Referer Header検証
指定したページからのリクエストでない場合は、エラーが発生していることを確認します(Bad Request: 400)。
// [web.xml] Filter
<!-- Referer check for the page and action endpoints. Only the two mappings below
     (*.html and *.do) are covered; any other path the application serves does not
     pass through this filter. -->
<filter>
<filter-name>refererHeaderFilter</filter-name>
<filter-class>jade.web.filter.http.header.RefererHeaderFilter</filter-class>
</filter>
<!-- NOTE(review): no init-param is declared here and RefererHeaderFilter.init() ignores
     its FilterConfig, so a container-instantiated filter has no source for allowReferers
     other than the generated setter - confirm how the list is injected in this deployment. -->
<filter-mapping>
<filter-name>refererHeaderFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>refererHeaderFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
package jade.web.filter.http.header;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.AccessLevel;
import lombok.Setter;
import lombok.experimental.FieldDefaults;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;
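/**
 * Protection by checking the Referer header and dropping it if it is not a request from a specified page (URL)
 *
 * <p>A request whose {@code Referer} header is present but matches none of
 * {@code allowReferers} is rejected with 400 Bad Request before the chain continues.
 * Each entry of {@code allowReferers} is either an absolute URL
 * ({@code https://host[:port][/path]}) or a bare host ({@code host[:port][/path]}).
 * The Referer is parsed and compared component-wise: the host must be equal
 * (case-insensitive), the scheme and port must match when the entry specifies them,
 * and the Referer path must equal the entry path or lie under it. Comparing parsed
 * components instead of testing a substring means a Referer such as
 * {@code https://other.example/?u=https://allowed.example/} or
 * {@code https://allowed.example.other.example/} does not pass.
 *
 * <p>A missing or blank Referer is accepted on purpose (typed URLs, bookmarks and
 * browsers that strip the header would otherwise be blocked). Because a page can
 * suppress the Referer through its referrer policy, this check is defence in depth
 * and does not replace a CSRF token.
 */
public class RefererHeaderFilter implements Filter {
    private static final String REFERER = "Referer";

    /**
     * Allowed referer URLs or hosts (see class comment). A null or empty list lets no
     * Referer-bearing request through; requests without a Referer are still accepted.
     */
    @Setter
    private List<String> allowReferers;

    /**
     * Rejects the request with 400 Bad Request when its Referer does not pass
     * {@link #verification(HttpServletRequest)}; otherwise continues the chain.
     *
     * @param request  incoming request, expected to be an {@link HttpServletRequest}
     * @param response outgoing response, expected to be an {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        if (!verification(req)) {
            // Status only (the servlet API constant is the same 400 as HttpStatus.SC_BAD_REQUEST);
            // the rejected header value is not echoed into the response.
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Decides whether the request may proceed based on its Referer header.
     *
     * @param request the request whose {@code Referer} header is checked
     * @return {@code true} if the header is absent or blank, or if it parses to an
     *         absolute URI that matches one of {@code allowReferers}; {@code false}
     *         otherwise, including when the header is not a valid absolute URI or the
     *         allow list is null or empty
     */
    private boolean verification(HttpServletRequest request) {
        String referer = StringUtils.trimToNull(request.getHeader(REFERER));
        if (referer == null) {
            // Absent Referer is allowed by design (see class comment).
            return true;
        }
        if (allowReferers == null || allowReferers.isEmpty()) {
            // Nothing configured: fail closed instead of throwing NullPointerException.
            return false;
        }
        URI refererUri = parseUri(referer);
        if (refererUri == null || refererUri.getHost() == null) {
            // A Referer that is not an absolute URI cannot be attributed to an allowed page.
            return false;
        }
        for (String entry : allowReferers) {
            if (matches(refererUri, parseUri(normalizeEntry(entry)))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Parses a string as a URI, returning {@code null} rather than throwing for null or
     * syntactically invalid input so that callers can fail closed.
     *
     * @param value text to parse, may be null
     * @return the parsed URI, or {@code null} when the input is null or malformed
     */
    private static URI parseUri(String value) {
        if (value == null) {
            return null;
        }
        try {
            return new URI(value);
        } catch (URISyntaxException ignored) {
            // Malformed input is simply "no match"; callers do not need the cause.
            return null;
        }
    }

    /**
     * Makes an allow-list entry parseable as an authority-bearing URI. An entry without a
     * scheme ({@code host[:port][/path]}) is prefixed with {@code //} so that
     * {@link URI#getHost()} yields the host instead of treating the text as a relative path.
     *
     * @param entry raw allow-list entry, may be null or blank
     * @return the normalized entry, or {@code null} when the entry is null or blank
     */
    private static String normalizeEntry(String entry) {
        String trimmed = StringUtils.trimToNull(entry);
        if (trimmed == null) {
            return null;
        }
        if (trimmed.contains("://") || trimmed.startsWith("//")) {
            return trimmed;
        }
        return "//" + trimmed;
    }

    /**
     * Component-wise comparison of a Referer URI against one allow-list URI.
     * The host must be equal ignoring case; scheme and port are compared only when the
     * entry specifies them; the Referer path must equal the entry path or lie under it at
     * a {@code /} boundary. Query strings and fragments are ignored.
     *
     * @param referer parsed Referer, must have a non-null host
     * @param allowed parsed allow-list entry, may be null
     * @return {@code true} when every specified component of {@code allowed} matches
     */
    private static boolean matches(URI referer, URI allowed) {
        if (allowed == null || allowed.getHost() == null) {
            return false;
        }
        if (!allowed.getHost().equalsIgnoreCase(referer.getHost())) {
            return false;
        }
        if (allowed.getScheme() != null && !allowed.getScheme().equalsIgnoreCase(referer.getScheme())) {
            return false;
        }
        // -1 means the entry did not specify a port, so any port is accepted.
        if (allowed.getPort() != -1 && allowed.getPort() != referer.getPort()) {
            return false;
        }
        String allowedPath = allowed.getPath() == null ? "" : allowed.getPath();
        if (allowedPath.isEmpty() || "/".equals(allowedPath)) {
            return true;
        }
        String refererPath = referer.getPath() == null ? "" : referer.getPath();
        // Require a segment boundary so "/app" does not also accept "/application".
        String prefix = allowedPath.endsWith("/") ? allowedPath : allowedPath + "/";
        return refererPath.equals(allowedPath) || refererPath.startsWith(prefix);
    }

    /**
     * No configuration is read from the container; {@code allowReferers} must be
     * populated through its setter before requests arrive.
     */
    @Override
    public void init(FilterConfig arg0) throws ServletException {}

    /** Nothing to release. */
    @Override
    public void destroy() {}
}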
Reference
この問題について(Referer Header検証), 我々は、より多くの情報をここで見つけました https://velog.io/@winn85/1111テキストは自由に共有またはコピーできます。ただし、このドキュメントのURLは参考URLとして残しておいてください。