The code is as follows:
// ArgsIsValidFilter.java filter code listing:
package com.hety.uitl;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
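/**
 * Servlet filter that lets a request through only when its {@code Referer} header names the
 * same host the request was addressed to, and redirects every other request to
 * {@code /index.html}.
 *
 * <p>The host is taken from the parsed Referer URL and compared as a whole. A prefix comparison
 * at the host position would also accept a longer host name that merely starts with the server
 * name, and would throw on a Referer shorter than the server name.
 *
 * <p>Limits of this check, for whoever deploys it:
 * <ul>
 *   <li>The Referer header is optional. Browsers omit it under some Referrer-Policy settings,
 *       so legitimate requests without it are redirected. State-changing endpoints should also
 *       be protected by a per-session anti-CSRF token.</li>
 *   <li>{@code getServerName()} is normally derived from the client-supplied Host header.
 *       NOTE(review): if the application is reachable under a fixed set of names, compare
 *       against that configured list instead - confirm against the deployment.</li>
 *   <li>NOTE(review): if this filter is mapped to {@code /index.html} itself, a request without
 *       a Referer is redirected to the same page again - confirm the filter mapping.</li>
 * </ul>
 */
public class ArgsIsValidFilter implements Filter {

    private static final Log log = LogFactory.getLog(ArgsIsValidFilter.class);

    /**
     * Request-URI fragments that skip the Referer check. To exempt another page, add it here.
     *
     * <p>NOTE(review): entries are matched case-sensitively with {@code contains} on the raw
     * request URI, so any path that merely contains one of these fragments skips the check.
     * Once the intended locations are confirmed, prefer an exact or prefix match on the
     * servlet path. Also confirm the spelling and case of each entry against the deployed
     * page names.
     */
    private static final String[] IGNORE_URIS = {
        "/back/",
        "/Info.jsp",
        "/Pzxx.jsp"
    };

    public void destroy() {
        // Nothing to release.
    }

    /**
     * Validates the Referer of the current request and either continues the chain or redirects
     * to the home page.
     *
     * @param arg0 the incoming request; must be an {@link HttpServletRequest}
     * @param arg1 the outgoing response; must be an {@link HttpServletResponse}
     * @param arg2 the remaining filter chain, invoked only for accepted requests
     * @throws IOException if the redirect or the rest of the chain fails with an I/O error
     * @throws ServletException if the request or response is not an HTTP one, or the rest of
     *     the chain fails
     */
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
            throws IOException, ServletException {
        // Fail closed with a declared exception instead of an unchecked ClassCastException.
        if (!(arg0 instanceof HttpServletRequest) || !(arg1 instanceof HttpServletResponse)) {
            throw new ServletException("ArgsIsValidFilter supports only HTTP requests");
        }
        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;
        String serverName = request.getServerName();
        String currentURI = request.getRequestURI();

        // Full referring URL, e.g. "http://www.domain.com.cn:8023/front/zwgk.jsp?id=1283".
        String referer = lastHeaderValue(request.getHeaders("Referer"));
        boolean isValid = true;

        if (log.isInfoEnabled()) {
            log.info("the url obtained is:" + forLog(referer));
            log.info("the url obtained by the system is:" + forLog(currentURI));
        }

        if ("".equals(referer)) {
            isValid = false;
            if (log.isInfoEnabled()) {
                log.info("the url obtained is empty ");
                log.info("the url obtained by the system is:" + forLog(currentURI));
                log.info("system prompt: the request may come from an external domain! ");
            }
        } else {
            if (log.isInfoEnabled()) {
                log.info("the obtained parameter length is:" + referer.length());
            }
            String refererHost = refererHost(referer);
            if (log.isInfoEnabled()) {
                log.info("the intercepted string is:" + forLog(refererHost));
            }
            if (refererHost == null) {
                // Unparseable, not http(s), or no host part: treat as foreign.
                isValid = false;
                if (log.isInfoEnabled()) {
                    log.info("the Referer could not be parsed, and the request may come from an external domain!");
                }
            } else if (!refererHost.equalsIgnoreCase(serverName)) {
                // Whole-host comparison; host names are case-insensitive.
                isValid = false;
                if (log.isInfoEnabled()) {
                    log.info("domain name match failed, request from external domain! ");
                }
            }
        }

        // Exempted locations override a failed Referer check.
        for (String ignoreURI : IGNORE_URIS) {
            if (currentURI.contains(ignoreURI)) {
                isValid = true;
                if (log.isInfoEnabled()) {
                    log.info("the system has skipped checking the following url:" + forLog(currentURI));
                }
                break;
            }
        }

        if (!isValid) {
            if (log.isInfoEnabled()) {
                log.info("system prompt: the URL is a cross-origin request and will be redirected to the homepage. ");
            }
            response.sendRedirect("/index.html");
            return;
        }
        arg2.doFilter(arg0, arg1);
    }

    public void init(FilterConfig arg0) throws ServletException {
        // No configuration is read.
    }

    /** Returns the last value of the enumeration as a string, or "" when there is none. */
    private static String lastHeaderValue(Enumeration<?> values) {
        String last = "";
        // The servlet API allows a null result when the container hides header information.
        while (values != null && values.hasMoreElements()) {
            Object value = values.nextElement();
            last = value == null ? "" : value.toString();
        }
        return last;
    }

    /**
     * Returns the host part of an http or https Referer URL, or {@code null} when the value
     * cannot be parsed, uses another scheme, or carries no host.
     */
    private static String refererHost(String referer) {
        try {
            URI uri = new URI(referer.trim());
            String scheme = uri.getScheme();
            if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                return null;
            }
            // getHost() excludes user-info and port, so neither can disguise the host.
            return uri.getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Replaces line breaks so a request-supplied value cannot forge extra log entries. */
    private static String forLog(String value) {
        if (value == null) {
            return "null";
        }
        return value.replace('\r', '_').replace('\n', '_');
    }
}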