本文介绍了一种在SpringBoot中实现CSRF防护的方法,通过自定义拦截器检查请求来源,防止跨站请求伪造攻击。文章详细展示了拦截器的代码实现,包括如何判断请求是否来自同一站点,并在检测到跨站请求时采取相应措施。
Springboot实现csrf拦截器,仅供参考:
/**
* csrf拦截器
*
*/
@Component("csrfInterceptor")
public class CsrfInterceptor extends HandlerInterceptorAdapter
{
@Autowired
private Configuration configuration;
private static final String WEBHTTP = "http://test.com/demo";
private static final String SERVERIP_A = "http://192.168.1.3";
private static final String SERVERIP_B = "http://192.168.1.4";
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception
{
/** 解决跨站点请求 **/
if (csrfJudge(request)) {
request.getSession().invalidate();
Cookie[] cookies = request.getCookies();
if (BaseUtil.objectNotNull(cookies) && cookies.length > 0) {
Cookie cookie = cookies[0];
cookie.setMaxAge(0);
}
return false;
}
return true;
}
private boolean csrfJudge(HttpServletRequest request) {
boolean isCsrf = false;
String reqUrl = request.getRequestURL().toString();
TestLogger.COMMONLOGGER.info("请求url:"+reqUrl);
StringBuffer str = new StringBuffer();
str.append("http://");
str.append(request.getServerName());
String url = str.toString();
String referer = request.getHeader("referer");
TestLogger.TEST.info("请求referer:"+referer);
String xreq = request.getHeader("X-Requested-With");
// 判断referer是不是为空
if (!StringUtil.isEmpty(referer)) {
// referer不为空,判断referer和当前请求是否同站点
if (referer.startsWith(WEBHTTP) || referer.startsWith(SERVERIP_A) || referer.startsWith(SERVERIP_B)) {
isCsrf = false;
}else if(!referer.startsWith(url)){
// 不同站点--跨站请求
isCsrf = true;
TESTLogger.TEST.info("CSRF--跨站请求伪造。 ");
TESTLogger.TEST.info("reqUri:" + reqUrl + " referer:" + referer
+ " X-Requested-With:" + xreq);
}
}
}
return isCsrf;
}
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
