0
点赞
收藏
分享

微信扫一扫

几行代码,搞定 SpringBoot 接口恶意刷新和暴力请求

爱我中华8898 2022-06-17 阅读 57

在实际项目使用中,必须要考虑服务的安全性,当服务部署到互联网以后,就要考虑服务被恶意请求和暴力攻J的情况,下面的教程,通过​​intercept​​​和​​redis​​​针对​​url+ip​​在一定时间内访问的次数来将ip禁用,可以根据自己的需求进行相应的修改,来打打自己的目的;

首先工程为springboot框架搭建,不再详细叙述。

直接上核心代码。

首先创建一个自定义的拦截器类,也是最核心的代码:

/**
* @package: com.technicalinterest.group.interceptor
* @className: IpUrlLimitInterceptor
* @description: ip+url重复请求现在拦截器
**/
@Slf4j
{


RedisUtil () {
SpringContextUtil.getBean(RedisUtil.);
}

String LOCK_IP_URL_KEY="lock_ip_";

String IP_URL_REQ_TIME="ip_url_times_";

LIMIT_TIMES=5;

IP_LOCK_TIME=60;

@Override
(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) Exception {
log.info("request请求地址uri={},ip={}", httpServletRequest.getRequestURI(), IpAdrressUtil.getIpAdrress(httpServletRequest));
(ipIsLock(IpAdrressUtil.getIpAdrress(httpServletRequest))){
log.info("ip访问被禁止={}",IpAdrressUtil.getIpAdrress(httpServletRequest));
ApiResult result = ApiResult(ResultEnum.LOCK_IP);
returnJson(httpServletResponse, JSON.toJSONString(result));
;
}
(!addRequestTime(IpAdrressUtil.getIpAdrress(httpServletRequest),httpServletRequest.getRequestURI())){
ApiResult result = ApiResult(ResultEnum.LOCK_IP);
returnJson(httpServletResponse, JSON.toJSONString(result));
;
}
;
}

@Override
(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) Exception {

}

@Override
(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) Exception {

}

/**
* @Description: 判断ip是否被禁用
* @param ip
* @return java.lang.Boolean
*/
Boolean (String ip){
RedisUtil redisUtil=getRedisUtil();
(redisUtil.hasKey(LOCK_IP_URL_KEY+ip)){
;
}
;
}
/**
* @Description: 记录请求次数
* @param ip
* @param uri
* @return java.lang.Boolean
*/
Boolean (String ip,String uri){
String key=IP_URL_REQ_TIME+ip+uri;
RedisUtil redisUtil=getRedisUtil();
(redisUtil.hasKey(key)){
time=redisUtil.incr(key,()1);
(time>=LIMIT_TIMES){
redisUtil.getLock(LOCK_IP_URL_KEY+ip,ip,IP_LOCK_TIME);
;
}
} {
redisUtil.getLock(key,()1,1);
}
;
}

(HttpServletResponse response, String json) Exception {
PrintWriter writer = ;
response.setCharacterEncoding("UTF-8");
response.setContentType("text/json; charset=utf-8");
{
writer = response.getWriter();
writer.print(json);
} (IOException e) {
log.error("LoginInterceptor response error ---> {}", e.getMessage(), e);
} {
(writer != ) {
writer.close();
}
}
}


}

代码中redis的使用的是分布式锁的形式,这样可以最大程度保证线程安全和功能的实现效果。代码中设置的是1S内同一个接口通过同一个ip访问5次,就将该ip禁用1个小时,根据自己项目需求可以自己适当修改,实现自己想要的功能;

redis分布式锁的关键代码:

/**
* @package: com.shuyu.blog.util
* @className: RedisUtil
**/
@Component
@Slf4j
{

Long SUCCESS = 1L;

@Autowired
RedisTemplate<String, Object> redisTemplate;
// =============================common============================



/**
* 获取锁
* @param lockKey
* @param value
* @param expireTime:单位-秒
* @return
*/
(String lockKey, Object value, expireTime) {
{
log.info("添加分布式锁key={},expireTime={}",lockKey,expireTime);
String script = "if redis.call('setNx',KEYS[1],ARGV[1]) then if redis.call('get',KEYS[1])==ARGV[1] then return redis.call('expire',KEYS[1],ARGV[2]) else return 0 end end";
RedisScript<String> redisScript = DefaultRedisScript<>(script, String.);
Object result = redisTemplate.execute(redisScript, Collections.singletonList(lockKey), value, expireTime);
(SUCCESS.equals(result)) {
;
}
} (Exception e) {
e.printStackTrace();
}
;
}

/**
* 释放锁
* @param lockKey
* @param value
* @return
*/
(String lockKey, String value) {
String script = "if redis.call('get', KEYS[1]) == ARGV[1] then return redis.call('del', KEYS[1]) else return 0 end";
RedisScript<String> redisScript = DefaultRedisScript<>(script, String.);
Object result = redisTemplate.execute(redisScript, Collections.singletonList(lockKey), value);
(SUCCESS.equals(result)) {
;
}
;
}

}

最后将上面自定义的拦截器通过​​registry.addInterceptor​​添加一下,就生效了;

@Configuration
@Slf4j
{
@Bean
IpUrlLimitInterceptor (){
IpUrlLimitInterceptor();
}

@Override
(InterceptorRegistry registry) {
registry.addInterceptor(getIpUrlLimitInterceptor()).addPathPatterns("/**");
.addInterceptors(registry);
}
}

自己可以写一个for循环来测试方面的功能,这里就不详细介绍了。


PS:防止找不到本篇文章,可以收藏点赞,方便翻阅查找哦

举报

相关推荐

0 条评论