跨站請求偽造解決辦法之——過濾referer


當然,referer也是可以偽造的,HTTP請求本身就沒有不能偽造的東西。

所以本方法只能在一定程度上防止非法請求,僅供參考。

 

項目的web.xml中增加過濾器:

    <!-- Registers the RefererFilter class shown below and applies it to every request whose path matches *.do. -->
    <filter>
        <filter-name>RefererFilter</filter-name>
        <filter-class>com.sdyy.common.filters.RefererFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>RefererFilter</filter-name>
        <url-pattern>*.do</url-pattern>
    </filter-mapping>  

 

項目中增加RefererFilter類:

package com.sdyy.common.filters;

import java.io.IOException;  
import java.net.URI;
import java.net.URISyntaxException;

import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServlet;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  

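public class RefererFilter extends HttpServlet implements Filter {  

    private static final long serialVersionUID = 1L;  
    // Kept only so destroy() can release it; nothing is read from it.
    private FilterConfig filterConfig;  

    /** Stores the filter configuration handed over by the container. */
    @Override
    public void init(FilterConfig config) {  
        this.filterConfig = config;  
    }  

    /**
     * Lets the request continue down the chain only when its Referer header names
     * the same host the request was sent to; otherwise the request is forwarded to
     * {@code /WEB-INF/error.jsp} and the chain is not invoked.
     *
     * @param req   the incoming request, expected to be an {@link HttpServletRequest}
     * @param res   the response, expected to be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws ServletException propagated from the forward or the chain
     * @throws IOException      propagated from the forward or the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res,  
            FilterChain chain) throws ServletException, IOException {  

        HttpServletRequest request = (HttpServletRequest) req;  
        HttpServletResponse response = (HttpServletResponse) res;  
        // Origin of the link that led here; absent on direct navigation or when the client strips it.
        String referer = request.getHeader("referer");  
        if (!isSameHost(referer, request.getServerName())) {  
            // Referer missing, unparsable, or pointing at another host: show the error page.
            request.getRequestDispatcher("/WEB-INF/error.jsp").forward(request, response);  
        } else {   
            chain.doFilter(request, response);  
        }  
    }  

    /**
     * Returns {@code true} only when {@code referer} parses as a URI whose host
     * component equals {@code serverName}, ignoring case.
     *
     * <p>The host is compared as a whole rather than with a substring test: a
     * substring match would also accept a referer whose path or query merely
     * mentions the server name, or whose host only contains it.
     *
     * @param referer    raw value of the Referer header, may be {@code null}
     * @param serverName host name the current request was addressed to
     * @return whether the referer's host is exactly this server
     */
    private static boolean isSameHost(String referer, String serverName) {
        if (referer == null || serverName == null) {
            return false;
        }
        String host;
        try {
            host = new URI(referer).getHost();
        } catch (URISyntaxException e) {
            // A malformed Referer is treated like a missing one.
            return false;
        }
        return host != null && host.equalsIgnoreCase(serverName);
    }

    /** Drops the stored configuration when the container retires the filter. */
    @Override
    public void destroy() {  
        this.filterConfig = null;  
    }  

} 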

 

