springboot预防跨站请求CSRF Referer防盗链

当没有预防跨站请求，输入任何Refer，都会是页面响应200。

在这里插入图片描述

加入预防跨站请求，输入不正确的Refer，响应会是400.

在这里插入图片描述

代码如下：

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * @ClassName WebConfig
 * @Description TODO
 * @Date 2021/3/20 21:58
 * @Version 1.0
 */
@Configuration
public class WebConfig implements WebMvcConfigurer {
    
    
    @Autowired
    public RefererInterceptor refererInterceptor() {
    
    
        return new RefererInterceptor();
    }
    /**
     * 注册拦截器
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
    
    
        //referer拦截
        registry.addInterceptor(refererInterceptor());
    }

}


/**
 * @ClassName RefererInterceptor
 * @Description TODO
 * @Date 2021/3/20 21:37
 * @Version 1.0
 */


import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.List;

/**
 * Referer拦截器
 */
public class RefererInterceptor extends HandlerInterceptorAdapter {
    
    

    /**
     * 白名单
     */
    private String[] refererDomain = new String[]{
    
    "127.0.0.1"};
    /**
     * 是否开启referer校验
     */
    private Boolean check =true;


    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception {
    
    
        if (!check) {
    
    
            return true;
        }
        String referer = req.getHeader("Referer");
        String host = req.getServerName();
        // 验证非get请求
        if (!"GET".equals(req.getMethod())) {
    
    
            if (referer == null) {
    
    
                // 状态置为404
                resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                return false;
            }
            java.net.URL url = null;
            try {
    
    
                url = new java.net.URL(referer);
            } catch (MalformedURLException e) {
    
    
                // URL解析异常，也置为404
                resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                return false;
            }
            System.err.println(url.getHost());
            System.err.println(host);
            // 首先判断请求域名和referer域名是否相同
//            if (!host.equals(url.getHost())) {
    
    
                // 如果不等，判断是否在白名单中
                if (refererDomain != null) {
    
    
                    for (String s : refererDomain) {
    
    
                        if (s.equals(url.getHost())) {
    
    
                            System.err.println(url.getHost());
                            return true;
                        }
                    }
                }
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return false;

//            }
        }
        return true;
    }

}

springboot预防跨站请求CSRF Referer防盗链

当没有预防跨站请求，输入任何Refer，都会是页面响应200。

加入预防跨站请求，输入不正确的Refer，响应会是400.

代码如下：

猜你喜欢