实践出真知,本教程简单粗暴
1.直接贴代码
package ***.***.referer;
import java.util.List;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import lombok.Data;
@Data
@Component
@ConfigurationProperties(prefix = "referer")
public class RefererProperties {
// 白名单域名
private List<String> refererDomain;
}
package ***.***.referer;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;
@Configuration
public class InterceptorConfig extends WebMvcConfigurationSupport {
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new RefererFilter());
}
}
package ***.***.referer;
import java.net.MalformedURLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import lombok.extern.slf4j.Slf4j;
@Slf4j
public class RefererFilter extends HandlerInterceptorAdapter {
@Autowired
private RefererProperties properties;
@Override
public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception {
String referer = req.getHeader("referer");
String host = req.getServerName();
// 只验证POST请求
if ("POST".equals(req.getMethod()) || "GET".equals(req.getMethod())) {
if (referer == null) {
// 状态置为404
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
java.net.URL url = null;
try {
url = new java.net.URL(referer);
} catch (MalformedURLException e) {
log.error("非正常访问" + e.getMessage());
// URL解析异常,也置为404
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
// 首先判断请求域名和referer域名是否相同
if (!host.equals(url.getHost())) {
// 如果不等,判断是否在白名单中
if (properties.getRefererDomain() != null) {
for (String s : properties.getRefererDomain()) {
if (s.equals(url.getHost())) {
return true;
}
}
}
log.error("非正常域名访问");
// URL解析异常,也置为404
resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
return false;
}
}
return true;
}
}
application.yml配置白名单
#===================================================================
# referer白名单配置
#===================================================================
referer:
refererDomain:
- baidu.com
- google.com
2.利用postman测试防盗链功能
当传的Refere不在白名单或不是源地址,服务器便会返回404,教程结束,不明白的可以私信。