fileParts) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.postMultiPartBinary(connectTimeout, readTimeout, address, headers, formFields,
 				fileParts);
@@ -224,7 +224,7 @@ public class CipherConnectionAction {
 	public static ActionResponse put(Boolean xdebugger, String address, Object body) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.put(address, headers, body);
 	}
@@ -233,7 +233,7 @@ public class CipherConnectionAction {
 			Object body) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.put(connectTimeout, readTimeout, address, headers, body);
 	}
@@ -253,7 +253,7 @@ public class CipherConnectionAction {
 	public static byte[] putBinary(Boolean xdebugger, String address, Object body) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.putBinary(address, headers, body);
 	}
@@ -262,7 +262,7 @@ public class CipherConnectionAction {
 			throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.putBinary(connectTimeout, readTimeout, address, headers, body);
 	}
@@ -283,7 +283,7 @@ public class CipherConnectionAction {
 			Collection<FilePart> fileParts) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.putMultiPartBinary(address, headers, formFields, fileParts);
 	}
@@ -292,7 +292,7 @@ public class CipherConnectionAction {
 			Collection<FormField> formFields, Collection<FilePart> fileParts) throws Exception {
 		List<NameValuePair> headers = cipher();
 		if (BooleanUtils.isTrue(xdebugger)) {
-			headers.add(new NameValuePair(HttpToken.X_Debugger, true));
+			headers.add(new NameValuePair(HttpToken.X_DEBUGGER, true));
 		}
 		return ConnectionAction.putMultiPartBinary(connectTimeout, readTimeout, address, headers, formFields,
 				fileParts);

o2server/x_base_core_project/src/main/java/com/x/base/core/project/http/FilterTools.java

@@ -5,30 +5,32 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.StringUtils;
 
+import com.google.common.net.HttpHeaders;
 import com.x.base.core.project.config.Config;
 
 public class FilterTools {
 
-	public static final String Access_Control_Allow_Origin = "Access-Control-Allow-Origin";
 	public static final String ORIGIN = "Origin";
-	public static final String Access_Control_Allow_Methods = "Access-Control-Allow-Methods";
-	public static final String Access_Control_Allow_Methods_Value = "GET, POST, OPTIONS, PUT, DELETE, HEAD, TRACE";
-	public static final String Access_Control_Allow_Headers = "Access-Control-Allow-Headers";
-	public static final String Access_Control_Allow_Headers_Value = "x-requested-with, x-request, c-token, Content-Type, Content-Length, x-cipher, x-client, x-debugger, Authorization, P-User-Id, P-Request-Id, P-Page-Id";
-	public static final String Access_Control_Allow_Credentials = "Access-Control-Allow-Credentials";
-	public static final String Access_Control_Expose_Headers = "Access-Control-Expose-Headers";
-	public static final String Access_Control_Max_Age = "Access-Control-Max-Age";
-	public static final String Access_Control_Max_Age_Value = "86400";
+	public static final String ACCESS_CONTROL_ALLOW_METHODS_VALUE = "GET, POST, OPTIONS, PUT, DELETE, HEAD, TRACE";
+	public static final String ACCESS_CONTROL_ALLOW_HEADERS_VALUE = "x-requested-with, x-request, c-token, Content-Type, Content-Length, x-cipher, x-client, x-debugger, Authorization, P-User-Id, P-Request-Id, P-Page-Id";
+	public static final String ACCESS_CONTROL_MAX_AGE_VALUE = "86400";
 
