Referer Header検証


指定したページからのリクエストでない場合は、エラーが発生していることを確認します(Bad Request:400).
// [web.xml] Filter
<!-- Registers the Referer check. NOTE(review): RefererHeaderFilter.init() ignores FilterConfig,
     so the allowReferers list is not read from init-params here; confirm how it is injected
     (e.g. a DI-managed filter proxy), otherwise the list stays unset. -->
<filter>
	<filter-name>refererHeaderFilter</filter-name>
	<filter-class>jade.web.filter.http.header.RefererHeaderFilter</filter-class>
</filter>       
<!-- The check applies to every *.html page and every *.do action. -->
<filter-mapping>
	<filter-name>refererHeaderFilter</filter-name>
	<url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>refererHeaderFilter</filter-name>
	<url-pattern>*.do</url-pattern>
</filter-mapping>
package jade.web.filter.http.header;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;

import lombok.AccessLevel;
import lombok.Setter;
import lombok.experimental.FieldDefaults;

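/**
 * Servlet filter that rejects requests whose {@code Referer} header does not point at one of the
 * configured allowed pages (URLs), answering {@code 400 Bad Request} instead of invoking the chain.
 *
 * <p>Each entry of {@link #allowReferers} is one of: a host name ({@code example.com}, which also
 * covers its sub-domains), a host plus path prefix ({@code example.com/app/}), or an absolute URL
 * prefix ({@code https://example.com:8443/app/}). The header value is parsed as a URI and compared
 * component by component (host, then scheme and port when the entry specifies them, then path
 * prefix on a directory boundary). It is never matched as a plain substring, so a value such as
 * {@code https://example.com.attacker.example/} or {@code https://attacker.example/?q=example.com}
 * does not satisfy an entry of {@code example.com}. Values that do not parse as an absolute URI
 * with a host are rejected.
 *
 * <p>A request without a {@code Referer} header is let through (direct navigation, bookmarks and
 * privacy settings strip it). On its own the filter is therefore not a complete CSRF defence for
 * state-changing actions; combine it with a synchronizer token or an {@code Origin} check.
 */
public class RefererHeaderFilter implements Filter {

	private static final String REFERER = "Referer";

	/** Allowed entries (see class doc). {@code null} or empty rejects every request that carries a Referer. */
	@Setter
	private List<String> allowReferers;

	/**
	 * Checks the {@code Referer} header and either ends the request with {@code 400} or passes it on.
	 *
	 * @throws IOException      if writing the error response fails
	 * @throws ServletException propagated from the remainder of the chain
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse res = (HttpServletResponse) response;
		if (!verification(req)) {
			// Same status code as before; the servlet constant avoids pulling httpcomponents in for one int.
			res.sendError(HttpServletResponse.SC_BAD_REQUEST);
			return;
		}
		chain.doFilter(request, response);
	}

	/** Returns {@code true} when the request carries no Referer, or one that matches an allowed entry. */
	private boolean verification(HttpServletRequest request) {
		return isAllowedReferer(request.getHeader(REFERER), allowReferers);
	}

	/**
	 * Decides whether a {@code Referer} value is acceptable for the given allow-list.
	 *
	 * @param referer       raw header value; {@code null}, blank and surrounding whitespace are tolerated
	 * @param allowReferers entries as described on the class; {@code null} is treated as an empty list
	 * @return {@code true} if the header is absent or blank, or is an absolute URI whose host (and, when the
	 *         entry gives them, scheme, port and path prefix) matches at least one entry; {@code false}
	 *         otherwise, including values that cannot be parsed
	 */
	static boolean isAllowedReferer(String referer, Collection<String> allowReferers) {
		String value = referer == null ? null : referer.trim();
		if (value == null || value.isEmpty()) {
			// Policy kept from the original implementation: a missing header is not a reason to reject.
			return true;
		}
		URI refererUri = parseUri(value);
		if (refererUri == null || refererUri.getHost() == null) {
			// Not an absolute URI with a parsable host (java.net.URI also yields no host for names it
			// cannot parse, e.g. with underscores): nothing trustworthy to compare, so fail closed.
			return false;
		}
		if (allowReferers == null) {
			// Unset list: behave like an empty list instead of failing with a NullPointerException.
			return false;
		}
		for (String entry : allowReferers) {
			if (matches(refererUri, entry)) {
				return true;
			}
		}
		return false;
	}

	/** Matches one allow-list entry against an already parsed Referer URI. */
	private static boolean matches(URI referer, String allowedEntry) {
		String entry = allowedEntry == null ? "" : allowedEntry.trim();
		if (entry.isEmpty()) {
			return false;
		}
		// An entry without a scheme ("example.com", "example.com:8080/app/") is parsed as authority + path.
		URI allowed = parseUri(entry.contains("://") ? entry : "//" + entry);
		if (allowed == null || allowed.getHost() == null) {
			return false;
		}
		if (!hostMatches(referer.getHost(), allowed.getHost())) {
			return false;
		}
		// Scheme and port are only constrained when the entry spells them out.
		if (allowed.getScheme() != null && !allowed.getScheme().equalsIgnoreCase(referer.getScheme())) {
			return false;
		}
		if (allowed.getPort() != -1 && allowed.getPort() != referer.getPort()) {
			return false;
		}
		return pathMatches(referer.getRawPath(), allowed.getRawPath());
	}

	/** Case-insensitive exact host, or a sub-domain of the allowed host ("www.example.com" for "example.com"). */
	private static boolean hostMatches(String host, String allowedHost) {
		if (host.equalsIgnoreCase(allowedHost)) {
			return true;
		}
		String suffix = "." + allowedHost;
		int start = host.length() - suffix.length();
		return start > 0 && host.regionMatches(true, start, suffix, 0, suffix.length());
	}

	/**
	 * An empty or {@code /} allowed path covers the whole site; otherwise the Referer path must equal the
	 * allowed path or continue it at a {@code /} boundary, so {@code /app} does not cover {@code /application}.
	 */
	private static boolean pathMatches(String refererPath, String allowedPath) {
		if (allowedPath == null || allowedPath.isEmpty() || "/".equals(allowedPath)) {
			return true;
		}
		String path = refererPath == null ? "" : refererPath;
		if (allowedPath.endsWith("/")) {
			return path.startsWith(allowedPath);
		}
		return path.equals(allowedPath) || path.startsWith(allowedPath + "/");
	}

	/** {@link URI#URI(String)} that returns {@code null} instead of throwing on malformed input. */
	private static URI parseUri(String value) {
		try {
			return new URI(value);
		} catch (URISyntaxException e) {
			return null;
		}
	}

	/** No configuration is read from {@link FilterConfig}; the allow-list arrives through the setter. */
	@Override
	public void init(FilterConfig arg0) throws ServletException {}

	/** Nothing to release. */
	@Override
	public void destroy() {}

}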