导读

由于项目需要,这里需要设计一个IP白名单,增加接口安全。SpringBoot项目,因为接口已经开发好,在不变动接口的情况下,采用拦截器做处理,思路是拦截指定的请求,获取到该请求的IP,然后根据该ip去配置文件查询是否存在,如果存在就允许访问,否则没有权限访问。

使用

创建配置文件ip_address.yml

  1. address:
  2.   ipFilters:
  3.     - ip: 127.0.0.1
  4.       whitelists: true
  5.     - ip: 192.168.255.255
  6.       whitelists: true

创建读取配置YML文件属性PropConfig

  1. import org.springframework.beans.factory.config.YamlPropertiesFactoryBean;
  2. import org.springframework.context.annotation.Bean;
  3. import org.springframework.context.annotation.Configuration;
  4. import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
  5. import org.springframework.core.io.ClassPathResource;
  7. import java.util.Objects;
  9. /**
  10.  * 读取配置文件
  11.  */
  12. @Configuration
  13. public class PropConfig {
  14.     @Bean
  15.     public static PropertySourcesPlaceholderConfigurer properties() {
  16.         PropertySourcesPlaceholderConfigurer configurer = new PropertySourcesPlaceholderConfigurer();
  17.         YamlPropertiesFactoryBean yaml = new YamlPropertiesFactoryBean();
  18.         yaml.setResources(new ClassPathResource("ip_address.yml"));
  19.         configurer.setProperties(Objects.requireNonNull(yaml.getObject()));
  20.         return configurer;
  21.     }
  22. }

创建实体类和IPAddress类

  • 实体类IpFilter ```java import java.io.Serializable;

/**

  • ip过滤器实体类 */ public class IpFilter implements Serializable {

    private static final long serialVersionUID = 8802493743077425037L; /**

    • ip地址 */ private String ip;

      /**

    • 白名单—true,黑名单—false */ private Boolean whitelists;

      public String getIp() { return ip; }

      public void setIp(String ip) { this.ip = ip; }

      public Boolean getWhitelists() { return whitelists; }

      public void setWhitelists(Boolean whitelists) { this.whitelists = whitelists; } }

  2. - **IpAddress类**
  4. ```java
  6. import org.springframework.boot.context.properties.ConfigurationProperties;
  7. import org.springframework.context.annotation.Configuration;
  9. import java.io.Serializable;
  10. import java.util.List;
  12. /**
  13.  * IpAddress 存放集合属性
  14.  */
  15. @Configuration
  16. @ConfigurationProperties("address")
  17. @Data
  18. public class IpAddress implements Serializable {
  20.     private static final long serialVersionUID = -1686798098991604714L;
  21.     private List<IpFilter> ipFilters; //ipFilters与yml文件的集合属性对应
  22. }

获取工具类IPUtils

  1. import javax.servlet.http.HttpServletRequest;
  3. /**
  4.  * 获取用户的IP
  5.  */
  7. public class IPUtils {
  8.    /**
  9.      * 本地IP localhost
  10.      */
  11.     private static final String NATIVEIP = "0:0:0:0:0:0:0:1";
  13.     /**
  14.      * 获取用户真实IP地址,不使用request.getRemoteAddr()的原因是有可能用户使用了代理软件方式避免真实IP地址,
  15.      * 可是,如果通过了多级反向代理的话,X-Forwarded-For的值并不止一个,而是一串IP值
  16.      *
  17.      * @return ip
  18.      */
  19.     public static String getRealIP(HttpServletRequest request) {
  20.         String ip = request.getHeader("x-forwarded-for");
  21.         if (ip != null && ip.length() != 0 && !"unknown".equalsIgnoreCase(ip)) {
  22.             // 多次反向代理后会有多个ip值,第一个ip才是真实ip
  23.             if (ip.indexOf(",") != -1) {
  24.                 ip = ip.split(",")[0];
  25.             }
  26.         }
  27.         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
  28.             ip = request.getHeader("Proxy-Client-IP");
  29.             System.out.println("Proxy-Client-IP ip: " + ip);
  30.         }
  31.         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
  32.             ip = request.getHeader("WL-Proxy-Client-IP");
  33.             System.out.println("WL-Proxy-Client-IP ip: " + ip);
  34.         }
  35.         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
  36.             ip = request.getHeader("HTTP_CLIENT_IP");
  37.             System.out.println("HTTP_CLIENT_IP ip: " + ip);
  38.         }
  39.         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
  40.             ip = request.getHeader("HTTP_X_FORWARDED_FOR");
  41.             System.out.println("HTTP_X_FORWARDED_FOR ip: " + ip);
  42.         }
  43.         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
  44.             ip = request.getHeader("X-Real-IP");
  45.             System.out.println("X-Real-IP ip: " + ip);
  46.         }
  47.         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
  48.             ip = request.getRemoteAddr();
  49.             System.out.println("getRemoteAddr ip: " + ip);
  50.         }
  51.           if (ip.equals(NATIVEIP)) {
  52.             ip = "127.0.0.1";
  53.             System.out.println("get native ip" + ip);
  54.         }
  55.         return ip;
  56.     }
  57. }