 	public static void allow(HttpServletRequest request, HttpServletResponse response) throws Exception {
-		String origin = request.getHeader(ORIGIN);
-		response.addHeader(Access_Control_Allow_Origin, StringUtils.isBlank(origin) ? "*" : origin);
-		response.addHeader(Access_Control_Allow_Methods, Access_Control_Allow_Methods_Value);
-		response.addHeader(Access_Control_Allow_Headers,
-				Access_Control_Allow_Headers_Value + ", " + Config.person().getTokenName());
-		response.addHeader(Access_Control_Allow_Credentials, "true");
-		response.setHeader(Access_Control_Expose_Headers, "c-token" + ", " + Config.person().getTokenName());
-		response.setHeader(Access_Control_Max_Age, Access_Control_Max_Age_Value);
+		if (StringUtils.isNotBlank(Config.general().getAccessControlAllowOrigin())) {
+			response.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, Config.general().getAccessControlAllowOrigin());
+		} else {
+			String origin = request.getHeader(HttpHeaders.ORIGIN);
+			if (StringUtils.isNotBlank(origin)) {
+				response.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+			}
+		}
+		response.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, ACCESS_CONTROL_ALLOW_METHODS_VALUE);
+		response.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS,
+				ACCESS_CONTROL_ALLOW_HEADERS_VALUE + ", " + Config.person().getTokenName());
+		response.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
+		response.setHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS,
+				"c-token" + ", " + Config.person().getTokenName());
+		response.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, ACCESS_CONTROL_MAX_AGE_VALUE);
 	}
 
 	public static final String Application_Not_Initialized_Json = "{\"type\": \"error\", \"message\": \"application not initialized.\"}";

o2server/x_base_core_project/src/main/java/com/x/base/core/project/http/HttpToken.java

@@ -27,17 +27,20 @@ public class HttpToken {
 
 	private static final Logger logger = LoggerFactory.getLogger(HttpToken.class);
 
-	public static final String X_Authorization = "authorization";
-	public static final String X_Person = "x-person";
+	public static final String X_AUTHORIZATION = "authorization";
+	public static final String X_PERSON = "x-person";
 	public static final String X_DISTINGUISHEDNAME = "x-distinguishedName";
 	public static final String X_REQUESTBODY = "x-requestBody";
-	public static final String X_Client = "x-client";
-	public static final String X_Debugger = "x-debugger";
+	public static final String X_CLIENT = "x-client";
+	public static final String X_DEBUGGER = "x-debugger";
 	public static final String COOKIE_ANONYMOUS_VALUE = "anonymous";
 	public static final String SET_COOKIE = "Set-Cookie";
 
-	private static final String RegularExpression_IP = "([1-9]|[1-9]\\d|1\\d{2}|2[0-4]\\d|25[0-5])(\\.(\\d|[1-9]\\d|1\\d{2}|2[0-4]\\d|25[0-5])){3}";
-	private static final String RegularExpression_Token = "^(anonymous|user|manager|cipher|systemManager|securityManager|auditManager)([2][0][1-9][0-9][0-1][0-9][0-3][0-9][0-5][0-9][0-5][0-9][0-5][0-9])(\\S{1,})$";
+	private static final String REGULAREXPRESSION_IP = "([1-9]|[1-9]\\d|1\\d{2}|2[0-4]\\d|25[0-5])(\\.(\\d|[1-9]\\d|1\\d{2}|2[0-4]\\d|25[0-5])){3}";
+	private static final String REGULAREXPRESSION_TOKEN = "^(anonymous|user|manager|cipher|systemManager|securityManager|auditManager)([2][0][1-9][0-9][0-1][0-9][0-3][0-9][0-5][0-9][0-5][0-9][0-5][0-9])(\\S{1,})$";
+
+	private static final String COOKIE_PART_MIDDLE = "; path=/; domain=";
+	private static final String COOKIE_PART_HTTPONLY = "; HttpOnly";
 
