参考: https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/
0 过滤器拦截每个页面请求，生成 CSRF token 写入 session，并以 csrftoken cookie 下发给浏览器
1 哪些页面需要额外校验 token（涉及数据更新、保存的请求），在 web.xml 中通过 interceptList 参数配置
2 在过滤器中读取 ajax 请求提交的 csrftoken 请求头，与 session 中保存的 token 比对，不一致则返回 400。注意：这里只校验请求头，不带该头的普通表单提交不在保护范围内，需另行处理。
web.xml 设置需要拦截验证的页面
<!-- xxxxxxFilter start -->
<!-- CSRF filter (implemented by XxxxxFilter below).
     interceptList: comma-separated URI fragments. A request whose URI contains
     one of them must carry a csrftoken request header equal to the token held
     in the session, otherwise it is rejected with 400. Every other request only
     receives the token cookie.
     Note: this is a deny-list and entries are matched as substrings of the
     request URI, so a new state-changing page is unprotected until it is
     added here. -->
<filter>
<filter-name>xxxxxxFilter</filter-name>
<filter-class>xx.xxxxxx.xxxx.filters.xxxxFilter</filter-class>
<init-param>
<param-name>interceptList</param-name>
<param-value>/xxxxxxSave.htm,/xxxxxxxxSave.htm,/xxxxxSave.htm,/xxxxx.htm</param-value>
</init-param>
</filter>
<!-- xxxxxxFilter end -->
<!-- xxxxxxFilter URL start -->
<!-- Only requests whose URL ends in .htm pass through the filter at all; a
     save endpoint served under any other suffix is neither given a token nor
     checked by it. -->
<filter-mapping>
<filter-name>xxxxxxFilter</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
<!-- xxxxxxFilter URL end -->
package xx.xxxx.xxxx.filters;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.UUID;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.stereotype.Component;
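/**
 * CSRF filter using the "cookie-to-header" pattern.
 *
 * <p>Every request that reaches this filter gets a CSRF token stored in the
 * HTTP session and mirrored into a readable cookie named {@value #CSRF_TOKEN}.
 * Front-end code is expected to copy the cookie value into a request header of
 * the same name on AJAX calls. For URIs that match {@code interceptList} (see
 * {@link #init(FilterConfig)}) the header must equal the session token,
 * otherwise the request is rejected with HTTP 400.
 *
 * <p>Limitations visible in this implementation (not changed here):
 * only the request header is checked, so plain HTML form posts, which cannot
 * set headers, are not covered; protection is a deny-list of URI substrings,
 * so a new state-changing endpoint is unprotected until it is listed.
 *
 * <p>{@code extends HttpServlet} is kept: the class only defines
 * {@link #init(FilterConfig)} and {@link #doFilter}, and {@code destroy()}
 * appears to be satisfied by the inherited servlet method.
 * NOTE(review): a plain {@code implements Filter} with an explicit
 * {@code destroy()} would be clearer.
 */
@Component
public class XxxxxFilter extends HttpServlet implements Filter {
    private static final long serialVersionUID = 5497744146730186671L;
    private static final Logger log = LogManager.getLogger(XxxxxFilter.class);
    /** Name shared by the session attribute, the cookie and the request header. */
    private static final String CSRF_TOKEN = "csrftoken";
    /** URI fragments whose requests must carry a valid token; populated by {@link #init}. */
    List<String> interceptList = new ArrayList<String>();

    /**
     * Issues the CSRF token cookie and, for intercepted URIs, validates the
     * {@value #CSRF_TOKEN} request header against the session token.
     *
     * @param servletRequest  incoming request (cast to {@link HttpServletRequest})
     * @param servletResponse outgoing response (cast to {@link HttpServletResponse})
     * @param chain           the rest of the filter chain; skipped on a failed check
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpSession session = request.getSession();
        String uri = request.getRequestURI();

        String sessionToken = (String) session.getAttribute(CSRF_TOKEN);

        if (isIntercept(uri)) {
            String headerToken = request.getHeader(CSRF_TOKEN);
            if (!tokensMatch(sessionToken, headerToken)) {
                // Log the URI only; never the token values.
                log.warn("CSRF token check failed, rejecting {} with 400", uri);
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }

        // Issue the token once per session and reuse it. Rotating it on every
        // request (as the earlier version did) made overlapping requests from
        // the same session race: a parallel AJAX call or a second tab carried
        // a header that no longer matched the freshly replaced session value.
        if (sessionToken == null) {
            sessionToken = UUID.randomUUID().toString(); // randomUUID() is SecureRandom-backed
            session.setAttribute(CSRF_TOKEN, sessionToken);
        }

        Cookie cookie = new Cookie(CSRF_TOKEN, sessionToken);
        cookie.setMaxAge(-1);                 // session cookie: gone when the browser closes
        cookie.setSecure(request.isSecure()); // do not let a TLS-issued token travel over plain HTTP
        // Deliberately NOT HttpOnly: the front end must read this cookie to build
        // the header. The check compares the header with the session attribute,
        // so the cookie is a mirror of the token, not the authority for it.
        // NOTE(review): no path is set, so the cookie scope defaults to the
        // request's directory; add cookie.setPath(...) if pages live in several
        // directories.
        response.addCookie(cookie);
        chain.doFilter(request, response);
    }

    /**
     * Constant-time comparison of the expected and presented tokens.
     *
     * @return false when either side is null or the values differ
     */
    private static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads the comma-separated {@code interceptList} init parameter.
     * Entries are trimmed and blank entries dropped: with
     * {@code StringUtils.contains} a blank entry matches every URI.
     *
     * @param config filter configuration from web.xml
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("interceptList");
        List<String> parsed = new ArrayList<String>();
        if (raw != null) {
            for (String entry : raw.split(",")) {
                String trimmed = entry.trim();
                if (!trimmed.isEmpty()) {
                    parsed.add(trimmed);
                }
            }
        }
        interceptList = Collections.unmodifiableList(parsed);
    }

    /** True when the request URI must carry a valid CSRF header. */
    private boolean isIntercept(String uri) {
        return isContained(uri, interceptList);
    }

    /**
     * Substring match: an entry such as {@code /xSave.htm} also matches
     * {@code /dir/xSave.htm} and {@code /xSave.htm;jsessionid=...}.
     *
     * @return true if any entry of {@code listTmp} occurs inside {@code uri}
     */
    private boolean isContained(String uri, List<String> listTmp) {
        if (uri == null) {
            return false;
        }
        for (String entry : listTmp) {
            if (StringUtils.contains(uri, entry)) {
                return true;
            }
        }
        return false;
    }
}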
《写的不好 如果有好的方法请指点一二 谢谢 !!!》