问题
测试修改了Referer信息后,再次发送请求,仍可返回结果。
解决
1、在application.yml配置文件中添加需要过滤的白名单。
referer:
refererDomain:
- localhost
- 127.0.0.1
- 192.168.XX.XX
2、新增配置模板
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
@Data
@ConfigurationProperties(prefix = "referer")
public class RefererProperties {
// 白名单域名
List<String> refererDomain = new ArrayList<>();
}
3、定义referer拦截器
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.MalformedURLException;
public class RefererInterceptor extends HandlerInterceptorAdapter {
@Autowired
private RefererProperties properties;
@Override
public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) {
String referer = req.getHeader("referer");
String host = req.getServerName("x-forwarded-for");
// 验证POST和GET请求
if ("POST".equals(req.getMethod()) || "GET".equals(req.getMethod())) {
if (referer == null) {
// 状态置为404
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
java.net.URL url = null;
try {
url = new java.net.URL(referer);
} catch (MalformedURLException e) {
// URL解析异常,也置为404
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
// 首先判断请求域名和referer域名是否相同
if (!host.equals(url.getHost())) {
// 如果不等,判断是否在白名单中
if (properties.getRefererDomain() != null) {
for (String s : properties.getRefererDomain()) {
if (s.equals(url.getHost())) {
return true;
}
}
}
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
}
return true;
}
}
4、注册拦截器使其生效
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class WebConfig implements WebMvcConfigurer {
@Bean
public RefererInterceptor refererInterceptor() {
return new RefererInterceptor();
}
/**
* 注册拦截器
*/
@Override
public void addInterceptors(InterceptorRegistry registry) {
//referer拦截
registry.addInterceptor(refererInterceptor()).addPathPatterns("/**");
}
}
测试
如果请求时修改了referer,并且不存在在白名单中,请求被拒。