há 1 mês atrás · 7558c176eb
--- a/ruoyi-admin/src/main/resources/application.yml
+++ b/ruoyi-admin/src/main/resources/application.yml
@@ -119,6 +119,13 @@ swagger:
 
				   # 请求前缀

			
 
				   pathMapping: /dev-api

			
 
				 

			
 
				+# 防盗链配置

			
 
				+referer:

			
 
				+  # 防盗链开关

			
 
				+  enabled: false

			
 
				+  # 允许的域名列表

			
 
				+  allowed-domains: localhost,127.0.0.1,ruoyi.vip,www.ruoyi.vip

			
 
				+

			
 
				 # 防止XSS攻击

			
 
				 xss:

			
 
				   # 过滤开关

			
--- a/ruoyi-common/src/main/java/com/ruoyi/common/filter/RefererFilter.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/filter/RefererFilter.java
@@ -0,0 +1,77 @@
 
				+package com.ruoyi.common.filter;
			
 
				+
			
 
				+import java.io.IOException;
			
 
				+import java.util.Arrays;
			
 
				+import java.util.List;
			
 
				+import javax.servlet.Filter;
			
 
				+import javax.servlet.FilterChain;
			
 
				+import javax.servlet.FilterConfig;
			
 
				+import javax.servlet.ServletException;
			
 
				+import javax.servlet.ServletRequest;
			
 
				+import javax.servlet.ServletResponse;
			
 
				+import javax.servlet.http.HttpServletRequest;
			
 
				+import javax.servlet.http.HttpServletResponse;
			
 
				+
			
 
				+/**
			
 
				+ * 防盗链过滤器
			
 
				+ * 
			
 
				+ * @author ruoyi
			
 
				+ */
			
 
				+public class RefererFilter implements Filter
			
 
				+{
			
 
				+    /**
			
 
				+     * 允许的域名列表
			
 
				+     */
			
 
				+    public List<String> allowedDomains;
			
 
				+
			
 
				+    @Override
			
 
				+    public void init(FilterConfig filterConfig) throws ServletException
			
 
				+    {
			
 
				+        String domains = filterConfig.getInitParameter("allowedDomains");
			
 
				+        this.allowedDomains = Arrays.asList(domains.split(","));
			
 
				+    }
			
 
				+
			
 
				+    @Override
			
 
				+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			
 
				+            throws IOException, ServletException
			
 
				+    {
			
 
				+        HttpServletRequest req = (HttpServletRequest) request;
			
 
				+        HttpServletResponse resp = (HttpServletResponse) response;
			
 
				+
			
 
				+        String referer = req.getHeader("Referer");
			
 
				+
			
 
				+        // 如果Referer为空，拒绝访问
			
 
				+        if (referer == null || referer.isEmpty())
			
 
				+        {
			
 
				+            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied: Referer header is required");
			
 
				+            return;
			
 
				+        }
			
 
				+
			
 
				+        // 检查Referer是否在允许的域名列表中
			
 
				+        boolean allowed = false;
			
 
				+        for (String domain : allowedDomains)
			
 
				+        {
			
 
				+            if (referer.contains(domain))
			
 
				+            {
			
 
				+                allowed = true;
			
 
				+                break;
			
 
				+            }
			
 
				+        }
			
 
				+
			
 
				+        // 根据检查结果决定是否放行
			
 
				+        if (allowed)
			
 
				+        {
			
 
				+            chain.doFilter(request, response);
			
 
				+        }
			
 
				+        else
			
 
				+        {
			
 
				+            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied: Referer '" + referer + "' is not allowed");
			
 
				+        }
			
 
				+    }
			
 
				+
			
 
				+    @Override
			
 
				+    public void destroy()
			
 
				+    {
			
 
				+
			
 
				+    }
			
 
				+}
			
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java
@@ -8,6 +8,8 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 
				 import org.springframework.boot.web.servlet.FilterRegistrationBean;

			
 
				 import org.springframework.context.annotation.Bean;

			
 
				 import org.springframework.context.annotation.Configuration;

			
 
				+import com.ruoyi.common.constant.Constants;

			
 
				+import com.ruoyi.common.filter.RefererFilter;

			
 
				 import com.ruoyi.common.filter.RepeatableFilter;

			
 
				 import com.ruoyi.common.filter.XssFilter;

			
 
				 import com.ruoyi.common.utils.StringUtils;

			
@@ -26,6 +28,9 @@ public class FilterConfig
 
				     @Value("${xss.urlPatterns}")

			
 
				     private String urlPatterns;

			
 
				 

			
 
				+    @Value("${referer.allowed-domains}")

			
 
				+    private String allowedDomains;

			
 
				+

			
 
				     @SuppressWarnings({ "rawtypes", "unchecked" })

			
 
				     @Bean

			
 
				     @ConditionalOnProperty(value = "xss.enabled", havingValue = "true")

			
@@ -43,6 +48,23 @@ public class FilterConfig
 
				         return registration;

			
 
				     }

			
 
				 

			
 
				+    @SuppressWarnings({ "rawtypes", "unchecked" })

			
 
				+    @Bean

			
 
				+    @ConditionalOnProperty(value = "referer.enabled", havingValue = "true")

			
 
				+    public FilterRegistrationBean refererFilterRegistration()

			
 
				+    {

			
 
				+        FilterRegistrationBean registration = new FilterRegistrationBean();

			
 
				+        registration.setDispatcherTypes(DispatcherType.REQUEST);

			
 
				+        registration.setFilter(new RefererFilter());

			
 
				+        registration.addUrlPatterns(Constants.RESOURCE_PREFIX + "/*");

			
 
				+        registration.setName("refererFilter");

			
 
				+        registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);

			
 
				+        Map<String, String> initParameters = new HashMap<String, String>();

			
 
				+        initParameters.put("allowedDomains", allowedDomains);

			
 
				+        registration.setInitParameters(initParameters);

			
 
				+        return registration;

			
 
				+    }

			
 
				+

			
 
				     @SuppressWarnings({ "rawtypes", "unchecked" })

			
 
				     @Bean

			
 
				     public FilterRegistrationBean someFilterRegistration()