拦截器IPInterceptor

  1. import com.demo.common.entity.IpAddress;
  2. import com.demo.common.entity.IpFilter;
  3. import com.demo.common.utils.IPUtils;
  4. import org.apache.commons.lang3.StringUtils;
  5. import org.slf4j.Logger;
  6. import org.slf4j.LoggerFactory;
  7. import org.springframework.beans.factory.annotation.Autowired;
  8. import org.springframework.stereotype.Component;
  9. import org.springframework.web.servlet.HandlerInterceptor;
  10. import org.springframework.web.servlet.ModelAndView;
  12. import javax.servlet.http.HttpServletRequest;
  13. import javax.servlet.http.HttpServletResponse;
  14. import java.util.List;
  16. /**
  17.  * IP 拦截器
  18.  *
  19.  * @author hyanchao
  20.  * @create 2020/1/14 14:23
  21.  */
  22. @Component
  23. public class IPInterceptor implements HandlerInterceptor {
  24.     private static Logger LOG = LoggerFactory.getLogger(IPInterceptor.class);
  26.     @Autowired
  27.     private IpAddress address;
  29.     @Override
  30.     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
  31.         //过滤ip,若用户在白名单内,则放行
  32.         String ipAddress = IPUtils.getRealIP(request);
  33.         LOG.info("USER IP ADDRESS IS =>" + ipAddress);
  34.         if (!StringUtils.isNotBlank(ipAddress)) {
  35.             response.getWriter().append("<h1 style=\"text-align:center;\">Not allowed!</h1>");
  36.             return false;
  37.         }
  38.         //读取ip地址白名单集合,如果存在,并且为白名单,则放行,不然就拦截
  39.         List<IpFilter> ipFilters = address.getIpFilters();
  40.         if (ipFilters != null) {
  41.             for (IpFilter ips : ipFilters) {
  42.                 if (ipAddress.equals(ips.getIp()) && ips.getWhitelists()) {
  43.                     return true;
  44.                 }
  45.             }
  46.         }
  47.         response.getWriter().append("<h1 style=\"text-align:center;\">Not allowed!</h1>");
  48.         return false;
  49.     }
  52.     @Override
  53.     public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
  55.     }
  58.     @Override
  59.     public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
  61.     }
  62. }

全局配置拦截

  2. import com.demo.common.interceptor.IPInterceptor;
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.context.annotation.Configuration;
  5. import org.springframework.web.servlet.config.annotation.CorsRegistry;
  6. import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
  7. import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
  10. @Configuration
  11. public class GlobalCorsConfig extends WebMvcConfigurerAdapter {
  12.     @Autowired
  13.     private IPInterceptor ipInterceptor;
  15.     @Override
  16.     public void addInterceptors(InterceptorRegistry registry) {
  17.         // 添加拦截器,配置拦截地址,这里拦截以api请求的接口比如http://localhost/api/getUser
  18.         registry.addInterceptor(ipInterceptor).addPathPatterns("/api/**");
  19.     }
  20. }

END

这里还没有做限流处理,下次考虑试下限流。