在这里不对HOST头攻击多做阐述,需要了解什么是HOST攻击请先自行百度。
本文做白名单方式对比host地址是否被篡改。
从而过滤拦截请求host地址是否存在白名单中,存在就正常访问,否则返回403。
1.serverWhiteList.json配置ip文件
[
"localhost:8443"
]
2.引入gson-2.8.5.jar包
3.读取白名单文件
/**
* HOST头白名单
* @version 1.0
*/
public class ServerWhiteListUtil {
private static List<String> whiteList = null;
static {
try {
// 读取白名单列表
whiteList = new Gson().fromJson(
new InputStreamReader(
ServerWhiteListUtil.class.getResourceAsStream("json/serverWhiteList.json")
),new TypeToken<List<String>>() {
}.getType());
} catch (Exception e) {
e.printStackTrace();
}
}
/** 判断当前host是否在白名单内
* @param host
* @return boolean 是否在白名单内
*/
public static boolean isWhite(String host) {
if (whiteList == null || whiteList.size() == 0) {
return true;
}
for (String str : whiteList) {
if (str != null && str.equals(host)) {
return true;
}
}
return false;
}
}
4.JAVA filter过滤器
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// 头攻击检测
String requestHost = request.getHeader("host");
if (requestHost != null && !ServerWhiteListUtil.isWhite(requestHost)) {
response.setStatus(403);
response.sendError(403, "访问HOST地址不在白名单中,无法访问!");
return;
}else {
chain.doFilter(req, res);
}
}
5.配置web.xml
<filter>
<filter-name>HostCleanFilter</filter-name>
<filter-class>com.richwit.util.HostCleanFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>HostCleanFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>