 	public EffectivePerson who(HttpServletRequest request, HttpServletResponse response, String key) throws Exception {
 		EffectivePerson effectivePerson = this.who(this.getToken(request), key, remoteAddress(request));
@@ -45,7 +48,7 @@ public class HttpToken {
 		effectivePerson.setUserAgent(this.userAgent(request));
 		effectivePerson.setUri(request.getRequestURI());
 		// 加入调试标记
-		Object debugger = request.getHeader(HttpToken.X_Debugger);
+		Object debugger = request.getHeader(HttpToken.X_DEBUGGER);
 		effectivePerson.setDebugger((null != debugger) && BooleanUtils.toBoolean(Objects.toString(debugger)));
 		// this.setAttribute(request, effectivePerson);
 		setToken(request, response, effectivePerson);
@@ -65,7 +68,7 @@ public class HttpToken {
 				logger.warn("can not decrypt token:{}, {}, remote address:{}.", token, e.getMessage(), address);
 				return EffectivePerson.anonymous();
 			}
-			Pattern pattern = Pattern.compile(RegularExpression_Token, Pattern.CASE_INSENSITIVE);
+			Pattern pattern = Pattern.compile(REGULAREXPRESSION_TOKEN, Pattern.CASE_INSENSITIVE);
 			Matcher matcher = pattern.matcher(plain);
 			if (!matcher.find()) {
 				// 不报错,跳过错误,将用户设置为anonymous
@@ -113,13 +116,13 @@ public class HttpToken {
 		try {
 			// String cookie = X_Token + "=; path=/; domain=" +
 			// this.domain(request) + "; max-age=0
-			String cookie = Config.person().getTokenName() + "=" + COOKIE_ANONYMOUS_VALUE + "; path=/; domain="
+			String cookie = Config.person().getTokenName() + "=" + COOKIE_ANONYMOUS_VALUE + COOKIE_PART_MIDDLE
 					+ this.domain(request)
-					+ (BooleanUtils.isTrue(Config.person().getTokenCookieHttpOnly()) ? "; HttpOnly" : "");
+					+ (BooleanUtils.isTrue(Config.person().getTokenCookieHttpOnly()) ? COOKIE_PART_HTTPONLY : "");
 			response.setHeader(SET_COOKIE, cookie);
 			response.setHeader(Config.person().getTokenName(), COOKIE_ANONYMOUS_VALUE);
 		} catch (Exception e) {
-			throw new Exception("delete Token cookie error.", e);
+			throw new IllegalAccessException("delete Token cookie error.");
 		}
 	}
 
@@ -156,9 +159,9 @@ public class HttpToken {
 	private void setResponseToken(HttpServletRequest request, HttpServletResponse response,
 			EffectivePerson effectivePerson) throws Exception {
 		if (!StringUtils.isEmpty(effectivePerson.getToken())) {
-			String cookie = Config.person().getTokenName() + "=" + effectivePerson.getToken() + "; path=/; domain="
+			String cookie = Config.person().getTokenName() + "=" + effectivePerson.getToken() + COOKIE_PART_MIDDLE
 					+ this.domain(request)
-					+ (BooleanUtils.isTrue(Config.person().getTokenCookieHttpOnly()) ? "; HttpOnly" : "");
+					+ (BooleanUtils.isTrue(Config.person().getTokenCookieHttpOnly()) ? COOKIE_PART_HTTPONLY : "");
 			response.setHeader(SET_COOKIE, cookie);
 			response.setHeader(Config.person().getTokenName(), effectivePerson.getToken());
 		}
@@ -167,8 +170,8 @@ public class HttpToken {
 	public void setResponseToken(HttpServletRequest request, HttpServletResponse response, String tokenName,
 			String token) throws Exception {
 		if (!StringUtils.isEmpty(token)) {
-			String cookie = tokenName + "=" + token + "; path=/; domain=" + this.domain(request)
-					+ (BooleanUtils.isTrue(Config.person().getTokenCookieHttpOnly()) ? "; HttpOnly" : "");
+			String cookie = tokenName + "=" + token + COOKIE_PART_MIDDLE + this.domain(request)
+					+ (BooleanUtils.isTrue(Config.person().getTokenCookieHttpOnly()) ? COOKIE_PART_HTTPONLY : "");
 			response.setHeader(SET_COOKIE, cookie);
 			response.setHeader(tokenName, token);
 		}
@@ -177,37 +180,37 @@ public class HttpToken {
 	public String getToken(HttpServletRequest request) throws Exception {
 		String token = null;
 		token = URLTools.getQueryStringParameter(request.getQueryString(), Config.person().getTokenName());
-		if (StringUtils.isEmpty(token)) {
-			if (null != request.getCookies()) {
-				for (Cookie c : request.getCookies()) {
-					if (StringUtils.equals(Config.person().getTokenName(), c.getName())) {
-						token = c.getValue();
-						break;
-					}
+		if (StringUtils.isEmpty(token) && (null != request.getCookies())) {
+			for (Cookie c : request.getCookies()) {
+				if (StringUtils.equals(Config.person().getTokenName(), c.getName())) {
+					token = c.getValue();
+					break;
 				}
 			}
 		}
 		if (StringUtils.isEmpty(token) || COOKIE_ANONYMOUS_VALUE.equals(token)) {
 			token = request.getHeader(Config.person().getTokenName());
 		}
+
+//		if (BooleanUtils.isTrue(Config.token().getCsrfProtectionEnable()) && (!StringUtils
+//				.equals(Objects.toString(token, ""), Objects.toString(request.getHeader(X_AUTHORIZATION), "")))) {
+//			throw new IllegalAccessException("CSFT protection denied.");
+//		}
+
 		if (StringUtils.isEmpty(token)) {
+			String value = request.getHeader(X_AUTHORIZATION);
 			// 如果使用oauth bearer 通过此传递认证信息.需要进行判断,格式为 Bearer xxxxxxx
-			String value = request.getHeader(X_Authorization);
 			if (!StringUtils.contains(value, " ")) {
 				token = value;
 			}
 		}
-		// 此代码将导致input被关闭.
-		// if (StringUtils.isEmpty(token)) {
-		// token = request.getParameter(X_Token);
-		// }
 		return token;
 	}
 
