Java Web專案通過filter限制IP訪問及路由攔截
阿新 • • 發佈:2019-06-19
背景
web開發中出於安全方面的考慮,對於後臺管理專案通常會對使用者訪問做限制,常見的做法是硬體上設定白名單,過濾掉不需要的IP訪問來保證管理平臺的安全。但是在硬體操作不方便的情形之下,就需要開發人員通過程式對訪問的IP進行限制,具體的實現方式可能會受到實際環境的影響而稍有不同,本文針對直接部署在tomcat下web專案(且無nginx或其他形式做代理)做一下詳細說明。
實現
思路梳理
首先在web.xml中配置相應的引數,然後自定義一個filter實現Filter介面:在子定義的filter裡面的init方法和doFilter方法進行處理。init方法中獲取web.xml中配置的允許訪問的IP白名單,並對其進行有效性驗證及格式處理,定義為集合allow;doFilter方法中從請求中獲取請求來源的IP地址,驗證地址有效性,遍歷集合allow,比較獲取的來源IP是否在集合allow中存在,存在就放行,不存在response用資料流的形式返回“您的IP被限制訪問!”資訊給訪問者,至此,IP限制部分介紹完畢。文中剩餘內容是對請求路由的限制實現,也可供參考。
程式碼實現
web.xml配置過濾器及IP白名單
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" > <web-app> <display-name>Archetype Created Web Application</display-name> <filter> <filter-name>loginFilter</filter-name> <filter-class>com.bjdata.oldsite.LoginFilter</filter-class> <init-param> <param-name>AllowIPList</param-name> <param-value> 192.168.0.* ; 219.143.182.110 ; 192.168.20.140-192.168.20.205 </param-value> </init-param> </filter> <filter-mapping> <filter-name>loginFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>
自定義過濾器init()方法獲取定義白名單
package com.bjdata.oldsite; import javax.servlet.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import java.io.IOException; import java.net.InetAddress; import java.net.UnknownHostException; import java.util.ArrayList; import java.util.HashSet; import java.util.List; import java.util.Set; import java.util.regex.Pattern; /** * @Auther: * @Date: * @Description: */ public class LoginFilter implements Filter { // 允許的IP訪問列表 private Set<String> ipList = new HashSet<String>(); // IP的正則 private Pattern pattern = Pattern .compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\." + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\." + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\." + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})"); @Override public void init(FilterConfig filterConfig) throws ServletException { // 從web.xml讀取引數 String allowIp = filterConfig.getInitParameter("AllowIPList"); // 轉換IP地址 init(allowIp); System.err.println("Allow IP list:" + ipList); } /** * 轉換IP地址的形式 * @param allowIp */ private void init(String allowIp) { // 192.168.0.*轉換為192.168.0.1-192.168.0.255 for (String allow : allowIp.replaceAll("\\s", "").split(";")) { if (allow.indexOf("*") > -1) { String[] ips = allow.split("\\."); String[] from = new String[]{"0", "0", "0", "0"}; String[] end = new String[]{"255", "255", "255", "255"}; List<String> tem = new ArrayList<>(); for (int i = 0; i < ips.length; i++) { if (ips[i].indexOf("*") > -1) { tem = complete(ips[i]); from[i] = null; end[i] = null; }else { from[i] = ips[i]; end[i] = ips[i]; } } StringBuilder fromIP = new StringBuilder(); StringBuilder endIP = new StringBuilder(); for (int i = 0; i < 4; i++) { if (from[i] != null) { fromIP.append(from[i]).append("."); endIP.append(end[i]).append("."); }else { fromIP.append("[*]."); endIP.append("[*]."); } } fromIP.deleteCharAt(fromIP.length() - 1); endIP.deleteCharAt(endIP.length() - 1); for (String s : tem) { String ip = fromIP.toString().replace("[*]", s.split(";")[0]) + "-" + endIP.toString().replace("[*]", s.split(";")[1]); if (validate(ip)) { ipList.add(ip); } } }else { if (validate(allow)) { ipList.add(allow); } } } } /** * 在新增至白名單時進行格式校驗 * @param allow * @return */ private boolean validate(String allow) { for (String s : allow.split("-")){ if (!pattern.matcher(s).matches()) { return false; } } return true; } /** * 對單個IP節點進行範圍限定 * @param ip * @return 返回限定後的IP範圍,格式為List[10;19, 100;199] */ private List<String> complete(String ip) { List<String> com = new ArrayList<>(); if (ip.length() == 1) { com.add("0;255"); }else if (ip.length() == 2) { String s1 = complete(ip, 1); if (s1 != null){ com.add(s1); } String s2 = complete(ip, 2); if (s2 != null) { com.add(s2); } }else { String s1 = complete(ip, 1); if (s1 != null) { com.add(s1); } } return com; } /** * 字串格式處理 * @param ip * @param length * @return */ private String complete(String ip, int length) { String from = ""; String end = ""; if (length == 1) { from = ip.replace("*", "0"); end = ip.replace("*", "9"); }else{ from = ip.replace("*", "00"); end = ip.replace("*", "99"); } if (Integer.valueOf(from) > 255){ return null; } if (Integer.valueOf(end) > 255) { end = "255"; } return from + ";" + end; } }
自定義過濾器doFilter()方法獲取請求IP並驗證是否屬於白名單
package com.bjdata.oldsite;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/**
* @Auther:
* @Date:
* @Description:
*/
public class LoginFilter implements Filter {
// 允許的IP訪問列表
private Set<String> ipList = new HashSet<String>();
// IP的正則
private Pattern pattern = Pattern
.compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
// 登入IP控制
String ip = request.getRemoteAddr();
InetAddress inet = null;
try {
inet = InetAddress.getLocalHost();
if (ip.equals("127.0.0.1")){
ip = inet.getHostAddress();
}
} catch (UnknownHostException e) {
e.printStackTrace();
}
if (!checkLoginIP(ip)) {
response.getOutputStream().write(("您的IP被限制訪問!").getBytes());
/*response.getOutputStream().write((ip + "ip forbidden.").getBytes());*/
response.getOutputStream().flush();
return;
}
// 登入路由控制
String requestURI = request.getRequestURI();
System.out.println(requestURI);
if(request.getRequestURI().indexOf("login.jsp")<0 && !requestURI.equals("/oldSite/getValidateCode.jsp")){
HttpSession session = request.getSession();
String sessionKey = (String)session.getAttribute("sessionKey");
if(sessionKey==null){
response.sendRedirect("login.jsp");
}
}
// 放行
filterChain.doFilter(request,response);
}
/**
* 檢查IP是否是允許的IP
* @param ip
* @return
*/
private boolean checkLoginIP(String ip) {
if (ipList.isEmpty() || ipList.contains(ip)) {
return true;
}else{
for (String allow : ipList) {
if (allow.indexOf("-") > -1){
String[] from = allow.split("-")[0].split("\\.");
String[] end = allow.split("-")[1].split("\\.");
String[] tag = ip.split("\\.");
// 對IP從左到右進行逐段匹配
boolean check = true;
for (int i = 0; i < 4; i++) {
int s = Integer.valueOf(from[i]);
int t = Integer.valueOf(tag[i]);
int e = Integer.valueOf(end[i]);
if (!(s <= t && t <= e)) {
check = false;
break;
}
}
if (check) {
return true;
}
}
}
}
return false;
}
}
自定義Filter中所有程式碼摘錄如下
package com.bjdata.oldsite;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/**
* @Auther:
* @Date:
* @Description:
*/
public class LoginFilter implements Filter {
// 允許的IP訪問列表
private Set<String> ipList = new HashSet<String>();
// IP的正則
private Pattern pattern = Pattern
.compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// 從web.xml讀取引數
String allowIp = filterConfig.getInitParameter("AllowIPList");
// 轉換IP地址
init(allowIp);
System.err.println("Allow IP list:" + ipList);
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
// 登入IP控制
String ip = request.getRemoteAddr();
InetAddress inet = null;
try {
inet = InetAddress.getLocalHost();
if (ip.equals("127.0.0.1")){
ip = inet.getHostAddress();
}
} catch (UnknownHostException e) {
e.printStackTrace();
}
