对于三方接口,为减少复杂度,可不用鉴权方式,而是通过配置IP白名单来保证接口安全。具体做法是拦截请求,过滤IP,对符合白名单的IP予以放行。
三方接口,不想通过鉴权的方式,减少复杂度,可以通过配置ip白名单的方式保证接口安全。
拦截请求,过滤ip,放行
package org.ezplatform.office.evo.interceptors;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.ezplatform.office.evo.utils.IPUitls;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.util.Assert;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* IP 白名单 拦截器
*
* @author
* @date 2022/6/15 11:22
*/
public class IPInterceptor extends HandlerInterceptorAdapter {
private static final Log log = LogFactory.getLog(IPInterceptor.class);
@Value("${ip.white:}")
private String ipWhite;
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if (StringUtils.isNotBlank(ipWhite)) {
String ip = getIpAddress(request);
log.debug("请求ip:" + ip);
Assert.notNull(ipWhite, "请配置IP白名单");
// 判断请求ip地址 是否在白名单呢
if (IPUitls.checkLoginIP(ip, ipWhite)) {
return super.preHandle(request, response, handler);
}
throw new Exception("IP非法访问!");
}
return true;
}
/**
* 获取ip地址
*
* @param request
* @return
*/
public String getIpAddress(HttpServletRequest request) {
String ip = request.getHeader("x-forwarded-for");
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("WL-Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_CLIENT_IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getRemoteAddr();
}
//对于通过多个代理的情况,第一个IP为客户端真实IP,多个IP按照','分割
//"***.***.***.***".length() = 15
if (ip != null && ip.length() > 15) {
if (ip.indexOf(",") > 0) {
ip = ip.substring(0, ip.indexOf(","));
}
}
return ip;
}
}
package org.ezplatform.office.evo.utils;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/**
* IP 工具类
*
* @author
* @date 2022/6/15 13:32
*/
public class IPUitls {
// IP的正则
private static Pattern pattern = Pattern.compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");
/**
* 根据IP白名单设置获取可用的IP列表
*
* @param allowIp
* @return
*/
private static Set getAvaliIpList(String allowIp) {
Set<String> ipList = new HashSet();
for (String allow : allowIp.replaceAll("\\s", "").split(";")) {
if (allow.indexOf("*") > -1) {
String[] ips = allow.split("\\.");
String[] from = new String[]{"0", "0", "0", "0"};
String[] end = new String[]{"255", "255", "255", "255"};
List<String> tem = new ArrayList();
for (int i = 0; i < ips.length; i++)
if (ips[i].indexOf("*") > -1) {
tem = complete(ips[i]);
from[i] = null;
end[i] = null;
} else {
from[i] = ips[i];
end[i] = ips[i];
}
StringBuffer fromIP = new StringBuffer();
StringBuffer endIP = new StringBuffer();
for (int i = 0; i < 4; i++) {
if (from[i] != null) {
fromIP.append(from[i]).append(".");
endIP.append(end[i]).append(".");
} else {
fromIP.append("[*].");
endIP.append("[*].");
}
}
fromIP.deleteCharAt(fromIP.length() - 1);
endIP.deleteCharAt(endIP.length() - 1);
for (String s : tem) {
String ip = fromIP.toString().replace("[*]",
s.split(";")[0])
+ "-"
+ endIP.toString().replace("[*]", s.split(";")[1]);
if (validate(ip)) {
ipList.add(ip);
}
}
} else {
if (validate(allow)) {
ipList.add(allow);
}
}
}
return ipList;
}
/**
* 对单个IP节点进行范围限定
*
* @param arg
* @return 返回限定后的IP范围,格式为List[10;19, 100;199]
*/
private static List complete(String arg) {
List com = new ArrayList();
if (arg.length() == 1) {
com.add("0;255");
} else if (arg.length() == 2) {
String s1 = complete(arg, 1);
if (s1 != null) {
com.add(s1);
}
String s2 = complete(arg, 2);
if (s2 != null) {
com.add(s2);
}
} else {
String s1 = complete(arg, 1);
if (s1 != null) {
com.add(s1);
}
}
return com;
}
private static String complete(String arg, int length) {
String from = "";
String end = "";
if (length == 1) {
from = arg.replace("*", "0");
end = arg.replace("*", "9");
} else {
from = arg.replace("*", "00");
end = arg.replace("*", "99");
}
if (Integer.valueOf(from) > 255) {
return null;
}
if (Integer.valueOf(end) > 255) {
end = "255";
}
return from + ";" + end;
}
/**
* 在添加至白名单时进行校验
*
* @param ip
* @return
*/
private static boolean validate(String ip) {
for (String s : ip.split("-")) {
if (!pattern.matcher(s).matches()) {
return false;
}
}
return true;
}
/**
* checkLoginIP:(根据IP,及可用Ip列表来判断ip是否包含在白名单之中).
*
* @param ip
* @param ipList
* @return
*/
public static boolean checkLoginIP(String ip, Set<String> ipList) {
if (ipList.contains(ip)) {
return true;
} else {
for (String allow : ipList) {
if (allow.indexOf("-") > -1) {
String[] from = allow.split("-")[0].split("\\.");
String[] end = allow.split("-")[1].split("\\.");
String[] tag = ip.split("\\.");
// 对IP从左到右进行逐段匹配
boolean check = true;
for (int i = 0; i < 4; i++) {
int s = Integer.valueOf(from[i]);
int t = Integer.valueOf(tag[i]);
int e = Integer.valueOf(end[i]);
if (!(s <= t && t <= e)) {
check = false;
break;
}
}
if (check) {
return true;
}
}
}
}
return false;
}
/**
* 根据白名单校验ip
*
* @param ip
* @param ipWhiteConfig
* @return
*/
public static boolean checkLoginIP(String ip, String ipWhiteConfig) {
Set ipList = getAvaliIpList(ipWhiteConfig);
return checkLoginIP(ip, ipList);
}
public static void main(String[] args) {
String ipWhite = "192.168.50.*;192.168.50.1-192.168.50.56";
System.out.println(checkLoginIP("192.168.50.60",getAvaliIpList(ipWhite)));
}
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
