加入过滤器,防跨站点请求伪造

--------------------------Config----------------

@Configuration
public class XssConfig{

@Value("${cofigFilter}")
    private String cofigFilter;
@Bean
    public FilterRegistrationBean xssFilterRegistrationBean1() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setFilter(new LoginFilter());
        filterRegistrationBean.setOrder(2);
        filterRegistrationBean.setEnabled(true);
        filterRegistrationBean.addUrlPatterns("/login");
        Map<String, String> initParameters = Maps.newHashMap();
        initParameters.put("cofigFilter", cofigFilter);
        filterRegistrationBean.setInitParameters(initParameters);
        return filterRegistrationBean;
    }

---------------------------LoginFilter------------

 

import java.io.IOException;


import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.PropertiesConfiguration;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;


import com.yunda.base.common.utils.BDException;


/**
 * 防跨站点请求伪造
 */
public class LoginFilter implements Filter {


/**
* logger
*/
private static Logger LOGGER = LoggerFactory.getLogger(LoginFilter.class);
/**
* 域名信息
*/
private String cofigFilter;


@Override
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
String referer = request.getHeader("Referer");
String rquestUri = request.getRequestURI();
//登录刷新session
if ("/bootdo/login".equals(rquestUri) && request.getCookies() != null) {
request.getSession().invalidate();// 清空session
for (Cookie cookie : request.getCookies()) {
cookie.setMaxAge(0);// 让cookie过期
Cookie oItem;
oItem = new Cookie(cookie.getName(), cookie.getValue());
if (null != cookie.getDomain()) {// 请用自己的域
oItem.setDomain(cookie.getDomain());
} else {
oItem.setDomain(request.getServerName());
}
oItem.setMaxAge(0); // 失效cookie
if (null != cookie.getPath()) {
oItem.setPath(cookie.getPath());
} else {
oItem.setPath("/");
}
((HttpServletResponse) response).addCookie(oItem);
}
}
if (rquestUri.contains(".css") || rquestUri.contains(".js")
|| rquestUri.contains(".png") || rquestUri.contains(".html")
|| rquestUri.contains(".jpg")) {
// 如果发现是css或者js文件,直接放行

chain.doFilter(request, response);
return;
}
if (referer == null) {

chain.doFilter(request, response);
return;
}
if (referer != null && referer.startsWith(cofigFilter)) {

chain.doFilter(request, response);
} else {

request.getRequestDispatcher("/403").forward(request, response);
}
}


public String description() {
// TODO Auto-generated method stub
return null;
}


@Override
public void destroy() {
// TODO Auto-generated method stub


}


@Override
public void init(FilterConfig filterConfig) throws ServletException {
if(LOGGER.isDebugEnabled()){
LOGGER.debug("LOGIN filter init~~~~~~~~~~~~");
}
String cofigFilter1 = filterConfig.getInitParameter("cofigFilter");
if(StringUtils.isNotBlank(cofigFilter1)){
cofigFilter = cofigFilter1;
}


}
}

 

然后再你的配置文件中定义好cofigFilter站点信息

阅读更多
个人分类: 基础知识
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

关闭
关闭
关闭