Cross-site request forgery
package com.cloudtech.web.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* * 跨站点请求伪造 CSRF攻击 *
*/
public class CSRFilter implements Filter {
private final Logger log = LoggerFactory.getLogger(getClass());
private String[] verifyReferer = null;
@Override
public void destroy() {
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
String referer = filterConfig.getInitParameter("referer");
this.verifyReferer = referer.split(",");
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
String referer = ((HttpServletRequest)request).getHeader("Referer");
boolean b = false;
for(String vReferer : verifyReferer){
if(referer==null || referer.trim().startsWith(vReferer)){
b = true;
chain.doFilter(request, response);
break;
}
}
if(!b){
log.error("疑似CSRF攻击,referer:"+referer);
}
}
}web.xml
<filter>
<filter-name>CSRFilter</filter-name>
<filter-class>com.cloudtech.web.filter.CSRFilter</filter-class>
<init-param>
<param-name>referer</param-name>
<param-value>http://localhost:8081,http://127.0.0.1:8081</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CSRFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>Into the corresponding server port and ip
