diy csrf error code

JoyChou93 · JoyChou93 · commit 86d2551b2e45 · 2019-06-10T20:17:37.000+08:00
diff --git a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
@@ -0,0 +1,26 @@
+package org.joychou;
+
+
+import org.springframework.http.MediaType;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
+
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response,
+                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        response.setContentType(MediaType.TEXT_HTML_VALUE);
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        response.getWriter().write("CSRF check failed by JoyChou.");
+    }
+
+}
+
diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/WebSecurityConfig.java
@@ -6,7 +6,6 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.util.matcher.RequestMatcher;
-
 import javax.servlet.http.HttpServletRequest;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -38,6 +37,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .requireCsrfProtectionMatcher(csrfRequestMatcher)
                 .ignoringAntMatchers("/xxe/**", "/fastjon/**")  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
+        http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
         // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
     }
 }
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -115,8 +115,7 @@ public String urlVul(HttpServletRequest request) throws Exception{
         }
     }
 
-
-    // 安全代码
+    // 利用InternetDomainName库获取一级域名的安全代码 (一级域名白名单)
     @RequestMapping("/seccode")
     @ResponseBody
     public String seccode(HttpServletRequest request) throws Exception{
@@ -141,4 +140,73 @@ public String seccode(HttpServletRequest request) throws Exception{
             return "URL is illegal";
         }
     }
+
+    /**
+     * @desc 自定义一级域名白名单
+     * @usage http://localhost:8080/url/seccode1?url=http://aa.taobao.com
+     * @param request
+     * @return
+     * @throws Exception
+     */
+    @RequestMapping("/seccode1")
+    @ResponseBody
+    public String seccode1(HttpServletRequest request) throws Exception{
+
+        // 定义一级域名白名单list，用endsWith加上.判断
+        String whiteDomainlists[] = {"taobao.com", "tmall.com"};
+
+        String url = request.getParameter("url");
+        System.out.println("url:  " + url);
+        URI uri = new URI(url);
+        URL u = new URL(url);
+        // 判断是否是http(s)协议
+        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+            return "URL is not http or https";
+        }
+        // 使用uri获取host
+        String host = uri.getHost().toLowerCase();
+        System.out.println("host:  " + host);
+
+        for (String domain: whiteDomainlists){
+            if (host.endsWith("." + domain)) {
+                return "good url";
+            }
+        }
+
+        return "bad url";
+    }
+
+    /**
+     * @desc 自定义多级域名白名单
+     * @usage http://localhost:8080/url/seccode2?url=http://ccc.bbb.taobao.com
+     * @param request
+     * @return
+     * @throws Exception
+     */
+    @RequestMapping("/seccode2")
+    @ResponseBody
+    public String seccode2(HttpServletRequest request) throws Exception{
+
+        // 定义多级域名白名单，判断使用equals
+        String whiteDomainlists[] = {"aaa.taobao.com", "ccc.bbb.taobao.com"};
+
+        String url = request.getParameter("url");
+        System.out.println("url:  " + url);
+        URI uri = new URI(url);
+        URL u = new URL(url);
+        // 判断是否是http(s)协议
+        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+            return "URL is not http or https";
+        }
+        // 使用uri获取host
+        String host = uri.getHost().toLowerCase();
+        System.out.println("host:  " + host);
+
+        for (String domain: whiteDomainlists){
+            if (host.equals(domain)) {
+                return "good url";
+            }
+        }
+        return "bad url";
+    }
 }
