Java Web項目經過filter限制IP訪問及路由攔截
背景
web開發中出於安全方面的考慮,對於後臺管理項目一般會對用戶訪問作限制,常見的作法是硬件上設置白名單,過濾掉不須要的IP訪問來保證管理平臺的安全。可是在硬件操做不方便的情形之下,就須要開發人員經過程序對訪問的IP進行限制,具體的實現方式可能會受到實際環境的影響而稍有不一樣,本文針對直接部署在tomcat下web項目(且無nginx或其餘形式作代理)作一下詳細說明。java
實現
思路梳理
首先在web.xml中配置相應的參數,而後自定義一個filter實現Filter接口:在子定義的filter裏面的init方法和doFilter方法進行處理。init方法中獲取web.xml中配置的容許訪問的IP白名單,並對其進行有效性驗證及格式處理,定義爲集合allow;doFilter方法中從請求中獲取請求來源的IP地址,驗證地址有效性,遍歷集合allow,比較獲取的來源IP是否在集合allow中存在,存在就放行,不存在response用數據流的形式返回「您的IP被限制訪問!」信息給訪問者,至此,IP限制部分介紹完畢。文中剩餘內容是對請求路由的限制實現,也可供參考。nginx
代碼實現
web.xml配置過濾器及IP白名單
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Archetype Created Web Application</display-name>
<filter>
<filter-name>loginFilter</filter-name>
<filter-class>com.bjdata.oldsite.LoginFilter</filter-class>
<init-param>
<param-name>AllowIPList</param-name>
<param-value>
192.168.0.* ;
219.143.182.110 ;
192.168.20.140-192.168.20.205
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>loginFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
自定義過濾器init()方法獲取定義白名單
package com.bjdata.oldsite;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/**
* @Auther:
* @Date:
* @Description:
*/
public class LoginFilter implements Filter {
// 容許的IP訪問列表
private Set<String> ipList = new HashSet<String>();
// IP的正則
private Pattern pattern = Pattern
.compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// 從web.xml讀取參數
String allowIp = filterConfig.getInitParameter("AllowIPList");
// 轉換IP地址
init(allowIp);
System.err.println("Allow IP list:" + ipList);
}
/**
* 轉換IP地址的形式
* @param allowIp
*/
private void init(String allowIp) {
// 192.168.0.*轉換爲192.168.0.1-192.168.0.255
for (String allow : allowIp.replaceAll("\\s", "").split(";")) {
if (allow.indexOf("*") > -1) {
String[] ips = allow.split("\\.");
String[] from = new String[]{"0", "0", "0", "0"};
String[] end = new String[]{"255", "255", "255", "255"};
List<String> tem = new ArrayList<>();
for (int i = 0; i < ips.length; i++) {
if (ips[i].indexOf("*") > -1) {
tem = complete(ips[i]);
from[i] = null;
end[i] = null;
}else {
from[i] = ips[i];
end[i] = ips[i];
}
}
StringBuilder fromIP = new StringBuilder();
StringBuilder endIP = new StringBuilder();
for (int i = 0; i < 4; i++) {
if (from[i] != null) {
fromIP.append(from[i]).append(".");
endIP.append(end[i]).append(".");
}else {
fromIP.append("[*].");
endIP.append("[*].");
}
}
fromIP.deleteCharAt(fromIP.length() - 1);
endIP.deleteCharAt(endIP.length() - 1);
for (String s : tem) {
String ip = fromIP.toString().replace("[*]",
s.split(";")[0])
+ "-"
+ endIP.toString().replace("[*]", s.split(";")[1]);
if (validate(ip)) {
ipList.add(ip);
}
}
}else {
if (validate(allow)) {
ipList.add(allow);
}
}
}
}
/**
* 在添加至白名單時進行格式校驗
* @param allow
* @return
*/
private boolean validate(String allow) {
for (String s : allow.split("-")){
if (!pattern.matcher(s).matches()) {
return false;
}
}
return true;
}
/**
* 對單個IP節點進行範圍限定
* @param ip
* @return 返回限定後的IP範圍,格式爲List[10;19, 100;199]
*/
private List<String> complete(String ip) {
List<String> com = new ArrayList<>();
if (ip.length() == 1) {
com.add("0;255");
}else if (ip.length() == 2) {
String s1 = complete(ip, 1);
if (s1 != null){
com.add(s1);
}
String s2 = complete(ip, 2);
if (s2 != null) {
com.add(s2);
}
}else {
String s1 = complete(ip, 1);
if (s1 != null) {
com.add(s1);
}
}
return com;
}
/**
* 字符串格式處理
* @param ip
* @param length
* @return
*/
private String complete(String ip, int length) {
String from = "";
String end = "";
if (length == 1) {
from = ip.replace("*", "0");
