我有一个类似的要求,保护我的 Ajax 资源 - 不是从浏览器地址栏调用,而是通过 AJAX 请求,基本上是 XMLHTTPRequest。
编写了一个 AjaxOnlyFilter,它在字符串数组中查找 URL 映射,如果匹配,则检查是否存在“X-Requested-With”标头。
如果标头不存在或值与值“XMLHttpRequest”不匹配,则在 requestDispatcher 上调用转发到错误页面或设置 400 状态。
private String[] mappings = { "/model", "/records" , "/update" , "/insert", "/delete"};
public boolean urlContainsMappingsFromAJAXList(String url)
{
for(int i =0; i < mappings.length; i++)
{
if(url.contains(mappings[i]))
{
return true;
}
}
return false;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
StringBuffer requestURL = httpServletRequest.getRequestURL();
if(urlContainsMappingsFromAJAXList(requestURL.toString())){
String requestedWithHeader = httpServletRequest.getHeader("X-Requested-With");
//if X-Requested-With header is not XMLHttpRequest
if(requestedWithHeader==null || (!requestedWithHeader.equalsIgnoreCase("xmlhttprequest"))){
LOGGER.debug("Not a AJAX request, redirection to error page");
httpServletRequest.getRequestDispatcher("error404.jsp").forward(request, response);
return;
}
//else continue with filter chain
}
//else continue with filter chain
// pass the request along the filter chain
filterChain.doFilter(request, response);
}