当没有加入跨站请求防护时,无论 Referer 填什么,页面都会响应 200。
![在这里插入图片描述](https://img-blog.csdnimg.cn/20210323224227193.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzI1MDY0Njkx,size_16,color_FFFFFF,t_70)
加入跨站请求防护后,非 GET 请求若带有不正确(或缺失)的 Referer,响应会是 400。注意:Referer/Origin 校验只是纵深防御手段——浏览器或隐私插件可能根本不发送 Referer——因此它不能替代 CSRF Token 等同步令牌方案。
![在这里插入图片描述](https://img-blog.csdnimg.cn/20210323224333989.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzI1MDY0Njkx,size_16,color_FFFFFF,t_70)
代码如下:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
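@Configuration
public class WebConfig implements WebMvcConfigurer {

    /**
     * Publishes the Referer interceptor as a Spring bean.
     *
     * <p>The original annotated this method with {@code @Autowired}. On a method that
     * annotation only marks an injection point: Spring calls it once after construction
     * and discards the return value, so the interceptor was never a managed bean and
     * container features such as {@code @Value} injection could not reach it.
     * {@code @Bean} is the factory-method annotation that actually registers it.
     */
    @Bean
    public RefererInterceptor refererInterceptor() {
        return new RefererInterceptor();
    }

    /**
     * Applies the Referer/Origin check to every handler mapping. Inside a
     * {@code @Configuration} class the call below returns the singleton bean,
     * not a fresh instance.
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(refererInterceptor());
    }
}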
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.List;
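/**
 * Rejects state-changing requests whose source host is not on an allowlist.
 *
 * <p>This is the "verify origin with standard headers" CSRF defense: for every
 * non-safe HTTP method the {@code Origin} header (preferred, because browsers attach it
 * to cross-origin POSTs and referrer policies cannot strip it) or, failing that, the
 * {@code Referer} header is parsed and its host compared against {@link #refererDomain}.
 * A request with neither header, an unparsable header, or a host not on the list gets
 * {@code 400} and the handler is never invoked.
 *
 * <p>Limitations: this is defense in depth, not a replacement for a synchronizer token.
 * Legitimate clients behind privacy tooling may omit both headers and be refused, and
 * the allowlist is an exact host match (no sub-domain or port handling).
 *
 * <p>{@code HandlerInterceptorAdapter} is deprecated since Spring 5.3; implementing
 * {@code HandlerInterceptor} directly is the drop-in replacement when the project upgrades.
 */
public class RefererInterceptor extends HandlerInterceptorAdapter {

    private static final Logger log = LoggerFactory.getLogger(RefererInterceptor.class);

    /** RFC 7231 "safe" methods must not change state, so they are never source-checked. */
    private static final List<String> SAFE_METHODS = Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE");

    /** Hosts a state-changing request may originate from (exact, case-insensitive match). */
    private String[] refererDomain = new String[]{"127.0.0.1"};

    /** Master switch; when {@code false} every request passes through untouched. */
    private boolean check = true;

    /**
     * Allows the request through when it is safe or its source host is allowlisted.
     *
     * @param req     incoming request; {@code Origin}/{@code Referer} headers are read from it
     * @param resp    response; status {@code 400} is set on rejection, no body is written
     * @param handler ignored
     * @return {@code true} to continue the chain, {@code false} after a rejection
     */
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception {
        if (!check || SAFE_METHODS.contains(req.getMethod())) {
            return true;
        }

        // Prefer Origin; fall back to Referer for clients that do not send it.
        String source = req.getHeader("Origin");
        if (source == null) {
            source = req.getHeader("Referer");
        }
        if (source == null) {
            // No source information at all: same-origin cannot be proven, so refuse.
            log.warn("Rejecting {} {}: neither Origin nor Referer header present",
                    req.getMethod(), req.getRequestURI());
            return reject(resp);
        }

        String sourceHost;
        try {
            sourceHost = new java.net.URL(source).getHost();
        } catch (MalformedURLException e) {
            // Also covers the literal "null" Origin browsers send from opaque/sandboxed contexts.
            log.warn("Rejecting {} {}: unparsable source header '{}'",
                    req.getMethod(), req.getRequestURI(), source);
            return reject(resp);
        }

        if (isAllowedHost(sourceHost)) {
            return true;
        }
        log.warn("Rejecting {} {}: source host '{}' not allowlisted (server name '{}')",
                req.getMethod(), req.getRequestURI(), sourceHost, req.getServerName());
        return reject(resp);
    }

    /** Exact, case-insensitive membership test; empty or missing hosts are never allowed. */
    private boolean isAllowedHost(String host) {
        if (refererDomain == null || host == null || host.isEmpty()) {
            return false;
        }
        for (String allowed : refererDomain) {
            if (allowed.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    /** Sets the 400 status and returns {@code false} so the handler chain stops. */
    private static boolean reject(HttpServletResponse resp) {
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return false;
    }
}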