Application example of Java anti-hotlinking (the "anti-theft chain") in a report system (recommended)

Source: Internet
Author: User

Today we talk about Java anti-hotlinking. Many people say it is useless, so let's go straight to an application case.

The tool used here is the FineReport reporting software together with its decision system (a web front-end display system, mainly used for permission control). Java anti-hotlinking can be used to implement page-level permissions for it.

If the report URL is typed directly into the browser, the Referer header is empty. So two checks can be made on each visit: whether the Referer header is empty, and which page the request came from; if the conditions are not met, the request is redirected to an error page.

What is Referer?

Referer is a field in the HTTP header, also called the HTTP source address (HTTP Referer). It indicates the page from which the current page was linked, in the form of a URL. In other words, the HTTP Referer header can be used to check where visitors come from, which is often used to deal with forged cross-site requests.

What is an empty referer and when will there be an empty referer?

First, we define an empty Referer as a Referer header whose content is empty, or an HTTP request that does not include a Referer header at all.

So when does an HTTP request not contain a Referer field? By definition, the Referer indicates where a request was linked from, so when a request is not produced by following a link, there is naturally no link source to specify for it.

For example, if you type the URL of a resource directly into the browser's address bar, the request will not contain a Referer field, because it is an "out of thin air" HTTP request rather than a link from one page to another.

What is the difference between allowing and not allowing an empty Referer in an anti-hotlinking setting?

In anti-hotlinking, if an empty Referer is allowed, the resource URL can still be accessed directly through the browser address bar;

however, if an empty Referer is not allowed, direct access through the browser address bar is blocked as well.

Operation Steps

1. Add the class file

Write a filter class that checks whether the Referer header is empty and whether it comes from an allowed page, as follows:

package com.fr.test;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Dodo implements Filter {

    public void destroy() {
        // nothing to clean up
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String referer = req.getHeader("Referer");

        // Requests whose Referer starts with one of the following addresses are normal page requests
        if (referer != null && (referer.trim().startsWith("http://localhost:8033")
                || referer.trim().startsWith("http://www.finereporthelp.com/test/hello.html"))) {
            System.out.println("normal page request " + referer);
            chain.doFilter(req, resp);
        } else {
            // Anything else is treated as hotlinking and forwarded to the error page
            System.out.println("hotlinking " + referer);
            req.getRequestDispatcher("/ldaplogin.jsp").forward(req, resp);
        }
    }

    public void init(FilterConfig arg0) throws ServletException {
        // no configuration needed
    }
}

Compile Dodo.java into a class file and place it in the %TOMCAT_HOME%\webapps\webreport\WEB-INF\classes\com\fr\test directory.

2. Modify the web.xml file

Open the web.xml file under %TOMCAT_HOME%\webapps\webreport\WEB-INF and configure a filter that runs whenever ReportServer is requested. The configuration is as follows (note that the two filter-name values must match exactly, including case):

<filter>
    <filter-name>AuthFilter</filter-name>
    <filter-class>com.fr.test.Dodo</filter-class>
</filter>
<filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <url-pattern>/ReportServer</url-pattern>
</filter-mapping>

With these two steps done, a hotlinked request is forwarded to the ldaplogin.jsp error page above. Since no ldaplogin page actually exists, the result is a direct 404. If you also want to implement data permissions, you can use single sign-on or session injection.

Effect test

Prepare two HTML files.

Assume hello.html is the legitimate page (the correct Referer URL).

Assume steal.html is the hotlinking page.

Situation One

Jumping from hello.html, the link is correct: the Referer is not empty and is correct.

Situation Two

Jumping from steal.html, the link is wrong: the Referer is not empty but is incorrect.

Situation Three

Accessing the URL directly from the address bar: the Referer is empty.
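The following is an added example, not the original Dodo class from the post and not FineReport code. It is a hypothetical hardened version of the same filter that covers the three situations above and the "allow empty Referer" setting discussed earlier: the Referer is parsed as a URL and its origin (scheme, host and port) is compared exactly against an allow-list, so a value that merely begins with the allowed string is not accepted the way a startsWith() check would accept it; whether an empty Referer passes is controlled by an init-param; and a rejected request receives HTTP 403 instead of being forwarded to a JSP that does not exist. The class name RefererFilter, the init-param names allowedOrigins and allowEmptyReferer, and the sample URLs in main() are all assumptions made for this example.

```java
package com.fr.test;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class, not the post's Dodo filter).
public class RefererFilter implements Filter {

    private Set<String> allowedOrigins = new HashSet<String>();
    private boolean allowEmptyReferer = false;

    // Normalises a URL to its origin, e.g. "http://localhost:8033"; returns null when
    // the value has no parseable scheme and host, so garbage never matches.
    static String originOf(String url) {
        try {
            URI u = new URI(url.trim());
            if (u.getScheme() == null || u.getHost() == null) {
                return null;
            }
            int port = u.getPort();
            if (port == -1) {
                port = "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
            }
            return u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase() + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Parses a comma-separated allow-list into normalised origins.
    static Set<String> parseOrigins(String csv) {
        Set<String> origins = new HashSet<String>();
        if (csv != null) {
            for (String item : csv.split(",")) {
                String origin = originOf(item);
                if (origin != null) {
                    origins.add(origin);
                }
            }
        }
        return origins;
    }

    // Pure decision function: the three effect-test situations can be checked without a container.
    static boolean isAllowed(String referer, Set<String> allowedOrigins, boolean allowEmptyReferer) {
        if (referer == null || referer.trim().isEmpty()) {
            return allowEmptyReferer;   // situation three: direct address-bar access
        }
        String origin = originOf(referer);
        return origin != null && allowedOrigins.contains(origin);
    }

    public void init(FilterConfig config) throws ServletException {
        // Assumed init-param names; set them in web.xml under this filter's <filter> element.
        allowedOrigins = parseOrigins(config.getInitParameter("allowedOrigins"));
        allowEmptyReferer = "true".equalsIgnoreCase(config.getInitParameter("allowEmptyReferer"));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isAllowed(req.getHeader("Referer"), allowedOrigins, allowEmptyReferer)) {
            chain.doFilter(req, resp);
        } else {
            // Reject explicitly rather than forwarding to a page that may not exist.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "hotlinking rejected");
        }
    }

    public void destroy() {
    }

    // Walks through the three situations with constructed sample values.
    public static void main(String[] args) {
        Set<String> allowed = parseOrigins("http://localhost:8033");
        System.out.println("situation one, correct Referer:   "
                + isAllowed("http://localhost:8033/hello.html", allowed, false));
        System.out.println("situation two, wrong Referer:     "
                + isAllowed("http://other.example/steal.html", allowed, false));
        System.out.println("situation two, prefix-only match: "
                + isAllowed("http://localhost:8033.other.example/steal.html", allowed, false));
        System.out.println("situation three, empty, disallowed: "
                + isAllowed(null, allowed, false));
        System.out.println("situation three, empty, allowed:    "
                + isAllowed(null, allowed, true));
    }
}
```

To wire it in, register com.fr.test.RefererFilter in web.xml exactly like the Dodo filter above and add two init-param entries, allowedOrigins (comma-separated origins) and allowEmptyReferer (true or false). Keep in mind that the Referer header is set by the client and may be stripped by privacy settings or omitted on cross-origin navigations, so this check deters casual hotlinking but is not an authentication mechanism; real data permissions still need the single sign-on or session approach the post mentions.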
