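package com.github.elizabetht.controller;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/**
 * Spring MVC interceptor that validates a CSRF token before a handler runs.
 *
 * <p>The token must be present, non-empty, and identical in three places: the request
 * parameter {@value #CSRFNUMBER}, the cookie of the same name, and the session attribute
 * of the same name. Any absence or mismatch forwards the request to {@code /error/400}
 * and stops handler execution. How the token is issued is outside this class.
 */
public class CsrfIntercepter implements HandlerInterceptor {

    /** Name of the request parameter, cookie and session attribute that carry the token. */
    public static final String CSRFNUMBER = "csrftoken";

    /**
     * Validates the CSRF token on the incoming request.
     *
     * @param request  current request
     * @param response current response; receives the forward to {@code /error/400} on failure
     * @param handler  the chosen handler (unused)
     * @return {@code true} if the token is valid and the handler may run, {@code false} after
     *         the request has been forwarded to the error page
     * @throws Exception if forwarding to the error page fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String keyFromRequestParam = request.getParameter(CSRFNUMBER);
        String keyFromCookies = findCookieValue(request.getCookies(), CSRFNUMBER);

        // getSession(false): a token check must not create a session as a side effect.
        // A request without a session cannot carry a session-bound token, so it fails.
        HttpSession session = request.getSession(false);
        Object keyFromSession = session == null ? null : session.getAttribute(CSRFNUMBER);

        boolean valid = keyFromRequestParam != null
                && !keyFromRequestParam.isEmpty()
                && tokensEqual(keyFromRequestParam, keyFromCookies)
                // A non-String attribute is treated as "no token" rather than thrown as a ClassCastException.
                && keyFromSession instanceof String
                && tokensEqual(keyFromRequestParam, (String) keyFromSession);

        if (!valid) {
            request.getRequestDispatcher("/error/400").forward(request, response);
        }
        return valid;
    }

    /**
     * Returns the value of the cookie named {@code name}, or {@code null} when the array is
     * {@code null} or holds no such cookie. If several cookies share the name, the last one
     * in the array wins (unchanged from the previous behaviour).
     */
    private static String findCookieValue(Cookie[] cookies, String name) {
        if (cookies == null) {
            return null;
        }
        String value = null;
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                value = cookie.getValue();
            }
        }
        return value;
    }

    /**
     * Compares two tokens without leaking the position of the first differing byte through
     * timing. {@code null} on either side is a mismatch. Length differences are still
     * observable, which is acceptable for tokens of fixed length.
     */
    private static boolean tokensEqual(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /** No-op: nothing to do once the handler and view have completed. */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
            Object handler, Exception ex) throws Exception {
    }

    /** No-op: the model and view are not modified by this interceptor. */
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler, ModelAndView modelAndView) throws Exception {
    }
}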
java网页程序采用 spring 防止 csrf 攻击.