• Example Search by API
• Example Search by Word
• Project Search
• Top Packages
• Top Classes
• Top Methods
• Top Projects

• Java
• C++
• Python
• Scala
• Blog

• framework-master
  • src
    • main
      • resources
        • application.yml
        • META-INF
          • additional-spring-configuration-metadata.json
        • logback-spring.xml
        • banner.txt
      • java
        • com
          • gyoomi
            • example
              • ExampleMapper.java
              • ExampleController.java
              • ExampleService.java
              • Example.java
            • FrameworkApplication.java
            • adam
              • core
                • BaseController.java
                • utils
                  • ArithmeticUtils.java
                  • DateUtils.java
                • CHERRY.java
                • jwt
                  • JwtUser.java
                  • JwtTokenUtils.java
                  • UserDetailsServiceImpl.java
                  • JwtAuthority.java
                • AdamConstants.java
                • properties
                  • AdamStatus.java
                  • AdamProperties.java
                  • JwtTokenProperties.java
                • BaseService.java
                • GlobalExceptionHandler.java
                • config
                  • MyBatisPlusConfig.java
                  • WebSecurityConfig.java
                • thread
                  • BaseThread.java
                  • BasePeriodThread.java
                  • Mail.java
                  • BaseTaskEventThread.java
                  • FrameWorkMailSender.java
                • BusinessException.java
                • model
                  • PageSort.java
                  • UserSession.java
                  • Response.java
                • filter
                  • InterfaceAccessKeyFilter.java
                  • TokenFilter.java
                  • PermissionFilter.java
                  • CsrfFilter.java
                  • TokenSessionFilter.java
              • rbac
                • dao
                  • MenuMapper.java
                  • UserMapper.java
                  • InterfaceClientMapper.java
                • enums
                  • MenuType.java
                  • LogOperatorType.java
                  • LogBusinessType.java
                • service
                  • UserService.java
                • model
                  • RoleMenu.java
                  • LoginLog.java
                  • UserRole.java
                  • Log.java
                  • Menu.java
                  • Dept.java
                  • request
                    • LoginVO.java
                  • Role.java
                  • InterfaceClient.java
                  • User.java
                • controller
                  • IndexController.java
    • test
      • java
        • com
          • gyoomi
            • test
              • TestClass.java
  • pom.xml
  • LICENSE
  • README.md
  • .gitignore
  • doc
    • init.sql
    • asserts

/**
 * Copyright © 2019, Glodon Digital Supplier BU.
 * <p>
 * All Rights Reserved.
 */

package com.gyoomi.adam.core.filter;

import com.gyoomi.adam.core.BaseController;
import com.gyoomi.adam.core.CHERRY;
import com.gyoomi.adam.core.model.Response;
import com.gyoomi.adam.core.properties.AdamProperties;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.util.AntPathMatcher;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;

/**
 * Csrf攻防Filter
 *
 * @author Leon
 * @date 2019-10-22 16:10
 */
public class CsrfFilter implements Filter {

    /**
     * Logger
     */
    private final Logger lg = LoggerFactory.getLogger(this.getClass());

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain filterChain) throws IOException, ServletException {
        if (isExclusives((HttpServletRequest) req) || checkCsrfToken(req)) {
            filterChain.doFilter(req, resp);
        } else {
            lg.warn("无效的CSRF参数：{}", ((HttpServletRequest) req).getRequestURI());
            Response response = Response.builder().code(HttpServletResponse.SC_SERVICE_UNAVAILABLE).msg("无效的CSRF参数").build();
            BaseController.writeJsonResponse(response, (HttpServletResponse) resp);
        }
    }

    /**
     * 检查CSRF Token
     *
     * @param req   ServletRequest
     */
    private boolean checkCsrfToken(ServletRequest req) {
        AdamProperties adamProperties = CHERRY.SPRING_CONTEXT.getBean(AdamProperties.class);
        boolean isValid = false;

        String csrf = ((HttpServletRequest) req).getHeader(adamProperties.getCsrf().getHeaderName());
        if (StringUtils.isBlank(csrf)) {
            csrf = req.getParameter(adamProperties.getCsrf().getRequestName());
        }

        if (StringUtils.isNotBlank(csrf)) {
            Boolean hasKey = CHERRY.SPRING_CONTEXT.getBean(StringRedisTemplate.class).hasKey(CHERRY.REDIS_KEY_CSRF + csrf);
            isValid = hasKey == null ? false : hasKey;
        }

        return isValid;
    }

    /**
     * 过滤非认证URL
     * <p>和Spring Security的白名单类似</p>
     *
     * @param request req
     * @return 返回结果
     */
    private boolean isExclusives(HttpServletRequest request) {
        List<String> exclusivePath = CHERRY.SPRING_CONTEXT.getBean(AdamProperties.class).getSecurity().getExclusivePath();
        AntPathMatcher antPathMatcher = new AntPathMatcher();
        String requestURI = request.getRequestURI();
        for (String exclusive : exclusivePath) {
            if (antPathMatcher.match(exclusive, requestURI)) {
                return true;
            }
        }
        return false;
    }
}