Spring Boot 防止接口被惡意刷新、暴力請求
?在實際項目使用中,必須要考慮服務的安全性,當服務部署到互聯網以后,就要考慮服務被惡意請求和暴力攻擊的情況,下面的教程,通過Spring Boot提供的HandlerInterceptor和Redis 針對 Url + ip在一定時間內訪問的次數來將ip禁用,可以根據自己的業務需求進行相應的修改,以達到自己的目的。
首先創建一個自定義的攔截器類,也是最核心的代碼。
/**
* @ProjectName: cdkj-framework
* @Package: com.cdkjframework.core.spring.filter
* @ClassName: FilterHandlerInterceptor
* @Description: 攔截過濾
* @Author: xiaLin
* @Date: 2022/6/22 13:36
* @Version: 1.0
*/
public class FilterHandlerInterceptor implements HandlerInterceptor {
/**
* 日志
*/
private LogUtils logUtils = LogUtils.getLogger(FilterHandlerInterceptor.class);
/**
* redis鎖
*/
private final RedisLettuceLock redisLettuceLock;
/**
* IP頭部變量(可能通過Nginx代理后)
*/
private static final String HEADER_IP = "X-Real-IP";
/**
* 鎖IP請求URL地址KEY
*/
private static final String LOCK_IP_URL_KEY = "lock_ip_";
/**
* IP請求URL地址時間
*/
private static final String IP_URL_REQ_TIME = "ip_url_times_";
/**
* 極限時間
*/
private static final long LIMIT_TIMES = 5;
/**
* IP鎖定時間 秒
*/
private static final int IP_LOCK_TIME = 60;
/**
* 構建函數
*/
public FilterHandlerInterceptor(RedisLettuceLock redisLettuceLock) {
this.redisLettuceLock = redisLettuceLock;
}
/**
* 預處理
*
* @param request 請求
* @param response 響應
* @param o 參數
* @return 返回結果
* @throws Exception 異常信息
*/
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object o) throws Exception {
String ip = request.getHeader(HEADER_IP);
if (StringUtils.isNullAndSpaceOrEmpty(ip)) {
ip = request.getRemoteAddr();
}
logUtils.info("request 請求地址 Uri={},ip={}", request.getRequestURI(), ip);
if (ipIsLock(ip)) {
logUtils.info("ip訪問被禁止={}", ip);
ResponseBuilder builder = ResponseBuilder.failBuilder("ip訪問被禁止");
returnJson(response, builder);
return false;
}
if (!addRequest(ip, request.getRequestURI())) {
ResponseBuilder builder = ResponseBuilder.failBuilder("ip訪問被禁止");
returnJson(response, builder);
return false;
}
return true;
}
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
}
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
}
/**
* IP 是否已鎖
*
* @param ip IP 地址
* @return 返回是否成功
*/
private Boolean ipIsLock(String ip) {
if (redisLettuceLock.lock(LOCK_IP_URL_KEY + ip)) {
return true;
}
return false;
}
/**
* 添加請求信息
*
* @param ip IP 地址
* @param uri 請求路徑
* @return 返回是否成功
*/
private Boolean addRequest(String ip, String uri) {
String key = IP_URL_REQ_TIME + ip + uri;
if (RedisUtils.syncExists(key)) {
long time = RedisUtils.syncIncr(key, IntegerConsts.ONE);
if (time >= LIMIT_TIMES) {
redisLettuceLock.lock(LOCK_IP_URL_KEY + ip, IP_LOCK_TIME, ip);
return false;
}
} else {
redisLettuceLock.lock(key, (long) IntegerConsts.ONE, IntegerConsts.ONE);
}
return true;
}
/**
* 返回結果
*
* @param response 響應
* @param builder 返回結果
* @throws Exception 異常信息
*/
private void returnJson(HttpServletResponse response, ResponseBuilder builder) throws Exception {
ResponseUtils.out(response, builder);
}
}
最后將上面自定義的攔截器通過WebMvcConfigurer下的registry.addInterceptor添加一下,就生效了。
/**
* @ProjectName: cdkj-framework
* @Package: com.cdkjframework.core.spring.filter
* @ClassName: WebMvcFilterConfigurerAdapter
* @Description: java類作用描述
* @Author: xiaLin
* @Date: 2022/6/22 13:37
* @Version: 1.0
*/
@RequiredArgsConstructor
public class WebMvcFilterConfigurerAdapter implements WebMvcConfigurer {
/**
* redis鎖
*/
private final RedisLettuceLock redisLettuceLock;
/**
* 過慮句柄攔截器
*
* @return 返回攔截器
*/
@Bean
private FilterHandlerInterceptor filterHandlerInterceptor() {
return new FilterHandlerInterceptor(redisLettuceLock);
}
/**
* 添加 攔截器
*
* @param registry 攔截器注冊
*/
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(filterHandlerInterceptor()).addPathPatterns("/**");
}
}
自己可以寫一個for循環來測試改功能,這里就不具體詳細介紹了。
文章中的工具類可參考:https://gitee.com/cdkjframework/common/tree/1.0.2/
浙公網安備 33010602011771號