if (!checkLoginIP(ip)) {
response.getOutputStream().write(("您的IP被限制訪問!").getBytes());
/*response.getOutputStream().write((ip + "ip forbidden.").getBytes());*/
response.getOutputStream().flush();
return;
}
// 登入路由控制
String requestURI = request.getRequestURI();
System.out.println(requestURI);
if(request.getRequestURI().indexOf("login.jsp")<0 && !requestURI.equals("/oldSite/getValidateCode.jsp")){
HttpSession session = request.getSession();
String sessionKey = (String)session.getAttribute("sessionKey");
if(sessionKey==null){
response.sendRedirect("login.jsp");
}
}
// 放行
filterChain.doFilter(request,response);
}
@Override
public void destroy() {
}
/**
* 轉換IP地址的形式
* @param allowIp
*/
private void init(String allowIp) {
// 192.168.0.*轉換為192.168.0.1-192.168.0.255
for (String allow : allowIp.replaceAll("\\s", "").split(";")) {
if (allow.indexOf("*") > -1) {
String[] ips = allow.split("\\.");
String[] from = new String[]{"0", "0", "0", "0"};
String[] end = new String[]{"255", "255", "255", "255"};
List<String> tem = new ArrayList<>();
for (int i = 0; i < ips.length; i++) {
if (ips[i].indexOf("*") > -1) {
tem = complete(ips[i]);
from[i] = null;
end[i] = null;
}else {
from[i] = ips[i];
end[i] = ips[i];
}
}
StringBuilder fromIP = new StringBuilder();
StringBuilder endIP = new StringBuilder();
for (int i = 0; i < 4; i++) {
if (from[i] != null) {
fromIP.append(from[i]).append(".");
endIP.append(end[i]).append(".");
}else {
fromIP.append("[*].");
endIP.append("[*].");
}
}
fromIP.deleteCharAt(fromIP.length() - 1);
endIP.deleteCharAt(endIP.length() - 1);
for (String s : tem) {
String ip = fromIP.toString().replace("[*]",
s.split(";")[0])
+ "-"
+ endIP.toString().replace("[*]", s.split(";")[1]);
if (validate(ip)) {
ipList.add(ip);
}
}
}else {
if (validate(allow)) {
ipList.add(allow);
}
}
}
}
/**
* 在新增至白名單時進行格式校驗
* @param allow
* @return
*/
private boolean validate(String allow) {
for (String s : allow.split("-")){
if (!pattern.matcher(s).matches()) {
return false;
}
}
return true;
}
/**
* 對單個IP節點進行範圍限定
* @param ip
* @return 返回限定後的IP範圍,格式為List[10;19, 100;199]
*/
private List<String> complete(String ip) {
List<String> com = new ArrayList<>();
if (ip.length() == 1) {
com.add("0;255");
}else if (ip.length() == 2) {
String s1 = complete(ip, 1);
if (s1 != null){
com.add(s1);
}
String s2 = complete(ip, 2);
if (s2 != null) {
com.add(s2);
}
}else {
String s1 = complete(ip, 1);
if (s1 != null) {
com.add(s1);
}
}
return com;
}
/**
* 字串格式處理
* @param ip
* @param length
* @return
*/
private String complete(String ip, int length) {
String from = "";
String end = "";
if (length == 1) {
from = ip.replace("*", "0");
end = ip.replace("*", "9");
}else{
from = ip.replace("*", "00");
end = ip.replace("*", "99");
}
if (Integer.valueOf(from) > 255){
return null;
}
if (Integer.valueOf(end) > 255) {
end = "255";
}
return from + ";" + end;
}
/**
* 檢查IP是否是允許的IP
* @param ip
* @return
*/
private boolean checkLoginIP(String ip) {
if (ipList.isEmpty() || ipList.contains(ip)) {
return true;
}else{
for (String allow : ipList) {
if (allow.indexOf("-") > -1){
String[] from = allow.split("-")[0].split("\\.");
String[] end = allow.split("-")[1].split("\\.");
String[] tag = ip.split("\\.");
// 對IP從左到右進行逐段匹配
boolean check = true;
for (int i = 0; i < 4; i++) {
int s = Integer.valueOf(from[i]);
int t = Integer.valueOf(tag[i]);
int e = Integer.valueOf(end[i]);
if (!(s <= t && t <= e)) {
check = false;
break;
}
}
if (check) {
return true;
}
}
}
}
return false