#Referer拦截
referer:
  enabled: true
  #支持配置多个域名,以,分隔。
  domains: 127.0.0.1,localhost
//Referer拦截器 //@Component public class RefererInterceptor implements HandlerInterceptor { Logger log = LoggerFactory.getLogger(getClass()); //是否启用拦截。默认不启用 @Value("${referer.enabled:false}") private Boolean referer_enabled; //白名单域名。支持配置多个域名,以,分隔。 @Value("${referer.domains:}") private List<String> referer_domains; @Override public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception { if (referer_enabled && referer_domains.size() > 0) { String referer = req.getHeader("referer"); String host = req.getServerName(); //空referer,浏览器直接访问,放行。 if (referer == null) { return true; } String refererHost; try { java.net.URL url = new java.net.URL(referer); refererHost = url.getHost(); } catch (MalformedURLException e) { // URL解析异常,也置为404 resp.setStatus(HttpServletResponse.SC_NOT_FOUND); resp.getWriter().write("非法请求,不是同源的访问。"); resp.flushBuffer(); return false; } //referer和host相同,同源的链接,放行。 if (refererHost.equals(host)) { return true; } //referer和host不同。判断是否在白名单。referer在白名单,放行。 if (referer_domains.contains(refererHost)) { return true; } //referer和host不同。且不在白名单。 log.error("referer: " + referer + ", host:" + host); resp.setStatus(HttpServletResponse.SC_NOT_FOUND); resp.getWriter().write("非法请求,不是同源的访问。"); resp.flushBuffer(); return false; } return true; } }
/**
 * MVC configuration: exposes {@link RefererInterceptor} as a bean and adds it to the
 * interceptor registry.
 */
@Configuration
public class WebConfig implements WebMvcConfigurer {

    /**
     * Registers the referer interceptor with the MVC interceptor chain. The bean method is
     * called directly rather than injecting a field, so creation and registration stay in
     * one class.
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        RefererInterceptor interceptor = refererInterceptor();
        registry.addInterceptor(interceptor);
    }

    /** The {@link RefererInterceptor} instance managed by the application context. */
    @Bean
    public RefererInterceptor refererInterceptor() {
        return new RefererInterceptor();
    }
}