Application example of Java anti-hotlinking in reports

Source: Internet
Author: User

Today we talk about Java anti-hotlinking. Rather than more theory, we go straight to an application case.

The tool used here is the reporting software FineReport together with its decision-making system (a web front-end display system whose main job is permission control). Using the Java anti-hotlinking approach, you can implement page-level access control for reports.

When the URL of a report is typed directly into the browser, the request carries no Referer header. So at access time the filter can make two checks: whether the Referer header is empty, and whether it points to the page the visitor is supposed to have come from. If the checks fail, the request is forwarded to an error page.

What is Referer?

Referer is a field of the HTTP request header, also called the HTTP source address (HTTP Referer). It tells the server which page linked to the current resource, and its value is a URL. In other words, a web page can use the HTTP Referer header to check where its visitors come from, and it is often used as one line of defence against forged cross-site requests (CSRF). Keep in mind that the Referer is set by the client: a browser fills it in automatically, but any HTTP client or script can forge or omit it, so a Referer check deters casual hotlinking and embedding; it is not an authentication mechanism.



What is an empty Referer, and when does one appear?

First, what we call an empty Referer is either a Referer header whose value is empty, or an HTTP request that does not carry a Referer header at all.

So when does an HTTP request not contain the Referer field? By definition, the Referer records which page a request was linked from, so when a request is not produced by following a link, there is no link source to record.

For example, when you type a resource's URL directly into the browser's address bar, the request contains no Referer field, because it is an HTTP request produced "out of thin air" rather than by linking from somewhere.



In anti-hotlinking settings, what is the difference between allowing and disallowing an empty Referer?

If empty Referers are allowed, the resource can still be opened by typing its URL directly into the browser's address bar;

if empty Referers are not allowed, direct access via the address bar is blocked as well.

Operation Steps

1. Add Class file

Write a class file that checks whether the Referer header is empty or points to an allowed page. The code is as follows:

    package com.fr.test;

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Servlet filter that rejects requests whose Referer is missing or not on the allow-list.
    public class Dodo implements Filter {

        public void init(FilterConfig config) throws ServletException {
            // nothing to initialise; the allow-list is hard-coded below
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            String referer = req.getHeader("Referer");

            // Referers starting with either address below are treated as legitimate page requests.
            // Note that this is a prefix match on a string supplied by the client.
            if (referer != null
                    && (referer.trim().startsWith("http://localhost:8033")
                        || referer.trim().startsWith("http://www.finereporthelp.com/test/hello.html"))) {
                System.out.println("normal page request " + referer);
                chain.doFilter(req, resp);
            } else {
                // Anything else (wrong Referer, or no Referer at all) is treated as hotlinking
                // and forwarded to the error page.
                System.out.println("hotlinking " + referer);
                req.getRequestDispatcher("/ldaplogin.jsp").forward(req, resp);
            }
        }

        public void destroy() {
            // nothing to clean up
        }
    }



Compile Dodo.java into a class file and place it in the %TOMCAT_HOME%\webapps\WebReport\WEB-INF\classes\com\fr\test directory.



2. Modify the web.xml file

Open the web.xml file under %TOMCAT_HOME%\webapps\WebReport\WEB-INF and configure a filter that runs on every request to the ReportServer servlet, with the following code:


    <filter>
        <filter-name>authfilter</filter-name>
        <filter-class>com.fr.test.Dodo</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>authfilter</filter-name>
        <url-pattern>/ReportServer</url-pattern>
    </filter-mapping>

With those two steps in place, a request classified as hotlinking is forwarded to the /ldaplogin.jsp error page. That page does not exist in this example, so the client simply gets a 404. If you also need data-level permissions, combine this with single sign-on or session injection.
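The filter below is an added example, not the page's Dodo.java and not FineReport code. It serves both the empty-Referer discussion above and the two-step procedure just described, and it assumes only the standard javax.servlet API on the classpath; the init-param names allowedOrigins and allowEmptyReferer, the class name RefererFilter and the Referer values in main() are all hypothetical or constructed. It replaces Dodo's string prefix match (which, for the prefix "http://localhost:8033", would also accept a Referer such as "http://localhost:8033.attacker.example/") with an exact comparison of the parsed origin, makes the empty-Referer policy configurable, and answers rejected requests with HTTP 403 instead of forwarding to a JSP that may not exist. It does not change the basic limitation: the Referer is still client-supplied, so this is hotlink deterrence, not authorisation.

```java
package com.fr.test;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hardened Referer filter (added example, not the page's Dodo.java).
 * Hypothetical web.xml init-params for this filter:
 *   <init-param><param-name>allowedOrigins</param-name>
 *               <param-value>http://localhost:8033,http://www.finereporthelp.com</param-value></init-param>
 *   <init-param><param-name>allowEmptyReferer</param-name><param-value>false</param-value></init-param>
 */
public class RefererFilter implements Filter {
    private final Set<String> allowedOrigins = new HashSet<String>();
    private boolean allowEmptyReferer = false;

    /** Normalises a URL to scheme://host:port (default port filled in); null if it cannot be parsed. */
    static String originOf(String url) {
        if (url == null) return null;
        try {
            URI u = new URI(url.trim());
            String scheme = u.getScheme();
            String host = u.getHost();   // null for "host:notaport.example", so such values are rejected
            if (scheme == null || host == null) return null;
            int port = u.getPort();
            if (port == -1) port = "https".equalsIgnoreCase(scheme) ? 443 : 80;
            return scheme.toLowerCase() + "://" + host.toLowerCase() + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** The decision, free of servlet types so it can be exercised from main() or a unit test. */
    static boolean isAllowed(String referer, Set<String> allowedOrigins, boolean allowEmptyReferer) {
        if (referer == null || referer.trim().isEmpty()) {
            return allowEmptyReferer;   // situation three: typed into the address bar, no Referer
        }
        String origin = originOf(referer);
        return origin != null && allowedOrigins.contains(origin);   // exact origin match, not a prefix
    }

    public void init(FilterConfig cfg) throws ServletException {
        String list = cfg.getInitParameter("allowedOrigins");
        if (list == null) throw new ServletException("init-param allowedOrigins is required");
        for (String entry : list.split(",")) {
            String origin = originOf(entry);
            if (origin == null) throw new ServletException("bad origin in allowedOrigins: " + entry);
            allowedOrigins.add(origin);
        }
        allowEmptyReferer = Boolean.parseBoolean(cfg.getInitParameter("allowEmptyReferer"));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isAllowed(req.getHeader("Referer"), allowedOrigins, allowEmptyReferer)) {
            chain.doFilter(req, resp);
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "hotlinking is not allowed");
        }
    }

    public void destroy() {}

    /** Replays the three situations of the effect test below without a servlet container. */
    public static void main(String[] args) {
        Set<String> allowed = new HashSet<String>(Arrays.asList(
                originOf("http://localhost:8033"), originOf("http://www.finereporthelp.com")));
        // Constructed Referer values: only the first one comes from an allowed origin.
        String[][] cases = {
            {"http://localhost:8033/test/hello.html", "true"},               // situation one
            {"http://attacker.example/steal.html", "false"},                 // situation two
            {"http://localhost:8033.attacker.example/steal.html", "false"},  // prefix-match bypass attempt
            {null, "false"},                                                 // situation three
        };
        for (String[] c : cases) {
            boolean got = isAllowed(c[0], allowed, false);
            System.out.println((got == Boolean.parseBoolean(c[1]) ? "ok   " : "FAIL ") + c[0] + " -> " + got);
        }
        // With allowEmptyReferer=true only situation three changes: the address-bar request passes.
        System.out.println("empty Referer, allowEmptyReferer=true -> " + isAllowed(null, allowed, true));
    }
}
```

Compile it with the servlet API jar on the classpath (for Tomcat, lib/servlet-api.jar) and drop the class under WEB-INF/classes/com/fr/test like Dodo; the main() method needs no container and can be run directly to see the four decisions. An origin allow-list is coarser than Dodo's check against the full hello.html URL, which is deliberate: page-level Referer matching breaks as soon as the portal page is renamed, while the origin of your own portal rarely changes.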

Effect test

Prepare two HTML files

Suppose hello.html is the legitimate referring page, i.e. its URL is on the allow-list.



Suppose steal.html is the hotlinking page, i.e. its URL is not on the allow-list.



Situation One

Jump via hello.html: the referring link is correct, i.e. the Referer is non-empty and matches the allow-list, so the report is shown.



Situation Two

Jump via steal.html: the referring link is wrong, i.e. the Referer is non-empty but does not match the allow-list, so the request is treated as hotlinking.



Situation Three

Open the report URL directly in the address bar, i.e. the Referer is empty, so the request is also treated as hotlinking.