end = ip.replace("*", "9");
}else{
from = ip.replace("*", "00");
end = ip.replace("*", "99");
}
if (Integer.valueOf(from) > 255){
return null;
}
if (Integer.valueOf(end) > 255) {
end = "255";
}
return from + ";" + end;
}
}
自定義過濾器doFilter()方法獲取請求IP並驗證是否屬於白名單
package com.bjdata.oldsite;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/**
* @Auther:
* @Date:
* @Description:
*/
public class LoginFilter implements Filter {
// 容許的IP訪問列表
private Set<String> ipList = new HashSet<String>();
// IP的正則
private Pattern pattern = Pattern
.compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
// 登陸IP控制
String ip = request.getRemoteAddr();
InetAddress inet = null;
try {
inet = InetAddress.getLocalHost();
if (ip.equals("127.0.0.1")){
ip = inet.getHostAddress();
}
} catch (UnknownHostException e) {
e.printStackTrace();
}
if (!checkLoginIP(ip)) {
response.getOutputStream().write(("您的IP被限制訪問!").getBytes());
/*response.getOutputStream().write((ip + "ip forbidden.").getBytes());*/
response.getOutputStream().flush();
return;
}
// 登陸路由控制
String requestURI = request.getRequestURI();
System.out.println(requestURI);
if(request.getRequestURI().indexOf("login.jsp")<0 && !requestURI.equals("/oldSite/getValidateCode.jsp")){
HttpSession session = request.getSession();
String sessionKey = (String)session.getAttribute("sessionKey");
if(sessionKey==null){
response.sendRedirect("login.jsp");
}
}
// 放行
filterChain.doFilter(request,response);
}
/**
* 檢查IP是不是容許的IP
* @param ip
* @return
*/
private boolean checkLoginIP(String ip) {
if (ipList.isEmpty() || ipList.contains(ip)) {
return true;
}else{
for (String allow : ipList) {
if (allow.indexOf("-") > -1){
String[] from = allow.split("-")[0].split("\\.");
String[] end = allow.split("-")[1].split("\\.");
String[] tag = ip.split("\\.");
// 對IP從左到右進行逐段匹配
boolean check = true;
for (int i = 0; i < 4; i++) {
int s = Integer.valueOf(from[i]);
int t = Integer.valueOf(tag[i]);
int e = Integer.valueOf(end[i]);
if (!(s <= t && t <= e)) {
check = false;
break;
}
}
if (check) {
return true;
}
}
}
}
return false;
}
}
自定義Filter中全部代碼摘錄以下
package com.bjdata.oldsite;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/**
* @Auther:
* @Date:
* @Description:
*/
public class LoginFilter implements Filter {
// 容許的IP訪問列表
private Set<String> ipList = new HashSet<String>();
// IP的正則
private Pattern pattern = Pattern
.compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// 從web.xml讀取參數
String allowIp = filterConfig.getInitParameter("AllowIPList");
// 轉換IP地址
init(allowIp);
System.err.println("Allow IP list:" + ipList);
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
// 登陸IP控制
String ip = request.getRemoteAddr();
InetAddress inet = null;
try {
inet = InetAddress.getLocalHost();
if (ip.equals("127.0.0.1")){
ip = inet.getHostAddress();
}
} catch (UnknownHostException e) {
e.printStackTrace();
}
if (!checkLoginIP(ip)) {
response.getOutputStream().write(("您的IP被限制訪問!").getBytes());
/*response.getOutputStream().write((ip + "ip forbidden.").getBytes());*/
response.getOutputStream().flush();
return;
}
// 登陸路由控制
String requestURI = request.getRequestURI();
System.out.println(requestURI);
if(request.getRequestURI().indexOf("login.jsp")<0 && !requestURI.equals("/oldSite/getValidateCode.jsp")){
HttpSession session = request.getSession();
String sessionKey = (String)session.getAttribute("sessionKey");
if(sessionKey==null){
response.sendRedirect("login.jsp");
}
}
// 放行
filterChain.doFilter(request,response);