-	private String domain(HttpServletRequest request) throws Exception {
+	private String domain(HttpServletRequest request) {
 		String str = request.getServerName();
 		if (StringUtils.contains(str, ".")) {
-			Pattern pattern = Pattern.compile(RegularExpression_IP);
+			Pattern pattern = Pattern.compile(REGULAREXPRESSION_IP);
 			Matcher matcher = pattern.matcher(str);
 			if (!matcher.find()) {
 				if (StringUtils.equalsIgnoreCase(DomainTools.getMainDomain(str), str)) {
@@ -221,7 +224,7 @@ public class HttpToken {
 	}
 
 	private void setAttribute(HttpServletRequest request, EffectivePerson effectivePerson) {
-		request.setAttribute(X_Person, effectivePerson);
+		request.setAttribute(X_PERSON, effectivePerson);
 		request.setAttribute(X_DISTINGUISHEDNAME, effectivePerson.getDistinguishedName());
 	}
 

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/AbstractJaxrsAction.java

@@ -46,7 +46,7 @@ abstract class AbstractJaxrsAction {
 	}
 
 	protected EffectivePerson effectivePerson(HttpServletRequest request) {
-		Object o = request.getAttribute(HttpToken.X_Person);
+		Object o = request.getAttribute(HttpToken.X_PERSON);
 		if (null != o) {
 			return (EffectivePerson) o;
 		} else {

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/AnonymousCipherManagerUserJaxrsFilter.java

@@ -10,6 +10,9 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang3.StringUtils;
+
+import com.google.common.net.HttpHeaders;
 import com.x.base.core.project.config.Config;
 import com.x.base.core.project.http.FilterTools;
 import com.x.base.core.project.http.HttpToken;
@@ -24,13 +27,14 @@ public abstract class AnonymousCipherManagerUserJaxrsFilter extends TokenFilter
 		try {
 			HttpServletRequest request = (HttpServletRequest) req;
 			HttpServletResponse response = (HttpServletResponse) res;
+			httpRequestCheck(request);
 			FilterTools.allow(request, response);
 			if (!request.getMethod().equalsIgnoreCase("options")) {
 				HttpToken httpToken = new HttpToken();
 				httpToken.who(request, response, Config.token().getCipher());
 				chain.doFilter(request, response);
 			} else {
-				options(request,response);
+				options(request, response);
 			}
 		} catch (Exception e) {
 			e.printStackTrace();

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/AnonymousJaxrsFilter.java

@@ -26,6 +26,7 @@ public abstract class AnonymousJaxrsFilter extends TokenFilter {
 		try {
 			HttpServletRequest request = (HttpServletRequest) req;
 			HttpServletResponse response = (HttpServletResponse) res;
+			httpRequestCheck(request);
 			FilterTools.allow(request, response);
 			if (!request.getMethod().equalsIgnoreCase("options")) {
 				HttpToken httpToken = new HttpToken();

