
防止CSRF filter拦截验证

2019-11-08 02:22:08

参考: https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/

0. 拦截每个页面，并为其设置 session token 以及同名的 cookie

1. 哪些页面需要特殊拦截验证（涉及数据更新、保存），在 web.xml 中配置

2. 在过滤器中拦截 Ajax 提交的 header，与 session 中保存的 token 进行对比

web.xml 设置需要拦截验证的页面

<!-- xxxxxxFilter start -->
<filter>
    <filter-name>xxxxxxFilter</filter-name>
    <filter-class>xx.xxxxxx.xxxx.filters.xxxxFilter</filter-class>
    <init-param>
        <!-- Comma-separated URI fragments. A request whose URI contains one of them
             must carry a CSRF token header equal to the token stored in the session;
             otherwise the filter answers HTTP 400. -->
        <param-name>interceptList</param-name>
        <param-value>/xxxxxxSave.htm,/xxxxxxxxSave.htm,/xxxxxSave.htm,/xxxxx.htm</param-value>
    </init-param>
</filter>
<!-- xxxxxxFilter end -->

<!-- xxxxxxFilter URL start -->
<filter-mapping>
    <filter-name>xxxxxxFilter</filter-name>
    <!-- Every *.htm request passes through the filter and is issued a fresh token
         (session attribute + cookie); only the interceptList entries above are
         actually validated. -->
    <url-pattern>*.htm</url-pattern>
</filter-mapping>
<!-- xxxxxxFilter URL end -->

package xx.xxxx.xxxx.filters;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.stereotype.Component;

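/**
 * CSRF filter.
 *
 * <p>Every request that reaches {@link #doFilter} is issued a fresh random token, stored
 * both as a session attribute and as a cookie of the same name ({@value #CSRF_TOKEN}).
 * The client-side Ajax code is expected to read that cookie and send its value back in a
 * request header also named {@value #CSRF_TOKEN}. For URIs matching an entry of the
 * {@code interceptList} init parameter, the header is compared with the session copy and
 * the request is rejected with HTTP 400 when they differ or either one is missing.
 *
 * <p>Because the token is rotated on every request, two overlapping requests from the same
 * session can race: the one that arrives second sees a token that was just replaced and
 * may be rejected.
 */
@Component
public class XxxxxFilter extends HttpServlet implements Filter {

    private static final long serialVersionUID = 5497744146730186671L;

    // Logger is bound to this class (the original referenced a different class).
    private static final Logger log = LogManager.getLogger(XxxxxFilter.class);

    /** Name shared by the session attribute, the cookie and the request header that carry the token. */
    private static final String CSRF_TOKEN = "csrftoken";

    /** URI fragments (from the {@code interceptList} init parameter) whose requests must carry a valid token. */
    List<String> interceptList = new ArrayList<String>();

    /**
     * Validates the CSRF token on intercepted URIs, then issues a new token for the next request.
     *
     * @param arg0  the incoming request (must be an {@link HttpServletRequest})
     * @param arg1  the outgoing response (must be an {@link HttpServletResponse})
     * @param chain the remaining filter chain
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;
        // getSession() creates a session when none exists yet.
        HttpSession session = request.getSession();
        String uri = request.getRequestURI();

        // Token issued to this session by the previous request; null on the first request.
        String sToken = (String) session.getAttribute(CSRF_TOKEN);

        if (isIntercept(uri)) {
            // Token echoed back by the Ajax client in the request header.
            String xhrToken = request.getHeader(CSRF_TOKEN);
            if (!tokensMatch(sToken, xhrToken)) {
                // Log the URI only; token values are deliberately kept out of the log.
                log.warn("CSRF token check failed for {}; responding 400", uri);
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }

        // Rotate: issue a new token for the next request, in the session and in a cookie
        // that the client script can read to populate the header.
        sToken = UUID.randomUUID().toString();
        session.setAttribute(CSRF_TOKEN, sToken);
        Cookie cookie = new Cookie(CSRF_TOKEN, sToken);
        cookie.setMaxAge(-1); // session cookie: discarded when the browser closes
        // NOTE(review): the cookie is intentionally not HttpOnly, because the client script must
        // read it; cookie.setSecure(true) is appropriate once the application is served over HTTPS.
        response.addCookie(cookie);

        chain.doFilter(request, response);
    }

    /**
     * Compares the session token with the header token without leaking timing information.
     *
     * @param sessionToken token stored in the session, may be null
     * @param headerToken  token sent by the client, may be null
     * @return true only when both are present and byte-for-byte equal
     */
    private static boolean tokensMatch(String sessionToken, String headerToken) {
        if (sessionToken == null || headerToken == null) {
            return false;
        }
        // Constant-time comparison; String.equals short-circuits on the first differing byte.
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                headerToken.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads the comma-separated {@code interceptList} init parameter.
     *
     * <p>Entries are trimmed and blank entries dropped: {@code StringUtils.contains(uri, "")}
     * is true for every non-null URI, so a stray comma would otherwise force token
     * validation on all requests.
     *
     * @param config filter configuration from web.xml
     * @throws ServletException never thrown here; declared by {@link Filter#init}
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String strInterceptList = config.getInitParameter("interceptList");
        List<String> parsed = new ArrayList<String>();
        if (strInterceptList != null && strInterceptList.length() > 0) {
            for (String entry : strInterceptList.split(",")) {
                String trimmed = entry.trim();
                if (trimmed.length() > 0) {
                    parsed.add(trimmed);
                }
            }
        }
        interceptList = parsed;
    }

    /**
     * @param uri request URI
     * @return true when the URI contains one of the configured intercept entries
     */
    private boolean isIntercept(String uri) {
        return isContained(uri, interceptList);
    }

    /**
     * Substring match: an entry such as {@code /xxxxxSave.htm} matches any URI containing it,
     * not only an exact path.
     *
     * @param uri     request URI
     * @param listTmp entries to look for
     * @return true when any entry occurs within the URI
     */
    private boolean isContained(String uri, List<String> listTmp) {
        for (String tmp : listTmp) {
            if (StringUtils.contains(uri, tmp)) {
                return true;
            }
        }
        return false;
    }

}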

《写的不好 如果有好的方法请指点一二 谢谢 !!!》