}
@Override
public void destroy() {
}
/**
* 轉換IP地址的形式
* @param allowIp
*/
private void init(String allowIp) {
// 192.168.0.*轉換爲192.168.0.1-192.168.0.255
for (String allow : allowIp.replaceAll("\\s", "").split(";")) {
if (allow.indexOf("*") > -1) {
String[] ips = allow.split("\\.");
String[] from = new String[]{"0", "0", "0", "0"};
String[] end = new String[]{"255", "255", "255", "255"};
List<String> tem = new ArrayList<>();
for (int i = 0; i < ips.length; i++) {
if (ips[i].indexOf("*") > -1) {
tem = complete(ips[i]);
from[i] = null;
end[i] = null;
}else {
from[i] = ips[i];
end[i] = ips[i];
}
}
StringBuilder fromIP = new StringBuilder();
StringBuilder endIP = new StringBuilder();
for (int i = 0; i < 4; i++) {
if (from[i] != null) {
fromIP.append(from[i]).append(".");
endIP.append(end[i]).append(".");
}else {
fromIP.append("[*].");
endIP.append("[*].");
}
}
fromIP.deleteCharAt(fromIP.length() - 1);
endIP.deleteCharAt(endIP.length() - 1);
for (String s : tem) {
String ip = fromIP.toString().replace("[*]",
s.split(";")[0])
+ "-"
+ endIP.toString().replace("[*]", s.split(";")[1]);
if (validate(ip)) {
ipList.add(ip);
}
}
}else {
if (validate(allow)) {
ipList.add(allow);
}
}
}
}
/**
* 在添加至白名單時進行格式校驗
* @param allow
* @return
*/
private boolean validate(String allow) {
for (String s : allow.split("-")){
if (!pattern.matcher(s).matches()) {
return false;
}
}
return true;
}
/**
* 對單個IP節點進行範圍限定
* @param ip
* @return 返回限定後的IP範圍,格式爲List[10;19, 100;199]
*/
private List<String> complete(String ip) {
List<String> com = new ArrayList<>();
if (ip.length() == 1) {
com.add("0;255");
}else if (ip.length() == 2) {
String s1 = complete(ip, 1);
if (s1 != null){
com.add(s1);
}
String s2 = complete(ip, 2);
if (s2 != null) {
com.add(s2);
}
}else {
String s1 = complete(ip, 1);
if (s1 != null) {
com.add(s1);
}
}
return com;
}
/**
* 字符串格式處理
* @param ip
* @param length
* @return
*/
private String complete(String ip, int length) {
String from = "";
String end = "";
if (length == 1) {
from = ip.replace("*", "0");
end = ip.replace("*", "9");
}else{
from = ip.replace("*", "00");
end = ip.replace("*", "99");
}
if (Integer.valueOf(from) > 255){
return null;
}
if (Integer.valueOf(end) > 255) {
end = "255";
}
return from + ";" + end;
}
/**
* 檢查IP是不是容許的IP
* @param ip
* @return
*/
private boolean checkLoginIP(String ip) {
if (ipList.isEmpty() || ipList.contains(ip)) {
return true;
}else{
for (String allow : ipList) {
if (allow.indexOf("-") > -1){
String[] from = allow.split("-")[0].split("\\.");
String[] end = allow.split("-")[1].split("\\.");
String[] tag = ip.split("\\.");
// 對IP從左到右進行逐段匹配
boolean check = true;
for (int i = 0; i < 4; i++) {
int s = Integer.valueOf(from[i]);
int t = Integer.valueOf(tag[i]);
int e = Integer.valueOf(end[i]);
if (!(s <= t && t <= e)) {
check = false;
break;
}
}
if (check) {
return true;
}
}
}
}
return false;
}
}
相關文章
- 1. 路由導航守衛(路由攔截器)控制頁面訪問權限
- 2. 路由攔截
- 3. Java Filter(攔截器)
- 4. nginx 經過IP訪問項目
- 5. Java經過redis實現接口ip訪問頻率限制
- 6. Flutter 路由攔截
- 7. Java Web 項目訪問路徑
- 8. shiro 訪問項目根路徑不攔截
- 9. vue 路由攔截、axios請求攔截
- 10. java登陸攔截Filter
- 更多相關文章...
- • Swift 訪問控制 - Swift 教程
- • Maven 構建 Java 項目 - Maven教程
- • Docker容器實戰(六) - 容器的隔離與限制
- • ☆技術問答集錦(13)Java Instrument原理
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 路由導航守衛(路由攔截器)控制頁面訪問權限
- 2. 路由攔截
- 3. Java Filter(攔截器)
- 4. nginx 經過IP訪問項目
- 5. Java經過redis實現接口ip訪問頻率限制
- 6. Flutter 路由攔截
- 7. Java Web 項目訪問路徑
- 8. shiro 訪問項目根路徑不攔截
- 9. vue 路由攔截、axios請求攔截
- 10. java登陸攔截Filter