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/CipherJaxrsFilter.java

@@ -31,31 +31,34 @@ public abstract class CipherJaxrsFilter extends TokenFilter {
 		try {
 			HttpServletRequest request = (HttpServletRequest) req;
 			HttpServletResponse response = (HttpServletResponse) res;
+			httpRequestCheck(request);
 			FilterTools.allow(request, response);
 			if (!request.getMethod().equalsIgnoreCase("options")) {
 				HttpToken httpToken = new HttpToken();
 				EffectivePerson effectivePerson = httpToken.who(request, response, Config.token().getCipher());
 				if (TokenType.anonymous.equals(effectivePerson.getTokenType())) {
-					/** 401 Unauthorized 未登录访问被拒绝 */
+					// 401 Unauthorized 未登录访问被拒绝
 					response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 					response.setHeader("Content-Type", "application/json;charset=UTF-8");
-					ActionResult result = new ActionResult();
+					ActionResult<?> result = new ActionResult<>();
 					ExceptionUnauthorized e = new ExceptionUnauthorized();
 					result.error(e);
-					String message = e.getFormatMessage(result.getPrompt(), request.getHeader(ResponseFactory.Accept_Language));
-					if(StringUtils.isNotBlank(message)) {
+					String message = e.getFormatMessage(result.getPrompt(),
+							request.getHeader(ResponseFactory.Accept_Language));
+					if (StringUtils.isNotBlank(message)) {
 						result.setMessage(message);
 					}
 					response.getWriter().write(result.toJson());
 				} else if (!TokenType.cipher.equals(effectivePerson.getTokenType())) {
-					/** 需要自己标志500 */
+					// 需要自己标志500
 					response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 					response.setHeader("Content-Type", "application/json;charset=UTF-8");
-					ActionResult result = new ActionResult();
+					ActionResult<?> result = new ActionResult<>();
 					ExceptionAccessDenied e = new ExceptionAccessDenied(effectivePerson);
 					result.error(e);
-					String message = e.getFormatMessage(result.getPrompt(), request.getHeader(ResponseFactory.Accept_Language));
-					if(StringUtils.isNotBlank(message)) {
+					String message = e.getFormatMessage(result.getPrompt(),
+							request.getHeader(ResponseFactory.Accept_Language));
+					if (StringUtils.isNotBlank(message)) {
 						result.setMessage(message);
 					}
 					response.getWriter().write(result.toJson());
@@ -63,7 +66,7 @@ public abstract class CipherJaxrsFilter extends TokenFilter {
 					chain.doFilter(request, response);
 				}
 			} else {
-				options(request,response);
+				options(request, response);
 			}
 		} catch (Exception e) {
 			e.printStackTrace();

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/CipherManagerJaxrsFilter.java

@@ -31,6 +31,7 @@ public abstract class CipherManagerJaxrsFilter extends TokenFilter {
 		try {
 			HttpServletRequest request = (HttpServletRequest) req;
 			HttpServletResponse response = (HttpServletResponse) res;
+			httpRequestCheck(request);
 			FilterTools.allow(request, response);
 			if (!request.getMethod().equalsIgnoreCase("options")) {
 				HttpToken httpToken = new HttpToken();

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/CipherManagerUserJaxrsFilter.java

@@ -30,6 +30,7 @@ public abstract class CipherManagerUserJaxrsFilter extends TokenFilter {
 		try {
 			HttpServletRequest request = (HttpServletRequest) req;
 			HttpServletResponse response = (HttpServletResponse) res;
+			httpRequestCheck(request);
 			FilterTools.allow(request, response);
 			if (!request.getMethod().equalsIgnoreCase("options")) {
 				HttpToken httpToken = new HttpToken();

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/ManagerUserJaxrsFilter.java

