Preventing CSRF: a filter that intercepts and validates requests
Source: Internet   Editor: 程序博客网   Time: 2024/05/04 08:15
Reference: https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/
0 Intercept every page and set a session token cookie for it
1 Configure in web.xml which pages need the extra interception and validation (the ones that update or save data)
2 In the filter, read the header sent with the AJAX submission and compare it against the token in the session
web.xml: configure the pages that need interception and validation
<!-- xxxxxxFilter start -->
<filter>
    <filter-name>xxxxxxFilter</filter-name>
    <filter-class>xx.xxxxxx.xxxx.filters.xxxxFilter</filter-class>
    <init-param>
        <param-name>interceptList</param-name>
        <param-value>/xxxxxxSave.htm,/xxxxxxxxSave.htm,/xxxxxSave.htm,/xxxxx.htm</param-value>
    </init-param>
</filter>
<!-- xxxxxxFilter end -->
<!-- xxxxxxFilter URL start -->
<filter-mapping>
    <filter-name>xxxxxxFilter</filter-name>
    <url-pattern>*.htm</url-pattern>
</filter-mapping>
<!-- xxxxxxFilter URL end -->
package xx.xxxx.xxxx.filters;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.stereotype.Component;

/**
 * CSRF Filter: double-submit token. The token lives in the HTTP session and is
 * also sent to the browser as a cookie; same-origin script reads the cookie and
 * echoes it back in a request header of the same name, which the filter compares
 * with the session copy on the URIs listed in interceptList.
 */
@Component
public class XxxxxFilter extends HttpServlet implements Filter {
    private static final long serialVersionUID = 5497744146730186671L;
    // The original logged under a different class name (RequestFilter); use this class.
    private static final Logger log = LogManager.getLogger(XxxxxFilter.class);
    // Name used for the session attribute, the cookie and the request header.
    private static final String CSRF_TOKEN = "csrftoken";
    List<String> interceptList = new ArrayList<String>();

    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;
        HttpSession session = request.getSession();
        String uri = request.getRequestURI();
        // Get the CSRF token currently stored in the session
        String sToken = (String) session.getAttribute(CSRF_TOKEN);
        if (isIntercept(uri)) {
            // Get the header sent with the AJAX submission
            String xhrToken = request.getHeader(CSRF_TOKEN);
            if (sToken == null || xhrToken == null || !sToken.equals(xhrToken)) {
                response.sendError(400);
                log.info("Error Code 400 ");
                return;
            }
        }
        // Create a new token and store it in the session and in the cookie.
        // Note: because the token is rotated on every request, two requests in
        // flight at the same time can race and the later one will be rejected.
        sToken = UUID.randomUUID().toString();
        session.setAttribute(CSRF_TOKEN, sToken);
        Cookie cookie = new Cookie(CSRF_TOKEN, sToken);
        cookie.setMaxAge(-1); // session cookie: discarded when the browser closes
        // The cookie must stay readable by page script (no HttpOnly), otherwise
        // the AJAX code cannot copy it into the header.
        response.addCookie(cookie);
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) throws ServletException {
        String strInterceptList = config.getInitParameter("interceptList");
        if (strInterceptList != null && strInterceptList.length() > 0) {
            interceptList = Arrays.asList(strInterceptList.split(","));
        } else {
            interceptList = new ArrayList<String>();
        }
    }

    private boolean isIntercept(String uri) {
        return isContained(uri, interceptList);
    }

    // Substring match: an entry such as "/xxxxx.htm" also matches any longer
    // URI that contains it, so the list errs on the side of intercepting.
    private boolean isContained(String uri, List<String> listTmp) {
        for (String tmp : listTmp) {
            if (StringUtils.contains(uri, tmp)) {
                return true;
            }
        }
        return false;
    }
}
"Not well written. If there is a better approach, please point it out. Thank you!!!"
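The post shows only the server half of the scheme; the AJAX code that turns the cookie into the header is left implicit. The following is an added example, not code from the original post: it models both halves of the exchange in JavaScript so the whole round trip can be exercised offline. The browser side parses a document.cookie-style string and attaches the `csrftoken` header; the server side is a pure-function model of `doFilter` with the same decision rule (substring match on the intercept list, session token versus header token, then rotation). The cookie/header name and the substring match come from the post's filter; every function name here, the constant-time compare (the post uses `String.equals`), and the sample tokens are this example's own assumptions.

```javascript
// Added example, not code from the original post. Function names, the
// constant-time compare and the sample data are assumptions of this example.

const CSRF_TOKEN = "csrftoken"; // cookie name == header name, as in the filter

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Browser side: the header the filter expects. A cross-site page cannot read
// this cookie, so it cannot construct the header; that is the whole defence.
function csrfHeaders(cookieString) {
  const token = parseCookies(cookieString)[CSRF_TOKEN];
  return token ? { [CSRF_TOKEN]: token } : {};
}

// Browser side: fetch wrapper that attaches the header to every request.
// In a real page, cookieString is document.cookie and fetchImpl is window.fetch.
function csrfFetch(fetchImpl, cookieString, url, options = {}) {
  const headers = { ...(options.headers || {}), ...csrfHeaders(cookieString) };
  return fetchImpl(url, { ...options, headers, credentials: "same-origin" });
}

// Compare without leaking where the first mismatch is (replaces String.equals).
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the decision XxxxxFilter.doFilter makes, as a pure function.
// session: { csrftoken }, request: { uri, headers }, nextToken(): fresh token
// (the post uses UUID.randomUUID()). Returns the status and the cookie to set.
function csrfFilter(session, request, interceptList, nextToken) {
  const intercepted = interceptList.some((p) => request.uri.includes(p));
  if (intercepted) {
    const sToken = session[CSRF_TOKEN];
    const xhrToken = request.headers[CSRF_TOKEN];
    if (!sToken || !xhrToken || !constantTimeEqual(sToken, xhrToken)) {
      return { status: 400, setCookie: null };
    }
  }
  // Rotate exactly as the post does: new token into the session and the cookie.
  const fresh = nextToken();
  session[CSRF_TOKEN] = fresh;
  return { status: 200, setCookie: `${CSRF_TOKEN}=${fresh}` };
}

// Full round trip on constructed data: a page load seeds the cookie, a
// same-origin AJAX save echoes it in the header and passes, a forged request
// (cookie sent automatically, header impossible) fails, and a replay of the
// old header fails because the token was rotated.
function simulateExchange() {
  const interceptList = ["/xxxxxxSave.htm"];
  let counter = 0;
  const nextToken = () => `token-${++counter}`; // constructed; real code uses a UUID
  const session = {};
  const results = [];

  // 1. First page load: not intercepted, only sets the cookie.
  const first = csrfFilter(session, { uri: "/index.htm", headers: {} }, interceptList, nextToken);
  results.push(first.status);
  const browserCookies = first.setCookie; // what the browser now holds

  // 2. Same-origin AJAX save: script reads the cookie and sends the header.
  const captured = [];
  const fakeFetch = (url, opts) => { captured.push({ url, opts }); return Promise.resolve(); };
  csrfFetch(fakeFetch, browserCookies, "/xxxxxxSave.htm", { method: "POST" });
  const save = csrfFilter(session, { uri: "/xxxxxxSave.htm", headers: captured[0].opts.headers },
    interceptList, nextToken);
  results.push(save.status);

  // 3. Cross-site forgery: no header can be built, so 400.
  const forged = csrfFilter(session, { uri: "/xxxxxxSave.htm", headers: {} }, interceptList, nextToken);
  results.push(forged.status);

  // 4. Replaying the header from step 2 after rotation: session holds token-2, so 400.
  const replay = csrfFilter(session, { uri: "/xxxxxxSave.htm", headers: captured[0].opts.headers },
    interceptList, nextToken);
  results.push(replay.status);

  return results; // [200, 200, 400, 400]
}
```

Step 4 is the cost of rotating on every request: any request still carrying the previous token, including a legitimate one that was merely in flight at the same time as another, is rejected, which is the race the filter's comment warns about. Step 3 is why the cookie must not be HttpOnly: the defence depends on same-origin script being able to read it while cross-site script cannot.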