跨站点请求伪造 CSRF攻击

安全测评测出一下问题：

以下是我的代码解决方案：

1、写好一个类，给它命名为CSRFilter.java

package com.xr.modules.sys.utils;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
 
/**
 * 跨站点请求伪造 CSRF攻击
 * @author ChenJZ
 *
 */
public class CSRFilter implements Filter {
    
    private String[] verifyReferer = null;
    
    @Override
    public void destroy() {
        
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String referer = ((HttpServletRequest)request).getHeader("Referer"); 
        boolean b = false;
        for(String vReferer : verifyReferer){
            if(referer==null || referer.trim().startsWith(vReferer)){
                b = true;
                chain.doFilter(request, response);
                break;
            }
        }
        if(!b){
            System.out.println("疑似CSRF攻击，referer:"+referer);
        }
    }
 
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String referer = filterConfig.getInitParameter("referer");
        this.verifyReferer = referer.split(",");
    }
 
}
 

2、配置web.xml

<!-- 跨站点请求伪造 CSRF攻击 -->
  <filter>
     <filter-name>CSRFilter</filter-name>
     <filter-class>com.xr.modules.sys.utils.CSRFilter</filter-class>
     <init-param>
           <param-name>referer</param-name>
           <param-value>http://localhost,http://127.0.0.1</param-value>
     </init-param>
  </filter>
  <filter-mapping>
     <filter-name>CSRFilter</filter-name>
     <url-pattern>/*</url-pattern>
  </filter-mapping>