The basic principle and implementation of hotlink protection (防盗链)

Source: Internet
Author: User
This is my implementation of hotlink protection; it also draws on an earlier article (linked at the end). The basic principle fits in one sentence: decide whether a request originates from this site by checking the Referer of the request. (The header is sent by the client and can be spoofed; that case is outside the scope of this article.)

First, what is the HTTP Referer? In short, Referer is a request header: when a browser sends a request to a web server, it usually includes a Referer that tells the server which page the request came from, and the server can use that information. For example, if my home page links to a friend's site, his server can read the Referer to count how many visitors per day reach his site by clicking the link on my home page. (Note: this article uses http://blog.csdn.net as the example site.)

If we request the resource http://blog.csdn.net/Beacher_Ma, there are two cases:
1. We type the URL directly into the browser. Then the request carries no Referer header (getHeader("Referer") returns null on the server).
2. We reach it from another page, for example by clicking a link to http://blog.csdn.net/Beacher_Ma on http://www.csdn.net. Then the Referer of the request is the URL of the linking page, which starts with http://www.csdn.net.

With this principle understood, we can implement hotlink protection with a servlet filter. There are many ways to do this on the Internet; mine is comparatively flexible: following the style of Spring's filters, I added a shouldBeFilter method. If you only want to intercept some of the action methods rather than every request, the filter first checks whether the request URL should be filtered at all; if not, the request is released immediately, which saves work. Without further ado, the code:
Anti-hotlink filter (PreventLinkFilter.java)

import java.io.*;
import java.util.*;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.slf4j.*;

public class PreventLinkFilter implements Filter {
    private static Logger logger = LoggerFactory.getLogger(PreventLinkFilter.class);
    // Regular expressions of the paths whose access is restricted
    private static List<Pattern> urlLimit = new ArrayList<Pattern>();
    // Referer prefixes that are allowed through
    private static List<String> urlAllow = new ArrayList<String>();
    // Page to redirect to when a request is refused
    private static String urlError = "";

    // Only requests whose servlet path matches one of the limit patterns need filtering
    protected boolean shouldBeFilter(HttpServletRequest request) throws ServletException {
        String path = request.getServletPath();
        for (int i = 0; i < urlLimit.size(); i++) {
            if (urlLimit.get(i).matcher(path).matches()) {
                logger.debug("current path is " + path + ", must be filtered");
                return true;
            }
        }
        return false;
    }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        if (null == httpRequest || null == httpResponse) {
            return;
        }
        // Release paths that do not match the interception regexes without a Referer check
        if (!shouldBeFilter(httpRequest)) {
            chain.doFilter(request, response);
            return;
        }
        String requestHeader = httpRequest.getHeader("Referer");
        if (null == requestHeader) {
            httpResponse.sendRedirect(urlError);
            return;
        }
        // Prefix comparison of the Referer against the allow list
        for (int i = 0; i < urlAllow.size(); i++) {
            if (requestHeader.startsWith(urlAllow.get(i))) {
                chain.doFilter(httpRequest, httpResponse);
                return;
            }
        }
        httpResponse.sendRedirect(urlError);
    }

    public void init(FilterConfig fc) throws ServletException {
        logger.debug("anti-hotlink configuration started.");
        try {
            String filename = fc.getServletContext().getRealPath("/WEB-INF/classes/preventlink.properties");
            InputStream is = new FileInputStream(new File(filename));
            Properties pp = new Properties();
            pp.load(is);
            is.close();
            // Restricted path regexes: parsed and placed in urlLimit
            parseRegx(pp.getProperty("url.limit"));
            // Allowed Referer prefixes: placed in urlAllow
            urlAllow = parseStr(urlAllow, pp.getProperty("url.allow"));
            urlError = pp.getProperty("url.error");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private void parseRegx(String str) {
        if (null != str) {
            String[] spl = str.split(",");
            for (int i = 0; i < spl.length; i++) {
                urlLimit.add(Pattern.compile(spl[i].trim()));
            }
        }
    }

    // Returns the existing list for an empty value so that urlAllow is never null in doFilter
    private List<String> parseStr(List<String> li, String str) {
        if (null == str || str.trim().equals("")) {
            return li;
        }
        List<String> result = new ArrayList<String>();
        for (String s : str.split(",")) {
            result.add(s.trim());
        }
        return result;
    }
}

File /WEB-INF/classes/preventlink.properties
# Regular expressions for the URLs to restrict, separated by commas. Here I intercept
# /csdn/index!Beacher_Ma.action (also when called as /csdn/index!Beacher_Ma.action?adsfdf).
# The pattern line is written in the form that matches these two examples; a backslash has
# to be doubled in a properties file, and getServletPath() never includes the query string.
url.limit=/.+/index!.+\\.action.*,/index!.+\\.action.*
# Prefixes the HTTP Referer must start with; the first two are for local debugging.
url.allow=http://127.0.0.1,http://localhost,http://www.csdn.net
# Page a hotlinking request is redirected to.
url.error=http://www.csdn.net/error.html

Two things to keep in mind about the allow list. startsWith is a plain prefix comparison: an entry such as http://www.csdn.net also matches a Referer like http://www.csdn.net.example/... or any port on that host, while https://www.csdn.net/... does not match at all; if the list has to identify a site precisely, compare the Referer's scheme, host and port instead of its prefix. Also, browsers omit the Referer in some situations (for example under a restrictive Referrer-Policy, or when navigating from an https page to an http one), and such visitors are then sent to url.error exactly like a direct address-bar request.
Reference article: http://shen198623.javaeye.com/blog/243330
The filter in the reference article intercepts every request, because its url-pattern is /*, so even /css and image resources go through the filter. You can either make the selection inside shouldBeFilter, or narrow the url-pattern to reduce the interception range; which one is right depends on exactly which requests you want to intercept. Image hotlink protection and download hotlink protection work on the same principle.
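To make the decision logic of the filter concrete without a servlet container, here is an added example (not code from the original post) that models shouldBeFilter and the Referer check in Python. It reads the same three settings as the properties file above, but the values are embedded as constants and the requests at the bottom are constructed; the `.example` host and the port numbers are assumptions for illustration. The block keeps the post's prefix comparison next to a stricter whole-origin comparison so the two can be run side by side on the same Referer values.

```python
import re
from urllib.parse import urlsplit

# Constructed settings that mirror the page's preventlink.properties (assumed, not read from disk).
URL_LIMIT = [re.compile(p) for p in (r"/.+/index!.+\.action.*", r"/index!.+\.action.*")]
URL_ALLOW = ["http://127.0.0.1", "http://localhost", "http://www.csdn.net"]
URL_ERROR = "http://www.csdn.net/error.html"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None if it has no usable host."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        return (parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme])
    except ValueError:  # e.g. a non-numeric port in the Referer
        return None


# The allow list reduced to whole origins, computed once as the filter's init() would.
ALLOWED_ORIGINS = {origin_of(u) for u in URL_ALLOW}


def should_be_filtered(servlet_path, limits=URL_LIMIT):
    """Counterpart of the post's shouldBeFilter: only paths matching a limit regex are checked.
    HttpServletRequest.getServletPath() never carries the query string, so neither does this path."""
    return any(p.fullmatch(servlet_path) for p in limits)  # Matcher.matches() is a full match


def referer_allowed_prefix(referer, allow=URL_ALLOW):
    """The post's check: a plain string prefix comparison (String.startsWith)."""
    return referer is not None and any(referer.startswith(a) for a in allow)


def referer_allowed_origin(referer, allowed=ALLOWED_ORIGINS):
    """Stricter check: the Referer's scheme, host and port must equal an allowed origin."""
    return referer is not None and origin_of(referer) in allowed


def decide(servlet_path, referer, check=referer_allowed_origin):
    """Model of doFilter: returns 'pass' when the request goes through, else the redirect target."""
    if not should_be_filtered(servlet_path):
        return "pass"
    return "pass" if check(referer) else URL_ERROR


if __name__ == "__main__":
    # Constructed requests: (servlet path, Referer header or None)
    samples = [
        ("/csdn/css/site.css", None),                        # not restricted, never checked
        ("/csdn/index!Beacher_Ma.action", None),             # typed into the address bar
        ("/csdn/index!Beacher_Ma.action", "http://www.csdn.net/"),
        ("/csdn/index!Beacher_Ma.action", "http://www.csdn.net.example/steal"),  # assumed host
        ("/csdn/index!Beacher_Ma.action", "http://127.0.0.1:8080/dev"),          # assumed port
    ]
    print(f"{'path':32} {'referer':36} {'prefix check':>30} {'origin check':>30}")
    for path, ref in samples:
        prefix = decide(path, ref, referer_allowed_prefix)
        origin = decide(path, ref)
        print(f"{path:32} {str(ref):36} {prefix:>30} {origin:>30}")
```

Running it prints one row per constructed request; the two columns differ only for the host that merely begins with www.csdn.net and for the non-default port, which the prefix check lets through and the origin check redirects. If local debugging really does run on another port, list that origin explicitly (http://127.0.0.1:8080) rather than loosening the comparison.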

http://blog.csdn.net/beacher_ma/article/details/5559739
