HTTP Referer是header的一部分,当浏览器向web服务器发送请求的时候,会带上Referer,通过验证Referer,可以判断请求的合法性,如果Referer是其他网站的话,就有可能是CSRF攻击,则拒绝该请求。
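/**
 * CSRF mitigation based on the HTTP {@code Referer} header.
 *
 * <p>A request whose Referer names a different origin than the one the request
 * arrived on is answered with {@code 403 Forbidden}. A missing or empty Referer is
 * accepted, because browsers and privacy settings routinely omit the header
 * (direct navigation, bookmarks, {@code Referrer-Policy}); this interceptor therefore
 * complements a synchronizer-token defense rather than replacing it.
 *
 * @author Cheng.Wei
 * @date 2017-08-04 14:11
 */
public class ReferrerInterceptor implements HandlerInterceptor {

    static final Logger logger = LogManager.getLogger(ReferrerInterceptor.class);

    /**
     * Lets the request through when its Referer is absent or points at the same
     * scheme and host as the request itself; otherwise sends {@code 403} and stops.
     *
     * @param request  incoming request; its scheme and server name define the trusted origin
     * @param response used to send {@code 403} when the Referer does not match
     * @param handler  target handler (unused)
     * @return {@code true} to continue the handler chain, {@code false} after a 403 was sent
     * @throws Exception propagated from {@link HttpServletResponse#sendError(int)}
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String referrer = request.getHeader("referer");
        logger.debug("referrer:{}", referrer);

        // NOTE(review): behind a TLS-terminating proxy getScheme()/getServerName() describe the
        // proxy hop unless the container is configured to honour X-Forwarded-* — confirm.
        String scheme = request.getScheme();
        String host = request.getServerName();
        logger.debug("basePath:{}", scheme + "://" + host);

        if (isTrustedReferrer(referrer, scheme, host)) {
            return true;
        }
        // Returning false without a status left the client with an empty 200; an explicit
        // 403 makes the rejection visible to clients and to access logs.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    /**
     * Decides whether a Referer value is acceptable for a request that arrived on
     * {@code scheme://host}.
     *
     * <p>The header is parsed as a URI and its scheme and host are compared exactly
     * (hostnames case-insensitively). A plain prefix match — the former
     * {@code referrer.lastIndexOf(basePath) == 0} — is not sufficient, because
     * {@code https://host} is a prefix of {@code https://host.other.example/} and of
     * {@code https://host@other.example/}, neither of which is the same origin.
     * The port is intentionally not compared, matching the previous behaviour.
     *
     * @param referrer raw header value, possibly {@code null} or empty
     * @param scheme   scheme of the current request, e.g. {@code https}
     * @param host     server name of the current request
     * @return {@code true} if the request should proceed
     */
    static boolean isTrustedReferrer(String referrer, String scheme, String host) {
        if (referrer == null || referrer.isEmpty()) {
            // Deliberately permissive: many legitimate navigations carry no Referer.
            return true;
        }
        java.net.URI uri;
        try {
            // Fully qualified: the file's import block is outside this view.
            uri = new java.net.URI(referrer);
        } catch (java.net.URISyntaxException e) {
            // An unparseable Referer cannot be proven same-origin, so it is rejected.
            logger.debug("unparseable referrer rejected: {}", referrer);
            return false;
        }
        return uri.getScheme() != null
                && uri.getHost() != null
                && uri.getScheme().equalsIgnoreCase(scheme)
                && uri.getHost().equalsIgnoreCase(host);
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
                           ModelAndView modelAndView) throws Exception {
        // No post-processing required.
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
                                Exception ex) throws Exception {
        // Nothing to clean up.
    }
}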