跨站请求伪造解决办法之——过滤referer

当然,referer也是可以伪造的,Http请求本身就没有不能伪造的东西。

所以本方法只能在一定程度上防止非法请求,仅供参考。

项目的web.xml中增加过滤器:

    <filter>
<filter-name>RefererFilter</filter-name>
<filter-class>com.sdyy.common.filters.RefererFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>RefererFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>

项目中增加RefererFilter类:

package com.sdyy.common.filters;

import java.io.IOException;  

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; public class RefererFilter extends HttpServlet implements Filter { private static final long serialVersionUID = 1L;
private FilterConfig filterConfig; public void init(FilterConfig config) {
this.filterConfig = config;
} public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws ServletException, IOException { HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// 链接来源地址
String referer = request.getHeader("referer");
if (referer == null || !referer.contains(request.getServerName())) {
/**
* 如果 链接地址来自其他网站,则返回错误页面
*/
request.getRequestDispatcher("/WEB-INF/error.jsp").forward(request, response);
} else {
chain.doFilter(request, response);
}
} public void destroy() {
this.filterConfig = null;
} }
上一篇:使用Intent启动组件


下一篇:PyQt5 + QtDesigner