跨站点请求伪造漏洞

解决办法:写一个filter进行拦截

package frameWork.common.core.filter;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

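/**
 * Servlet filter that (1) rejects requests whose {@code Referer} names a foreign
 * origin and (2) redirects anonymous users away from a configurable set of
 * login-protected paths.
 *
 * <p>Fixes over the previous version: the filter chain no longer keeps running
 * after a redirect has been sent; the referer check compares the parsed origin
 * instead of a string prefix; missing init-params no longer put {@code null}
 * into the path list (which crashed {@code doFilter} with a NullPointerException);
 * and no HTTP session is created just to look at it.
 */
public class FilterHttpServlertRequest implements Filter {

    /** Page the browser is sent to when a request is rejected by either check. */
    private static final String INDEX_PAGE = "/webpage/index.jsp";

    /** Session attribute whose non-empty value marks a logged-in customer. */
    private static final String CUSTOMER_ATTR = "customerno";

    /** init-param names (see web.xml) whose values are login-protected request paths. */
    private static final String[] PROTECTED_PATH_PARAMS = {
        "smrz", "myPackage", "byDay", "byMonth", "myForce", "myFance"
    };

    /**
     * Origins ({@code scheme://host[:port]}) whose pages may send requests into this
     * application. The Referer is parsed and its origin compared for equality, so a
     * host that merely starts with one of these names is no longer accepted the way
     * the old {@code startsWith} test accepted it. Only http is listed because that is
     * all the original rules allowed; an https deployment needs its origins added here.
     */
    private static final Set<String> TRUSTED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "http://www.51huoniu.com",
                    "http://51huoniu.com",
                    "http://www.huoniu18.com",
                    "http://localhost:8080",
                    "http://121.41.112.100:8888")));

    /**
     * Request paths that require a logged-in session. Filled once in {@link #init}
     * before the container starts calling {@link #doFilter} and only read afterwards,
     * so no further synchronisation is needed.
     */
    private final List<String> protectedPaths = new ArrayList<String>();

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no resources beyond the path list.
    }

    /**
     * Applies the referer check and then the login gate; only a request that passes
     * both reaches the rest of the chain.
     *
     * @param req   the incoming request (must be an HTTP request)
     * @param res   the outgoing response (must be an HTTP response)
     * @param chain the remaining filter chain
     * @throws IOException      if the redirect or the chain fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // CSRF mitigation: a request whose Referer belongs to a foreign origin is
        // bounced to the index page. A request with no Referer at all is still let
        // through, as in the original rules (some clients strip the header); a
        // synchronizer token on state-changing requests is the usual complement
        // that closes that gap.
        String referer = request.getHeader("Referer");
        if (referer != null && !isTrustedReferer(referer)) {
            redirectToIndex(request, response);
            return; // the chain used to continue after the redirect was sent
        }

        // Login gate: protected paths need a customer number in the session.
        if (!isLoggedIn(request) && isProtectedPath(request.getRequestURI())) {
            redirectToIndex(request, response);
            return;
        }

        chain.doFilter(request, response);
    }

    /**
     * Collects the login-protected paths from the filter's init-params. Parameters
     * that are absent or blank are skipped instead of being added as {@code null}.
     *
     * @param config the filter configuration from web.xml
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        for (String paramName : PROTECTED_PATH_PARAMS) {
            String path = config.getInitParameter(paramName);
            if (path != null && !path.trim().isEmpty()) {
                protectedPaths.add(path.trim());
            }
        }
    }

    /** True when the referer parses and its origin is one of {@link #TRUSTED_ORIGINS}. */
    private static boolean isTrustedReferer(String referer) {
        String origin = originOf(referer);
        return origin != null && TRUSTED_ORIGINS.contains(origin);
    }

    /**
     * Returns the normalised origin ({@code scheme://host}, plus {@code :port} when it is
     * not the scheme's default) of a URL, or {@code null} when the value cannot be parsed
     * or has no host. A {@code null} result is treated as untrusted by the caller.
     */
    private static String originOf(String url) {
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return null;
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            host = host.toLowerCase(Locale.ROOT);
            int port = uri.getPort(); // -1 when the URL carries no explicit port
            boolean defaultPort = port == -1
                    || ("http".equals(scheme) && port == 80)
                    || ("https".equals(scheme) && port == 443);
            return defaultPort ? scheme + "://" + host : scheme + "://" + host + ":" + port;
        } catch (URISyntaxException e) {
            return null; // an unparseable Referer is not a trusted one
        }
    }

    /**
     * True when an existing session carries a non-blank {@code customerno}. Uses
     * {@code getSession(false)} so anonymous requests do not create sessions; a value
     * that is not a String counts as not logged in rather than throwing.
     */
    private static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object customerNo = session.getAttribute(CUSTOMER_ATTR);
        return customerNo instanceof String && !((String) customerNo).trim().isEmpty();
    }

    /** Substring match of the request URI against the configured paths, as the original rule did. */
    private boolean isProtectedPath(String requestUri) {
        for (String path : protectedPaths) {
            if (requestUri.contains(path)) {
                return true;
            }
        }
        return false;
    }

    /** Sends the browser to the index page, honouring the context path when not deployed at root. */
    private static void redirectToIndex(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendRedirect(request.getContextPath() + INDEX_PAGE);
    }

}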



  <!-- Registers FilterHttpServlertRequest. Each init-param value is a request path the
       filter treats as login-protected: when the request URL contains it and the session
       has no "customerno" attribute, the filter redirects to /webpage/index.jsp. The
       param-names must match the ones the filter reads in init(). -->
  <filter>
    <filter-name>jsp</filter-name>
    <filter-class>frameWork.common.core.filter.FilterHttpServlertRequest</filter-class>
    <init-param>
      <param-name>byDay</param-name>
      <param-value>/webpage/personalCenter/byDay</param-value>
    </init-param>
     <init-param>
      <param-name>byMonth</param-name>
      <param-value>/webpage/personalCenter/byMonth</param-value>
    </init-param>
     <!-- NOTE(review): myForce and myFance lack the /webpage prefix the other entries carry;
          confirm this is intentional. Matching is a substring test, so the shorter value
          also matches any URL that contains it. -->
     <init-param>
      <param-name>myForce</param-name>
      <param-value>/personalCenter/myGZ</param-value>
    </init-param>
    <init-param>
      <param-name>myFance</param-name>
      <param-value>/personalCenter/myFans</param-value>
    </init-param>
      <init-param>
      <param-name>myPackage</param-name>
      <param-value>/webpage/personalCenter/p_redpackage</param-value>
    </init-param>
     <init-param>
      <param-name>smrz</param-name>
      <param-value>/webpage/customerInfo/smrz</param-value>
    </init-param>
  </filter>
   <!-- The filter runs only for these two URL patterns; anything served under another
        pattern gets neither the referer check nor the login gate from it. -->
   <filter-mapping>
    <filter-name>jsp</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
 
  <filter-mapping>
    <filter-name>jsp</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>

如:wKiom1UQNVzwh-sLAAIE11Y9jqs302.jpg
