Today we will talk about Java anti-leech (hotlink protection) links. Rather than dwell on theory, we will go straight to a practical case.
The tool used here is the reporting software FineReport, which ships with a decision-making system (a web front-end display system used mainly for permission control); Java anti-leech filtering can be used to restrict access to its report pages.
When a report URL is entered directly in the browser, the request carries no Referer header. The filter can therefore make two checks on each access: whether the Referer header is empty, and which page the request was linked from; if a request fails these checks, it is simply sent to an error page.
What is a Referer?
The Referer here is a field in the HTTP request header, also called the HTTP source address (HTTP Referer). It indicates the page from which the current page was linked, and its value is a URL. In other words, using the HTTP Referer header a web page can tell where its visitors came from, which is also commonly used to defend against cross-site request forgery.
What is an empty Referer and when will an empty Referer appear?
First, we define an empty Referer as either a Referer header whose content is empty or an HTTP request that does not contain the Referer header at all.
So when does an HTTP request not include the Referer field? By definition, the Referer indicates where a request was linked from; when a request is not produced by following a link, there is naturally no link source to specify.
For example, if you type a resource's URL directly into the browser's address bar, the request will not include a Referer field, because this HTTP request is "generated out of thin air" and was not linked from anywhere.
In anti-leech settings, what is the difference between allowing and disallowing an empty Referer?
In anti-leech protection, if an empty Referer is allowed, the resource URL can be accessed directly from the browser address bar;
however, if an empty Referer is not allowed, direct access through the browser address bar is blocked as well.
Operation steps
1. Add the class file
Write a class that checks whether the Referer header is empty. The code is as follows (the extra closing parentheses and the comment that swallowed the else branch in the original listing have been corrected, and unused imports removed):

package com.fr.test;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Dodo implements Filter {

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Header names are case-insensitive; "referer" is the (historically misspelled) standard name
        String referer = req.getHeader("referer");
        // A request whose Referer starts with one of the addresses below is a normal page request
        if (null != referer
                && (referer.trim().startsWith("http://localhost:8033")
                    || referer.trim().startsWith("http://www.finereporthelp.com/test/hello.html"))) {
            System.out.println("normal page request " + referer);
            chain.doFilter(req, resp);
        } else {
            // Empty or foreign Referer: treat as a stolen link and forward to the error page
            System.out.println("Chain Steal " + referer);
            req.getRequestDispatcher("/LdapLogin.jsp").forward(req, resp);
        }
    }

    public void init(FilterConfig arg0) throws ServletException {
        // no configuration needed
    }
}

Compile Dodo.java into a class file and place it in the %TOMCAT_HOME%/WebReport/WEB-INF/classes/com/fr/test directory.
2. Modify the web.xml file
Open the web.xml file under %TOMCAT_HOME%/webapps/WebReport/WEB-INF and configure a filter that runs whenever the /ReportServer path is requested. The code is as follows:

<filter>
    <filter-name>AuthFilter</filter-name>
    <filter-class>com.fr.test.Dodo</filter-class>
</filter>
<filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <url-pattern>/ReportServer</url-pattern>
</filter-mapping>

That completes the two steps. If a link is hotlinked, the request is forwarded to the LdapLogin error page mentioned above; since no LdapLogin page exists here, the result is a 404. If you want to enforce data permissions, use single sign-on or session injection.
Effectiveness test
Prepare two HTML files.
Assume hello.html is the page with the correct (allowed) link:

<html>
<body>
<p>Test</p>
<a href="http://localhost:8033/WebReport/ReportServer?reportlet=demo%2Fnewchart%2Fothers%2FLogarithmic_axis.cpt&op=write">Anti-leech test</a>
</body>
</html>

Assume steel.html is the page that hotlinks the URL:

<html>
<body>
<p>Test, wrong link address</p>
<a href="http://localhost:8033/WebReport/ReportServer?reportlet=demo%2Fnewchart%2Fothers%2FLogarithmic_axis.cpt&op=write">Anti-leech test</a>
</body>
</html>
Situation 1
Access the report through hello.html: the linking page is correct, i.e. the Referer is non-empty and allowed.
Situation 2
Access the report through steel.html: the linking page is wrong, i.e. the Referer is non-empty but not allowed.
Situation 3
Access the URL directly from the address bar, i.e. the Referer is empty.
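To make the three situations above (and the allow/disallow empty Referer distinction from the concept section) checkable without deploying to Tomcat, here is an added example of the same Referer decision as a standalone policy class. It is not FineReport's code or the filter from this article: the allowed sources and the host other.example are constructed for the example, and instead of String.startsWith it compares the parsed origin (scheme, host, port) of the Referer against an allowlist, so only the listed origins pass rather than any value that merely begins with the same characters.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/**
 * Added example (not FineReport's code): the Referer decision of an
 * anti-leech filter, isolated from the servlet API so it can be run
 * from the command line.
 */
public class RefererPolicy {

    /** Allowed referring origins (constructed for this example). */
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("http://localhost:8033", "http://www.finereporthelp.com");

    public enum Verdict { ALLOWED, EMPTY_REFERER, FOREIGN_REFERER, MALFORMED_REFERER }

    /** Normalises an absolute URL to scheme://host[:port], lower-casing scheme and host. */
    static String originOf(String url) throws URISyntaxException {
        URI uri = new URI(url.trim());
        if (uri.getScheme() == null || uri.getHost() == null) {
            throw new URISyntaxException(url, "absolute URL with a host is required");
        }
        String origin = uri.getScheme().toLowerCase() + "://" + uri.getHost().toLowerCase();
        return uri.getPort() == -1 ? origin : origin + ":" + uri.getPort();
    }

    /**
     * @param referer    value of the Referer header, or null when the header is absent
     * @param allowEmpty whether an absent or blank Referer (direct address-bar access) is accepted
     */
    public static Verdict check(String referer, boolean allowEmpty) {
        // Empty Referer: header missing or blank, as defined in the article
        if (referer == null || referer.trim().isEmpty()) {
            return allowEmpty ? Verdict.ALLOWED : Verdict.EMPTY_REFERER;
        }
        try {
            return ALLOWED_ORIGINS.contains(originOf(referer))
                    ? Verdict.ALLOWED : Verdict.FOREIGN_REFERER;
        } catch (URISyntaxException e) {
            // A Referer that is not a parseable absolute URL is never trusted
            return Verdict.MALFORMED_REFERER;
        }
    }

    public static void main(String[] args) {
        // Situation 1: link followed from hello.html on the report server
        System.out.println(check("http://localhost:8033/test/hello.html", false));   // ALLOWED
        // Situation 2: link followed from steel.html hosted elsewhere (constructed host)
        System.out.println(check("http://other.example/steel.html", false));        // FOREIGN_REFERER
        // Situation 3: URL typed into the address bar, no Referer header at all
        System.out.println(check(null, false));                                       // EMPTY_REFERER
        // Same request with empty Referer allowed
        System.out.println(check(null, true));                                        // ALLOWED
        // Garbage in the header is rejected rather than matched
        System.out.println(check("not a url", false));                                // MALFORMED_REFERER
    }
}
```

Because the browser supplies the Referer header, this check deters casual hotlinking and direct address-bar access, but it is not a substitute for the session-based data permissions the article points to (single sign-on or session injection).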
This concludes the example of applying Java anti-leech protection to reports (recommended). I hope it gives you a useful reference, and I hope you will continue to support Wulin.com.