背景:项目进行了安全漏洞扫描,扫描中风险提示需要验证“Referer”头的值。
application-referer.yml配置可访问referer地址
application-referer:
refererDomain:
- http://42.228.55.222
- https://42.228.55.222
- http://59.207.61.21
加载application-referer.yml文件获取referer list
package com.kun.boot.adapter.properties;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
@Data
@ConfigurationProperties(prefix = "application-referer")
public class RefererProperties {
// 白名单域名
List<String> refererDomain = new ArrayList<>();
}
referer拦截器:
package com.kun.boot.adapter;
import com.kun.boot.adapter.properties.RefererProperties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.MalformedURLException;
public class RefererInterceptor extends HandlerInterceptorAdapter {
@Autowired
private RefererProperties properties;
@Override
public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) {
String referer = req.getHeader("referer");
String host = req.getServerName();
// 只验证POST请求
if ("POST".equals(req.getMethod())) {
if (referer == null) {
// 状态置为404
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
java.net.URL url = null;
try {
url = new java.net.URL(referer);
} catch (MalformedURLException e) {
// URL解析异常,也置为404
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
// 首先判断请求域名和referer域名是否相同
if (!host.equals(url.getHost())) {
// 如果不等,判断是否在白名单中
if (properties.getRefererDomain() != null) {
for (String s : properties.getRefererDomain()) {
if (s.equals(url.getHost())) {
return true;
}
}
}
return false;
}
}
return true;
}
}
注册拦截器使其生效:
package com.kun.boot.adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@EnableWebMvc
@Configuration
public class WebConfig implements WebMvcConfigurer {
@Bean
public RefererInterceptor refererInterceptor() {
return new RefererInterceptor();
}
/**
* 注册拦截器
*/
@Override
public void addInterceptors(InterceptorRegistry registry) {
//referer拦截
registry.addInterceptor(refererInterceptor()).addPathPatterns("/**");
}
}
由于本项目需要在多个网段访问,故上文在application-referer.yml中需要配置多个地址,需要注意的是yml文件书写数组的格式,另外需要在application.properties中配置加载application-referer.yml,否则会出现上文获取的refererDomain 值为空。