<!-- web.xml: registers HttpHostFilter and binds it to requests whose path ends in ".ht".
     NOTE(review): filter-class names package com.ytd.httpHostHeaderfilter, while the Java
     source on this page declares "package com.httpHostHeaderfilter;" - one of the two must
     be corrected or the container will not be able to load the filter.
     NOTE(review): with url-pattern *.ht the security headers and the Host check are applied
     only to *.ht requests; every other response of the application is left without them.
     Use /* if the whole application should be covered. -->
<filter>
  <filter-name>HttpHostFilter</filter-name>
  <filter-class>com.ytd.httpHostHeaderfilter.HttpHostFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>HttpHostFilter</filter-name>
  <url-pattern>*.ht</url-pattern>
</filter-mapping>
web.xml添加的过滤器
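package com.httpHostHeaderfilter;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.hotent.core.util.StringUtil;

/**
 * Servlet filter that adds a fixed set of browser hardening response headers and rejects
 * requests whose {@code Host} header does not name this deployment.
 *
 * <p>The allowed host is read from {@code conf/app.properties} (key {@code officeIp}) under
 * the class-path root. It is re-read on every request, so edits take effect without a
 * restart, at the cost of one file read per request.
 *
 * <p>The fully-qualified name of this class must match the {@code <filter-class>} entry in
 * web.xml, otherwise the container cannot load the filter.
 */
public class HttpHostFilter implements Filter {

    /** Fallback host, used only when the properties file loads but {@code officeIp} is blank. */
    private static final String DEFAULT_HOST = "10.151.209.77";

    protected Logger logger = LoggerFactory.getLogger(HttpHostFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to set up: configuration is read lazily in getMsg().
    }

    @Override
    public void destroy() {
        // No resources are held between requests.
    }

    /**
     * Adds the hardening headers to the response, then lets the request through only when
     * its {@code Host} header matches the configured host.
     *
     * <p>A request without a {@code Host} header is passed through unchanged (original
     * behaviour); the check only applies when the header is present.
     *
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        addSecurityHeaders(response);

        // Host-header check: anything that is not the configured deployment host is refused.
        String requestHost = request.getHeader("host");
        if (requestHost != null && !isHostAllowed(requestHost)) {
            response.setStatus(403);
            return;
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Writes the hardening headers a scanner reported as missing. Values are unchanged from
     * the original except for the {@code Referrer-Policy} header name, which was misspelled
     * ({@code Referer-Policy}) and therefore ignored by browsers.
     */
    private static void addSecurityHeaders(HttpServletResponse response) {
        // Clickjacking: only same-origin pages may frame this site.
        response.addHeader("X-Frame-Options", "SAMEORIGIN");
        // Plugin content (object/embed) restricted to this origin; no other CSP directive is set,
        // so this policy does not restrict scripts, styles or frames.
        response.addHeader("Content-Security-Policy", "object-src 'self'");
        // Stop browsers from MIME-sniffing a response away from its declared Content-Type.
        response.addHeader("X-Content-Type-Options", "nosniff");
        // Legacy XSS-auditor switch; current browsers no longer act on it, kept for old clients.
        response.addHeader("X-XSS-Protection", "1; mode=block");
        // HSTS is only honoured on responses delivered over HTTPS. "preload" commits the domain
        // to browser preload lists and is hard to revert - confirm this is intended.
        response.addHeader("Strict-Transport-Security", "max-age=63072000; includeSubdomains; preload");
        // Header name is Referrer-Policy (double r); the misspelled original had no effect.
        response.addHeader("Referrer-Policy", "origin");
        // Flash/PDF cross-domain policy: only the master policy file is consulted.
        response.addHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        // IE: downloads cannot be opened directly in the site's security context.
        response.addHeader("X-Download-Options", "noopen");
        // CORS: an empty Access-Control-Allow-Origin matches no origin, so cross-origin reads are
        // denied; the two headers below are consequently inert and only kept for parity.
        response.addHeader("Access-Control-Allow-Origin", "");
        response.addHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
        response.addHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With");
    }

    /**
     * Exact match of the request host against the configured host, ignoring port and letter
     * case. Replaces a substring test on dot/colon-stripped strings, which accepted any host
     * that merely contained the configured digits. Fails closed ({@code false}) when no host
     * could be loaded from configuration, instead of throwing a NullPointerException.
     *
     * @param host the raw {@code Host} header value
     */
    private boolean isHostAllowed(String host) {
        Map<String, String> msg = this.getMsg();
        String allowed = msg.get("ip");
        if (allowed == null || host == null) {
            return false;
        }
        return stripPort(host).equalsIgnoreCase(stripPort(allowed));
    }

    /**
     * Returns the host part of a {@code host[:port]} value. Bracketed IPv6 literals keep their
     * brackets so the colons inside them are not mistaken for a port separator.
     */
    private static String stripPort(String hostPort) {
        String value = hostPort.trim();
        if (value.startsWith("[")) {
            int close = value.indexOf(']');
            return close < 0 ? value : value.substring(0, close + 1);
        }
        int colon = value.indexOf(':');
        return colon < 0 ? value : value.substring(0, colon);
    }

    /**
     * Reads the allowed host from {@code <classpath-root>/conf/app.properties}.
     *
     * @return a map with key {@code "ip"} holding the configured host ({@code officeIp}, or
     *         {@link #DEFAULT_HOST} when that key is blank); empty when the file cannot be read
     */
    public Map<String, String> getMsg() {
        Map<String, String> map = new HashMap<String, String>();
        Properties p = new Properties();
        FileInputStream in = null;
        try {
            // getResource("/") may return null outside a normal class-path layout; the resulting
            // NullPointerException is handled below like any other load failure.
            String dirPath = HttpHostFilter.class.getClassLoader().getResource("/").getPath()
                    + File.separator + "conf";
            in = new FileInputStream(dirPath + File.separator + "app.properties");
            p.load(in);
            String host = p.getProperty("officeIp");
            if (StringUtil.isEmpty(host)) {
                host = DEFAULT_HOST;
            }
            map.put("ip", host);
        } catch (Exception e1) {
            // Logged with the stack trace rather than printStackTrace(); the caller fails closed
            // on the empty map.
            logger.warn("初始化失败 获取配置文件ip失败--->=" + e1.getMessage(), e1);
        } finally {
            // The original never closed the stream, leaking one file handle per request.
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // nothing useful to do if close fails after the properties were read
                }
            }
        }
        return map;
    }
}
过滤器java类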