当没有预防跨站请求时,输入任何Referer,页面都会响应200。
加入预防跨站请求后,输入不正确的Referer,响应会是400。
代码如下:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
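@Configuration
public class WebConfig implements WebMvcConfigurer {

    /**
     * Registers the Referer-checking interceptor as a Spring bean.
     *
     * <p>Declared with {@code @Bean}: the original {@code @Autowired} on a no-arg method
     * does not register a bean, so the interceptor was never managed by the container.
     *
     * @return a new {@link RefererInterceptor}
     */
    @Bean
    public RefererInterceptor refererInterceptor() {
        return new RefererInterceptor();
    }

    /**
     * Adds the Referer interceptor to every handler mapping.
     *
     * @param registry the MVC interceptor registry supplied by Spring
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(refererInterceptor());
    }
}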
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.List;
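public class RefererInterceptor extends HandlerInterceptorAdapter {

    private static final Logger log = LoggerFactory.getLogger(RefererInterceptor.class);

    /** Hosts whose {@code Referer} is accepted for non-GET requests. */
    private String[] refererDomain = new String[]{"127.0.0.1"};

    /** When {@code false} the interceptor is a no-op; primitive so it can never unbox to an NPE. */
    private boolean check = true;

    /**
     * Rejects non-GET requests whose {@code Referer} header is missing, unparsable or
     * names a host outside {@link #refererDomain}; GET requests always pass.
     *
     * <p>NOTE(review): browsers omit {@code Referer} under a strict {@code Referrer-Policy},
     * so legitimate requests may be answered with 400 here; the {@code Origin} header is
     * the more reliable signal for this kind of check — confirm which clients are expected.
     *
     * @param req     the current request
     * @param resp    the response; status 400 is set when the request is rejected
     * @param handler the matched handler (unused)
     * @return {@code true} to continue the handler chain, {@code false} after a 400 was set
     * @throws Exception declared by the overridden method; nothing is thrown here
     */
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception {
        if (!check) {
            return true;
        }
        // Only state-changing methods are guarded; GET is passed through unchecked.
        if ("GET".equals(req.getMethod())) {
            return true;
        }
        if (isAllowedReferer(req.getHeader("Referer"), req.getServerName())) {
            return true;
        }
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return false;
    }

    /**
     * Decides whether {@code referer} parses as a URL whose host is in {@link #refererDomain}.
     *
     * @param referer    the raw {@code Referer} header, possibly {@code null}
     * @param serverName the host the request was addressed to (logged for diagnosis only)
     * @return {@code true} when the header is present, well-formed and its host is allowed
     */
    private boolean isAllowedReferer(String referer, String serverName) {
        if (referer == null || refererDomain == null) {
            return false;
        }
        final java.net.URL url;
        try {
            url = new java.net.URL(referer);
        } catch (MalformedURLException e) {
            // Replaces the former System.err debug output with the already-imported logger.
            log.debug("Rejecting request: Referer header is not a valid URL", e);
            return false;
        }
        String refererHost = url.getHost();
        log.debug("Referer host {} for server {}", refererHost, serverName);
        // Host names are case-insensitive (RFC 3986 section 3.2.2), hence equalsIgnoreCase.
        return Arrays.stream(refererDomain).anyMatch(allowed -> allowed.equalsIgnoreCase(refererHost));
    }
}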