A handy CSRF (cross-site request forgery) protection utility class

Preface: recently on the project, the security testing team found that the backend admin system could easily be logged into via SQL injection, so a CSRF (cross-site request forgery) protection feature was added to prevent malicious logins.
The code is as follows:



package com.faw.***.common.xss;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CSRFFilter implements Filter {
    // Allowed Referer prefixes, parsed once from the "referer" init parameter
    private List<String> allowedReferers = new ArrayList<>();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig.getInitParameter("referer");
        if (configured != null) {
            allowedReferers = Arrays.stream(configured.split(","))
                    .map(String::trim)
                    .filter(s -> !s.isEmpty())
                    .collect(Collectors.toList());
        }
    }

    @Override
    public void destroy() {
        allowedReferers = Collections.emptyList();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("==进入CSRF过滤器===");
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // No allow-list configured: pass everything through (as the original did).
        // Read-only methods do not change state, and a user typing the URL into the
        // address bar sends no Referer at all, so only state-changing requests are checked.
        if (allowedReferers.isEmpty() || isSafeMethod(req.getMethod())) {
            chain.doFilter(request, response);
            return;
        }

        // Referer sent by the browser; a forged request is not guaranteed to carry one,
        // so a missing header is rejected rather than silently let through.
        String referer = req.getHeader("Referer");
        // Note: startsWith is only a prefix match. "http://localhost" also matches
        // "http://localhost.example", so compare the full origin (scheme://host[:port])
        // where the deployment allows it.
        boolean allowed = referer != null && allowedReferers.stream()
                .anyMatch(prefix -> referer.trim().startsWith(prefix));
        if (!allowed) {
            System.out.println("检测到您发送的请求可能为跨站伪造请求1:" + HttpServletResponse.SC_BAD_REQUEST);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        chain.doFilter(request, response);
        System.out.println("==结束CSRF过滤器===");
    }

    // Methods that must not change server state (RFC 7231 safe methods)
    private static boolean isSafeMethod(String method) {
        return "GET".equalsIgnoreCase(method)
                || "HEAD".equalsIgnoreCase(method)
                || "OPTIONS".equalsIgnoreCase(method);
    }
}

With the utility class done, the next step is to register it in the filter configuration class.


package com.faw.***.common.config;

import com.faw.***.common.xss.CSRFFilter;
import com.google.common.collect.Maps;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.Map;

import javax.servlet.DispatcherType;

/**
 * Filter configuration
 */
@Configuration
public class FilterConfig {
    // Comma-separated list of allowed Referer prefixes, read from the application config (see note 1)
    @Value("#{'${referer-domains}'}")    // note 1
    private String domains;

    @Bean
    public FilterRegistrationBean<CSRFFilter> csrfFilterRegistration() {
        FilterRegistrationBean<CSRFFilter> registration = new FilterRegistrationBean<>();
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        registration.setFilter(new CSRFFilter());
        registration.addUrlPatterns("/*");
        registration.setName("csrfFilter");
        registration.setEnabled(true);
        // Passed to CSRFFilter.init() as the "referer" init parameter
        Map<String, String> initParameters = Maps.newHashMap();
        initParameters.put("referer", domains);
        registration.setInitParameters(initParameters);
        // A large order value means low precedence: filters with smaller values run first
        registration.setOrder(Integer.MAX_VALUE - 2);
        return registration;
    }
}

Note 1: the domains parameter supplies the domains allowed to access the site to the call initParameters.put("referer", domains); the annotation @Value("#{'${referer-domains}'}") reads that value from the application configuration file.
In this project it is written as:
referer-domains: http://localhost,http://119.*.**.***
This means both the local machine and the test server IP are accepted as legitimate origins.
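The filter above matches the Referer with startsWith, which is a plain string prefix test. The following is an added example (not code from the original post or its project) showing, side by side, that prefix check and a stricter comparison that reduces the Referer to its origin (scheme://host[:port]) with java.net.URI and requires an exact match against the same comma-separated allow-list format as referer-domains. The class name RefererOriginCheck, the sample allow-list and the sample Referer values are all constructed for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

/** Compares a Referer against an allow-list, by prefix (as on the page) and by exact origin. */
public class RefererOriginCheck {

    private final List<String> allowedOrigins;

    public RefererOriginCheck(String configuredDomains) {
        // Same comma-separated format as referer-domains; each entry is normalised to an origin
        this.allowedOrigins = Arrays.stream(configuredDomains.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(RefererOriginCheck::originOf)
                .filter(o -> o != null)
                .collect(Collectors.toList());
    }

    /** Reduces a URL to lower-case scheme://host[:port], or null if it cannot be parsed. */
    static String originOf(String url) {
        try {
            URI uri = new URI(url);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return null;
            }
            String origin = uri.getScheme().toLowerCase() + "://" + uri.getHost().toLowerCase();
            if (uri.getPort() != -1) {
                origin += ":" + uri.getPort();
            }
            return origin;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** The page's check: a plain string prefix match on the raw header value. */
    public boolean allowedByPrefix(String referer) {
        if (referer == null) {
            return false;
        }
        String value = referer.trim();
        return allowedOrigins.stream().anyMatch(prefix -> value.startsWith(prefix));
    }

    /** Exact origin match: the whole host (and port) must equal an allowed entry. */
    public boolean allowedByOrigin(String referer) {
        if (referer == null) {
            return false;
        }
        String origin = originOf(referer.trim());
        return origin != null && allowedOrigins.contains(origin);
    }

    public static void main(String[] args) {
        // Constructed allow-list in the same format as the page's referer-domains setting
        RefererOriginCheck check = new RefererOriginCheck("http://localhost,http://192.0.2.10");
        // Constructed Referer values: each line notes what the two checks decide
        String[] samples = {
            "http://localhost/login",               // legitimate: both accept
            "http://192.0.2.10:8080/admin",         // extra port: prefix accepts, origin rejects
            "http://localhost.example.test/form",   // lookalike host: prefix accepts, origin rejects
            null                                    // missing header: both reject
        };
        for (String referer : samples) {
            System.out.printf("%-38s prefix=%-5s origin=%s%n", referer,
                    check.allowedByPrefix(referer), check.allowedByOrigin(referer));
        }
    }
}
```

The origin comparison is deliberately strict: if the application is served on a non-default port, that port must appear in the allow-list entry (for example http://localhost:8080), otherwise the browser's Referer of http://localhost:8080/... is rejected.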