@@ -30,6 +30,7 @@ public abstract class ManagerUserJaxrsFilter extends TokenFilter {
 		try {
 			HttpServletRequest request = (HttpServletRequest) req;
 			HttpServletResponse response = (HttpServletResponse) res;
+			httpRequestCheck(request);
 			FilterTools.allow(request, response);
 			if (!request.getMethod().equalsIgnoreCase("options")) {
 				HttpToken httpToken = new HttpToken();

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/TokenFilter.java

 package com.x.base.core.project.jaxrs;
 
+import java.util.Objects;
+import java.util.Optional;
+import java.util.regex.Pattern;
+
 import javax.servlet.Filter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang3.StringUtils;
+
+import com.google.common.net.HttpHeaders;
+import com.x.base.core.project.config.Config;
+
 public abstract class TokenFilter implements Filter {
 
+	private static Optional<Pattern> refererPattern;
+
 	protected void options(HttpServletRequest request, HttpServletResponse response) {
 		response.setStatus(204);
 	}
+
+	private static Optional<Pattern> getRefererPattern() {
+		try {
+			if (Objects.isNull(refererPattern)) {
+				synchronized (TokenFilter.class) {
+					if (StringUtils.isNotBlank(Config.general().getRefererHeadCheckRegular())) {
+						refererPattern = Optional.of(Pattern.compile(Config.general().getRefererHeadCheckRegular()));
+					} else {
+						refererPattern = Optional.empty();
+					}
+				}
+			}
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+		return refererPattern;
+	}
+
+	protected void httpRequestCheck(HttpServletRequest request) throws IllegalAccessException {
+		if (getRefererPattern().isPresent()) {
+			String referer = request.getHeader(HttpHeaders.REFERER);
+			if (StringUtils.isNotBlank(referer) && (!getRefererPattern().get().matcher(referer).find())) {
+				throw new IllegalAccessException("illegal http request.");
+			}
+		}
+	}
 }

o2server/x_base_core_project/src/main/java/com/x/base/core/project/jaxrs/UserJaxrsFilter.java

@@ -31,6 +31,7 @@ public abstract class UserJaxrsFilter extends TokenFilter {
 		try {
 			HttpServletRequest request = (HttpServletRequest) req;
 			HttpServletResponse response = (HttpServletResponse) res;
+			httpRequestCheck(request);
 			FilterTools.allow(request, response);
 			if (!request.getMethod().equalsIgnoreCase("options")) {
 				HttpToken httpToken = new HttpToken();

o2server/x_console/src/main/java/com/x/server/console/server/application/ApplicationServerTools.java

@@ -30,7 +30,6 @@ import org.apache.commons.io.filefilter.WildcardFileFilter;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.math.NumberUtils;
-import org.apache.commons.vfs2.util.DelegatingFileSystemOptionsBuilder;
 import org.eclipse.jetty.quickstart.QuickStartWebApp;
 import org.eclipse.jetty.server.AsyncRequestLogWriter;
 import org.eclipse.jetty.server.RequestLog;
@@ -242,18 +241,18 @@ public class ApplicationServerTools extends JettySeverTools {
 		});
 	}
 
-	private static void setExposeJest(ApplicationServer applicationServer, QuickStartWebApp webApp) {
-		if (BooleanUtils.isFalse(applicationServer.getExposeJest())) {
+	private static void setExposeJest(ApplicationServer applicationServer, QuickStartWebApp webApp) throws Exception {
+		if (BooleanUtils.isFalse(Config.general().getExposeJest())) {
 			FilterHolder denialOfServiceFilterHolder = new FilterHolder(new DenialOfServiceFilter());
 			webApp.addFilter(denialOfServiceFilterHolder, "/jest/*", EnumSet.of(DispatcherType.REQUEST));
 			webApp.addFilter(denialOfServiceFilterHolder, "/describe/sources/*", EnumSet.of(DispatcherType.REQUEST));
 		}
 	}
 
