springboot解决http host头攻击漏洞和X-Frame-Options

原文链接：https://blog.csdn.net/qq_37050372/article/details/123791576

https://blog.csdn.net/weixin_38972910/article/details/119755739

1.增加过滤器类进行host白名单过滤
package com.dg.sys.filter;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;


/**
* http host头攻击漏洞处理过滤器，
* 需要在配置文件添加allowed.servernames可访问host白名单，
* 多个host用逗号隔开，本地开发使用127.0.0.1,localhost
* @author liufr
*/
@Component
public class HostFilter implements Filter{
/**
* 自定义实现host白名单添加
*/
@Value("${allowed.servernames}")
private String ALLOWED_SERVERNAMES;

@Override
public void init(FilterConfig filterConfig) throws ServletException {
// System.out.println("Filter初始化中");
}

/**
* host拦截
*/
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
// String host = request.getHeader("host");
String serverName = request.getServerName();
System.out.println("serverName-debug:" + serverName);
if (!isEmpty(serverName)) {
if (checkBlankList(serverName)) {
filterChain.doFilter(servletRequest, servletResponse);
} else {
System.out.println("[serverName deny access tips]->" + serverName);
// response.getWriter().print("host deny");
response.setStatus(403);
response.flushBuffer();
}
} else {
filterChain.doFilter(servletRequest, servletResponse);
}

}

@Override
public void destroy() {
// System.out.println("Filter销毁");
}

/**
* 校验当前host是否在白名单中
*/
private boolean checkBlankList(String serverName) {
String[] allowdServerName = ALLOWED_SERVERNAMES.split(",");
List<String> serverNameList = Arrays.asList(allowdServerName);
for(String str : serverNameList){
if(!isEmpty(str) && str.equals(serverName)){
return true;
}
}
return false;
}

/**
* 判空
*/
public boolean isEmpty(Object str) {
return str == null || "".equals(str);
}


}
2.增加配置类定义过滤器顺序
注意：最好将host白名单过滤定义在第一位，否则在经过其他过滤器之后，可能会被绿盟扫描软件认定为漏洞依然存在。

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class FilterConfig {


@Autowired
MainFilter mainFilter;//主过滤器

@Autowired
HostFilter hostFilter;//http host头攻击漏洞处理过滤器

@Bean
public FilterRegistrationBean hostfilter() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(hostFilter);
registration.addUrlPatterns("/*");
registration.setName("hostFilter");
registration.setOrder(1); // 值越小，Filter越靠前。
return registration;
}

@Bean
public FilterRegistrationBean mainfilter() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(mainFilter);
registration.addUrlPatterns("/*");
registration.setName("mainFilter");
registration.setOrder(2); // 值越小，Filter越靠前。
return registration;
}



}
3.配置文件增加配置allowed.servernames
allowed.servernames=127.0.0.1,localhost

背景：

安全团队扫描代码有安全漏洞，需要新增响应头 X-Frame-Options以防止站点劫持。

 

springboot配置全局响应头，直接新建该类即可：

package com.app.healthyCheck.Config;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class AddResponseHeaderFilter extends OncePerRequestFilter {

//防止站点劫持
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
FilterChain filterChain) throws ServletException, IOException {
httpServletResponse.addHeader("X-Frame-Options", "SAMEORIGIN");
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
}