解决方案:
增加一个过滤器,当请求头Referer中包含扫描里的http://bogus.referer.hcl.com时,禁止访问
/*******************************************************************************
* @(#)CSRFilter.java 2020/4/7
*
* Copyright 2020 emrubik Group Ltd. All rights reserved.
* EMRubik PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*******************************************************************************/
package com.emrubik.emp.uc.portal.common.communicate;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
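/**
 * Servlet filter that rejects requests whose {@code Referer} header matches one of a
 * configured list of denied values (init-param {@code referer}, comma separated, compared
 * case-insensitively after trimming).
 *
 * <p>Requests without a {@code Referer} header, or whose header matches none of the
 * configured values, are passed down the chain unchanged. A matching request is logged and
 * answered with HTTP 403 instead of being forwarded.
 *
 * <p>NOTE(review): a Referer deny-list only addresses the specific scanner finding it was
 * written for. The header is supplied by the client and is frequently absent or stripped, so
 * this filter is not a substitute for a synchronizer token or an origin allow-list as the
 * primary CSRF defence.
 *
 * @author hongcq
 * @version 1.0 $ 2020/4/7 13:03
 */
public class CsrFilter implements Filter {

    /** Name of the init-param holding the comma-separated list of denied Referer values. */
    private static final String REFERER_PARAM = "referer";

    private static final Logger log = LoggerFactory.getLogger(CsrFilter.class);

    /** Denied Referer values, trimmed and with blanks removed; populated by {@link #init}. */
    private String[] verifyReferer = new String[0];

    /**
     * Reads the {@code referer} init-param and splits it into the deny list.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException if the {@code referer} init-param is missing, so that a
     *     misconfigured deployment fails at startup rather than throwing an NPE here
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig.getInitParameter(REFERER_PARAM);
        if (configured == null) {
            throw new ServletException(
                    "CsrFilter requires the '" + REFERER_PARAM + "' init-param");
        }
        this.verifyReferer = parseRefererList(configured);
    }

    /**
     * Splits a comma-separated list into trimmed, non-blank entries.
     *
     * @param configured raw init-param value; {@code null} yields an empty array
     * @return the individual entries, never {@code null}
     */
    static String[] parseRefererList(String configured) {
        if (configured == null) {
            return new String[0];
        }
        List<String> entries = new ArrayList<>();
        for (String part : configured.split(",")) {
            String entry = part.trim();
            if (!entry.isEmpty()) {
                entries.add(entry);
            }
        }
        return entries.toArray(new String[0]);
    }

    /**
     * Forwards the request unless its {@code Referer} header is on the deny list.
     *
     * <p>The original loop passed the request on the first deny-list entry that did NOT match,
     * so with more than one configured value a denied Referer still got through; the match is
     * now evaluated against the whole list before deciding. A denied request is logged (with
     * CR/LF stripped from the header value so a crafted header cannot forge log lines) and
     * answered with 403 Forbidden rather than an empty response; the chain is not invoked.
     *
     * @param request the incoming request; non-HTTP requests carry no Referer and always pass
     * @param response the response, used to send 403 for denied requests
     * @param chain the remaining filter chain
     * @throws IOException propagated from the chain or from sending the error
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String referer = null;
        if (request instanceof HttpServletRequest) {
            referer = ((HttpServletRequest) request).getHeader("Referer");
        }
        if (!isDenied(referer)) {
            chain.doFilter(request, response);
            return;
        }
        log.info("疑似遭到CSRF攻击,referer:" + sanitizeForLog(referer));
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Checks whether a Referer value matches any configured deny-list entry.
     *
     * @param referer raw header value, may be {@code null}
     * @return {@code true} only when the trimmed value equals an entry, ignoring case
     */
    boolean isDenied(String referer) {
        if (referer == null) {
            return false;
        }
        String candidate = referer.trim();
        for (String denied : verifyReferer) {
            if (candidate.equalsIgnoreCase(denied)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Removes line breaks from a header value before it is written to the log.
     *
     * @param value header value, may be {@code null}
     * @return the value with CR and LF replaced by spaces, or {@code "null"} for {@code null}
     */
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        return value.replace('\r', ' ').replace('\n', ' ');
    }

    /** Nothing to release: the filter holds only the parsed deny list. */
    @Override
    public void destroy() {
    }
}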
CsrFilter
com.emrubik.emp.uc.portal.common.communicate.CsrFilter
referer
http://bogus.referer.hcl.com
CsrFilter
/*
项目web.xml中增加如上配置
来源:oschina
链接:https://my.oschina.net/u/4170983/blog/3225278