-	private static void setStat(ApplicationServer applicationServer, QuickStartWebApp webApp) {
-		if (BooleanUtils.isTrue(applicationServer.getStatEnable())) {
+	private static void setStat(ApplicationServer applicationServer, QuickStartWebApp webApp) throws Exception {
+		if (BooleanUtils.isTrue(Config.general().getStatEnable())) {
 			FilterHolder statFilterHolder = new FilterHolder(new WebStatFilter());
-			statFilterHolder.setInitParameter("exclusions", applicationServer.getStatExclusions());
+			statFilterHolder.setInitParameter("exclusions", Config.general().getStatExclusions());
 			webApp.addFilter(statFilterHolder, "/*", EnumSet.of(DispatcherType.REQUEST));
 			ServletHolder statServletHolder = new ServletHolder(StatViewServlet.class);
 			statServletHolder.setInitParameter("sessionStatEnable", BooleanUtils.toStringTrueFalse(false));

o2server/x_console/src/main/java/com/x/server/console/server/center/CenterServerTools.java

@@ -140,10 +140,10 @@ public class CenterServerTools extends JettySeverTools {
 		return webApp;
 	}
 
-	private static void setStat(CenterServer centerServer, QuickStartWebApp webApp) {
-		if (BooleanUtils.isTrue(centerServer.getStatEnable())) {
+	private static void setStat(CenterServer centerServer, QuickStartWebApp webApp) throws Exception {
+		if (BooleanUtils.isTrue(Config.general().getStatEnable())) {
 			FilterHolder statFilterHolder = new FilterHolder(new WebStatFilter());
-			statFilterHolder.setInitParameter("exclusions", centerServer.getStatExclusions());
+			statFilterHolder.setInitParameter("exclusions", Config.general().getStatExclusions());
 			webApp.addFilter(statFilterHolder, "/*", EnumSet.of(DispatcherType.REQUEST));
 			ServletHolder statServletHolder = new ServletHolder(StatViewServlet.class);
 			statServletHolder.setInitParameter("sessionStatEnable", "false");
@@ -151,8 +151,8 @@ public class CenterServerTools extends JettySeverTools {
 		}
 	}
 
-	private static void setExposeJest(CenterServer centerServer, QuickStartWebApp webApp) {
-		if (BooleanUtils.isFalse(centerServer.getExposeJest())) {
+	private static void setExposeJest(CenterServer centerServer, QuickStartWebApp webApp) throws Exception {
+		if (BooleanUtils.isFalse(Config.general().getExposeJest())) {
 			FilterHolder denialOfServiceFilterHolder = new FilterHolder(new DenialOfServiceFilter());
 			webApp.addFilter(denialOfServiceFilterHolder, "/jest/*", EnumSet.of(DispatcherType.REQUEST));
 			webApp.addFilter(denialOfServiceFilterHolder, "/describe/sources/*", EnumSet.of(DispatcherType.REQUEST));

o2server/x_console/src/main/java/com/x/server/console/server/web/WebServerTools.java

@@ -128,7 +128,7 @@ public class WebServerTools extends JettySeverTools {
 		return server;
 	}
 
-	private static WebAppContext webContext(WebServer webServer) throws IOException, URISyntaxException {
+	private static WebAppContext webContext(WebServer webServer) throws Exception {
 		WebAppContext context = new WebAppContext();
 		context.setContextPath("/");
 		context.setBaseResource(Resource.newResource(new File(Config.base(), "servers/webServer")));
@@ -143,9 +143,9 @@ public class WebServerTools extends JettySeverTools {
 		context.setGzipHandler(new GzipHandler());
 		context.setParentLoaderPriority(true);
 		context.getMimeTypes().addMimeMapping("wcss", "application/json");
-		if (BooleanUtils.isTrue(webServer.getStatEnable())) {
+		if (BooleanUtils.isTrue(Config.general().getStatEnable())) {
 			FilterHolder statFilterHolder = new FilterHolder(new WebStatFilter());
-			statFilterHolder.setInitParameter("exclusions", webServer.getStatExclusions());
+			statFilterHolder.setInitParameter("exclusions", Config.general().getStatExclusions());
 			context.addFilter(statFilterHolder, "/*", EnumSet.of(DispatcherType.REQUEST));
 			ServletHolder statServletHolder = new ServletHolder(StatViewServlet.class);
 			statServletHolder.setInitParameter("sessionStatEnable", "false");

o2server/x_message_assemble_communicate/src/main/java/com/x/message/assemble/communicate/ws/collaboration/ActionCollaboration.java

