一、介绍
在实际开发中,经常会使用Referer头字段,例如,一些站点为了吸引人气并且提高站点访问量,提供了各种软件的下载页面,但是它们本身没有这些资源,只是将下载的超链接指向其它站点上的资源。而真正提供了下载资源的站点为了防止这种“盗链”,就需要检查请求来源,只接收本站链接发送的下载请求,阻止其它站点链接的下载请求。
二、创建DownManagerServlet
该类负责下载内容,要求下载请求(http://localhost:8088/javaweb-demo/DownManagerServlet)来自于本网站,否则请求转发给提供下载链接的download.html
public class DownManagerServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=utf-8");
PrintWriter out = response.getWriter();
// 获取referer头的值
String referer = request.getHeader("referer");
// 获取访问地址
String sitePart = "http://" + request.getServerName();
// 判断referer头是否为空,这个头的首地址是否以sitePart开始的
if (referer != null && referer.startsWith(sitePart)) {
// 处理正在下载的请求
out.println("dealing download ...");
} else {
// 非法下载请求跳转到download.html页面
//RequestDispatcher rd = request.getRequestDispatcher("/download.html");
//rd.forward(request, response);
//非法请求重定向到download.html页面
response.sendRedirect(request.getContextPath()+"/download.html");
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
三、download.html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<a href="/javaweb-demo/DownManagerServlet">download</a>
</body>
</html>
四、运行
http://localhost:8088/javaweb-demo/download.html
说明下载请求不是来自本网站