HTTP Referer是header的一部分,当浏览器向web服务器发送请求的时候,会带上Referer,通过验证Referer,可以判断请求的合法性,如果Referer是其他网站的话,就有可能是CSRF攻击,则拒绝该请求。
request.getSchema()可以返回当前页面使用的协议,http 或是 https;
request.getServerName()可以返回当前页面所在的服务器的名字;
public class ReferrerInterceptor implements HandlerInterceptor {
static final Logger logger = LogManager.getLogger(ReferrerInterceptor.class);
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String referrer = request.getHeader("referer");
logger.debug("referrer:{}",referrer);
StringBuffer stringBuffer = new StringBuffer();
stringBuffer.append(request.getScheme()).append("://").append(request.getServerName());
logger.debug("basePath:{}",stringBuffer);
if(referrer==null||referrer.equals("")||referrer.lastIndexOf(String.valueOf(stringBuffer))==0){
return true;
}
else{
return false;
}
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
}
}