@@ -42,7 +42,7 @@ public class ActionCollaboration {
 
 	@OnOpen
 	public void open(Session session) {
-		EffectivePerson effectivePerson = (EffectivePerson) session.getUserProperties().get(HttpToken.X_Person);
+		EffectivePerson effectivePerson = (EffectivePerson) session.getUserProperties().get(HttpToken.X_PERSON);
 
 		LOGGER.debug("OnOpen: tokenType:{}, distinguishedName:{}.", effectivePerson::getTokenType,
 				effectivePerson::getDistinguishedName);
@@ -79,7 +79,7 @@ public class ActionCollaboration {
 
 	@OnMessage
 	public void message(String input, Session session) throws IOException {
-		EffectivePerson effectivePerson = (EffectivePerson) session.getUserProperties().get(HttpToken.X_Person);
+		EffectivePerson effectivePerson = (EffectivePerson) session.getUserProperties().get(HttpToken.X_PERSON);
 		LOGGER.debug("OnMessage receive: message {}, person:{}, ip:{}, client:{} .", () -> input,
 				effectivePerson::getDistinguishedName, effectivePerson::getRemoteAddress,
 				effectivePerson::getUserAgent);

o2server/x_message_assemble_communicate/src/main/java/com/x/message/assemble/communicate/ws/collaboration/WsConfigurator.java

@@ -19,7 +19,7 @@ public class WsConfigurator extends ServerEndpointConfig.Configurator {
 	public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {
 		try {
 			EffectivePerson effectivePerson = this.getEffectivePerson(request);
-			config.getUserProperties().put(HttpToken.X_Person, effectivePerson);
+			config.getUserProperties().put(HttpToken.X_PERSON, effectivePerson);
 		} catch (Exception e) {
 			e.printStackTrace();
 		}

o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ActionWho.java

@@ -55,7 +55,7 @@ class ActionWho extends BaseAction {
 				} else {
 					Person person = this.getPerson(business, effectivePerson);
 					wo = this.user(null, null, business, person, Wo.class);
-					this.recordLogin(person.getName(), request.getRemoteAddr(), request.getHeader(HttpToken.X_Client));
+					this.recordLogin(person.getName(), request.getRemoteAddr(), request.getHeader(HttpToken.X_CLIENT));
 				}
 				wo.setTokenType(TokenType.manager);
 				wo.setToken(effectivePerson.getToken());
@@ -68,7 +68,7 @@ class ActionWho extends BaseAction {
 				} else {
 					Person person = this.getPerson(business, effectivePerson);
 					wo = this.user(null, null, business, person, Wo.class);
-					this.recordLogin(person.getName(), request.getRemoteAddr(), request.getHeader(HttpToken.X_Client));
+					this.recordLogin(person.getName(), request.getRemoteAddr(), request.getHeader(HttpToken.X_CLIENT));
 				}
 				wo.setTokenType(effectivePerson.getTokenType());
 				wo.setToken(effectivePerson.getToken());
@@ -76,7 +76,7 @@ class ActionWho extends BaseAction {
 			case user:
 				Person person = this.getPerson(business, effectivePerson);
 				wo = this.user(null, null, business, person, Wo.class);
-				this.recordLogin(person.getName(), request.getRemoteAddr(), request.getHeader(HttpToken.X_Client));
+				this.recordLogin(person.getName(), request.getRemoteAddr(), request.getHeader(HttpToken.X_CLIENT));
 				break;
 			default:
 				break;

o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/oauth/ActionInfo.java

@@ -50,7 +50,7 @@ class ActionInfo extends BaseAction {
 			ActionResult<Wo> result = new ActionResult<>();
 			Business business = new Business(emc);
 			if (StringUtils.isEmpty(accessToken)) {
-				String bearer = request.getHeader(HttpToken.X_Authorization);
+				String bearer = request.getHeader(HttpToken.X_AUTHORIZATION);
 				if (StringUtils.isNotEmpty(bearer)) {
 					accessToken = StringUtils.substringAfter(bearer, " ");
 				}