Spring Boot 防止接口惡意刷新和暴力請求的實現
在實際項目使用中,必須要考慮服務的安全性,當服務部署到互聯網以後,就要考慮服務被惡意請求和暴力攻擊的情況,下面的教程,通過intercept和redis針對url+ip在一定時間內訪問的次數來將ip禁用,可以根據自己的需求進行相應的修改,來打打自己的目的;
首先工程為springboot框架搭建,不再詳細敘述。直接上核心代碼。
首先創建一個自定義的攔截器類,也是最核心的代碼;
/**
* @package: com.technicalinterest.group.interceptor
* @className: IpUrlLimitInterceptor
* @description: ip+url重復請求現在攔截器
* @author: Shuyu.Wang
* @date: 2019-10-12 12:34
* @since: 0.1
**/
@Slf4j
public class IpUrlLimitInterceptor implements HandlerInterceptor {
private RedisUtil getRedisUtil() {
return SpringContextUtil.getBean(RedisUtil.class);
}
private static final String LOCK_IP_URL_KEY="lock_ip_";
private static final String IP_URL_REQ_TIME="ip_url_times_";
private static final long LIMIT_TIMES=5;
private static final int IP_LOCK_TIME=60;
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
log.info("request請求地址uri={},ip={}", httpServletRequest.getRequestURI(), IpAdrressUtil.getIpAdrress(httpServletRequest));
if (ipIsLock(IpAdrressUtil.getIpAdrress(httpServletRequest))){
log.info("ip訪問被禁止={}",IpAdrressUtil.getIpAdrress(httpServletRequest));
ApiResult result = new ApiResult(ResultEnum.LOCK_IP);
returnJson(httpServletResponse, JSON.toJSONString(result));
return false;
}
if(!addRequestTime(IpAdrressUtil.getIpAdrress(httpServletRequest),httpServletRequest.getRequestURI())){
ApiResult result = new ApiResult(ResultEnum.LOCK_IP);
returnJson(httpServletResponse, JSON.toJSONString(result));
return false;
}
return true;
}
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
}
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
}
/**
* @Description: 判斷ip是否被禁用
* @author: shuyu.wang
* @date: 2019-10-12 13:08
* @param ip
* @return java.lang.Boolean
*/
private Boolean ipIsLock(String ip){
RedisUtil redisUtil=getRedisUtil();
if(redisUtil.hasKey(LOCK_IP_URL_KEY+ip)){
return true;
}
return false;
}
/**
* @Description: 記錄請求次數
* @author: shuyu.wang
* @date: 2019-10-12 17:18
* @param ip
* @param uri
* @return java.lang.Boolean
*/
private Boolean addRequestTime(String ip,String uri){
String key=IP_URL_REQ_TIME+ip+uri;
RedisUtil redisUtil=getRedisUtil();
if (redisUtil.hasKey(key)){
long time=redisUtil.incr(key,(long)1);
if (time>=LIMIT_TIMES){
redisUtil.getLock(LOCK_IP_URL_KEY+ip,ip,IP_LOCK_TIME);
return false;
}
}else {
redisUtil.getLock(key,(long)1,1);
}
return true;
}
private void returnJson(HttpServletResponse response, String json) throws Exception {
PrintWriter writer = null;
response.setCharacterEncoding("UTF-8");
response.setContentType("text/json; charset=utf-8");
try {
writer = response.getWriter();
writer.print(json);
} catch (IOException e) {
log.error("LoginInterceptor response error ---> {}", e.getMessage(), e);
} finally {
if (writer != null) {
writer.close();
}
}
}
}
代碼中redis的使用的是分佈式鎖的形式,這樣可以最大程度保證線程安全和功能的實現效果。代碼中設置的是1S內同一個接口通過同一個ip訪問5次,就將該ip禁用1個小時,根據自己項目需求可以自己適當修改,實現自己想要的功能;
redis分佈式鎖的關鍵代碼:
/**
* @package: com.shuyu.blog.util
* @className: RedisUtil
* @description:
* @author: Shuyu.Wang
* @date: 2019-07-14 14:42
* @since: 0.1
**/
@Component
@Slf4j
public class RedisUtil {
private static final Long SUCCESS = 1L;
@Autowired
private RedisTemplate<String, Object> redisTemplate;
// =============================common============================
/**
* 獲取鎖
* @param lockKey
* @param value
* @param expireTime:單位-秒
* @return
*/
public boolean getLock(String lockKey, Object value, int expireTime) {
try {
log.info("添加分佈式鎖key={},expireTime={}",lockKey,expireTime);
String script = "if redis.call('setNx',KEYS[1],ARGV[1]) then if redis.call('get',KEYS[1])==ARGV[1] then return redis.call('expire',KEYS[1],ARGV[2]) else return 0 end end";
RedisScript<String> redisScript = new DefaultRedisScript<>(script, String.class);
Object result = redisTemplate.execute(redisScript, Collections.singletonList(lockKey), value, expireTime);
if (SUCCESS.equals(result)) {
return true;
}
} catch (Exception e) {
e.printStackTrace();
}
return false;
}
/**
* 釋放鎖
* @param lockKey
* @param value
* @return
*/
public boolean releaseLock(String lockKey, String value) {
String script = "if redis.call('get', KEYS[1]) == ARGV[1] then return redis.call('del', KEYS[1]) else return 0 end";
RedisScript<String> redisScript = new DefaultRedisScript<>(script, String.class);
Object result = redisTemplate.execute(redisScript, Collections.singletonList(lockKey), value);
if (SUCCESS.equals(result)) {
return true;
}
return false;
}
}
最後將上面自定義的攔截器通過registry.addInterceptor添加一下,就生效瞭;
@Configuration
@Slf4j
public class MyWebAppConfig extends WebMvcConfigurerAdapter {
@Bean
IpUrlLimitInterceptor getIpUrlLimitInterceptor(){
return new IpUrlLimitInterceptor();
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(getIpUrlLimitInterceptor()).addPathPatterns("/**");
super.addInterceptors(registry);
}
}
自己可以寫一個for循環來測試方面的功能,這裡就不詳細介紹瞭;
到此這篇關於Spring Boot 防止接口惡意刷新和暴力請求的實現的文章就介紹到這瞭,更多相關Spring Boot 防止接口惡意刷新和暴力請求內容請搜索WalkonNet以前的文章或繼續瀏覽下面的相關文章希望大傢以後多多支持WalkonNet!
推薦閱讀:
- SpringBoot RedisTemplate分佈式鎖的項目實戰
- 詳解RedisTemplate下Redis分佈式鎖引發的系列問題
- 關於SpringBoot 使用 Redis 分佈式鎖解決並發問題
- 分佈式面試分佈式鎖實現及應用場景
- Redis分佈式鎖如何實現續期