通过判断请求Header中的Referer来防止伪造请求

其实不会根本性的解决这个问题。

解决方法：

在web.xml中增加：

    
        refererFilter
        ltd.miku.web.securityenhance.xss.RefererFilter
    
    
        refererFilter
        /*
        REQUEST
    

然后RefererFilter的内容是：

import com.inspur.ssr.web.system.service.impl.ExpireSessionImpl;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;

@Service
public class RefererFilter implements Filter
{
    private static final Logger logger = LoggerFactory.getLogger(RefererFilter.class);

    public void init(FilterConfig filterConfig) throws ServletException
    {
        logger.debug(" init {} but actually do nothing.", getClass().getName());
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException

    {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        String rawReferer = httpServletRequest.getHeader("referer");
        boolean legal = false;
        if (StringUtils.isBlank(rawReferer))
        {
            legal = true;
        }
        else
        {
            try
            {
                URL url = new URL(rawReferer);
                String clientIp = httpServletRequest.getRemoteAddr();
                String referIp = url.getHost();
                String localIp = httpServletRequest.getLocalAddr();

                if (StringUtils.equals(clientIp, referIp))
                {
                    legal = true;
                }
                if (StringUtils.equals("localhost", referIp) || StringUtils.equals("127.0.0.1", referIp) || StringUtils.equals(localIp, referIp))
                {
                    legal = true;
                }
            }
            catch (MalformedURLException e)
            {
                e.printStackTrace();
            }
        }

        if (!legal)
        {
            logger.warn(" illegal referer: {}", rawReferer);
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        else
        {
            chain.doFilter(request, response);
        }

    }

    public void destroy()
    {
        logger.debug(" destroy {} but actually do nothing.", getClass().getName());
    }
}

虽然代码写的比较翔，但是好歹是能用的。。。。。↑↑↑↑↑↑注意有待优化，无法直接生产用↑↑↑↑↑