IP白名单鉴权

程序员文章站 2022-05-18 20:49:35

...

参考地址：https://www.cnblogs.com/shinubi/p/6723003.html

开发过程中，当给第三方提供接口的时候，总会涉及到对ip鉴权，防止其他用户非法访问。而要完成以上功能，需要做到三步：
1. 获取客户端真实ip
2. 设置访问白名单
3. 过滤非法ip

获取客户端真实IP，已在上一篇做了介绍，这里不在赘述，以下主要介绍后两步。

获取白名单

以下白名单工具类支持单个ip、包含一个通配符“*” 和IP范围设置

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * @ClassName:IPWhiteUtil
 * @Function: IP 白名单.
 * @Reason:关于IP白名单相关.
 * @Date: 2018-5-8
 * @version
 */
public class IPWhiteUtil {
    // IP的正则
    private static Pattern pattern = Pattern
            .compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
                    + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
                    + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
                    + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");

    /**
     * 
     * getAvaliIpList:(根据IP白名单设置获取可用的IP列表).
     * 
     * @date 2018-5-8 
     * @param ipConfig
     * @return
     */

    private static Set<String> getAvaliIpList(String allowIp) {

        Set<String> ipList = new HashSet<String>();
        for (String allow : allowIp.replaceAll("\\s", "").split(";")) {
            if (allow.indexOf("*") > -1) {
                String[] ips = allow.split("\\.");
                String[] from = new String[] { "0", "0", "0", "0" };
                String[] end = new String[] { "255", "255", "255", "255" };
                List<String> tem = new ArrayList<String>();
                for (int i = 0; i < ips.length; i++)
                    if (ips[i].indexOf("*") > -1) {
                        tem = complete(ips[i]);
                        from[i] = null;
                        end[i] = null;
                    } else {
                        from[i] = ips[i];
                        end[i] = ips[i];
                    }

                StringBuffer fromIP = new StringBuffer();
                StringBuffer endIP = new StringBuffer();
                for (int i = 0; i < 4; i++)
                    if (from[i] != null) {
                        fromIP.append(from[i]).append(".");
                        endIP.append(end[i]).append(".");
                    } else {
                        fromIP.append("[*].");
                        endIP.append("[*].");
                    }
                fromIP.deleteCharAt(fromIP.length() - 1);
                endIP.deleteCharAt(endIP.length() - 1);

                for (String s : tem) {
                    String ip = fromIP.toString().replace("[*]",
                            s.split(";")[0])
                            + "-"
                            + endIP.toString().replace("[*]", s.split(";")[1]);
                    if (validate(ip)) {
                        ipList.add(ip);
                    }
                }
            } else {
                if (validate(allow)) {
                    ipList.add(allow);
                }
            }

        }
        return ipList;
    }

    /**
     * 对单个IP节点进行范围限定
     * 
     * @param arg
     * @return 返回限定后的IP范围，格式为List[10;19, 100;199]
     */
    private static List<String> complete(String arg) {
        List<String> com = new ArrayList<String>();
        if (arg.length() == 1) {
            com.add("0;255");
        } else if (arg.length() == 2) {
            String s1 = complete(arg, 1);
            if (s1 != null)
                com.add(s1);
            String s2 = complete(arg, 2);
            if (s2 != null)
                com.add(s2);
        } else {
            String s1 = complete(arg, 1);
            if (s1 != null)
                com.add(s1);
        }
        return com;
    }

    private static String complete(String arg, int length) {
        String from = "";
        String end = "";
        if (length == 1) {
            from = arg.replace("*", "0");
            end = arg.replace("*", "9");
        } else {
            from = arg.replace("*", "00");
            end = arg.replace("*", "99");
        }
        if (Integer.valueOf(from) > 255)
            return null;
        if (Integer.valueOf(end) > 255)
            end = "255";
        return from + ";" + end;
    }

    /**
     * 在添加至白名单时进行格式校验
     * 
     * @param ip
     * @return
     */
    private static boolean validate(String ip) {
        for (String s : ip.split("-"))
            if (!pattern.matcher(s).matches()) {
                return false;
            }
        return true;
    }

    /**
     * 
     * checkLoginIP:(根据IP,及可用Ip列表来判断ip是否包含在白名单之中).
     * @date 2018-5-8 下午03:01:03
     * @param ip
     * @param ipList
     * @return
     */
    private static boolean checkLoginIP(String ip, Set<String> ipList) {
        if (ipList.isEmpty() || ipList.contains(ip))
            return true;
        else {
            for (String allow : ipList) {
                if (allow.indexOf("-") > -1) {
                    String[] from = allow.split("-")[0].split("\\.");
                    String[] end = allow.split("-")[1].split("\\.");
                    String[] tag = ip.split("\\.");

                    // 对IP从左到右进行逐段匹配
                    boolean check = true;
                    for (int i = 0; i < 4; i++) {
                        int s = Integer.valueOf(from[i]);
                        int t = Integer.valueOf(tag[i]);
                        int e = Integer.valueOf(end[i]);
                        if (!(s <= t && t <= e)) {
                            check = false;
                            break;
                        }
                    }
                    if (check) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    /**
     * 
     * checkLoginIP:(根据IP地址，及IP白名单设置规则判断IP是否包含在白名单).
     * @date 2018-5-8 
     * @param ip
     * @param ipWhiteConfig
     * @return
     */
    public static boolean checkLoginIP(String ip,String ipWhiteConfig){
        Set<String> ipList = getAvaliIpList(ipWhiteConfig);
        return checkLoginIP(ip, ipList);
    }

    public static void main(String[] args) {

        String ipWhilte = "192.168.1.1;" +                 //设置单个IP的白名单
                          "192.168.2.*;" +                 //设置ip通配符,对一个ip段进行匹配
                          "192.168.3.17-192.168.3.38";     //设置一个IP范围
        boolean flag = IPWhiteUtil.checkLoginIP("192.168.2.2",ipWhilte);
        boolean flag2 = IPWhiteUtil.checkLoginIP("192.168.1.2",ipWhilte);
        boolean flag3 = IPWhiteUtil.checkLoginIP("192.168.3.16",ipWhilte);
        boolean flag4 = IPWhiteUtil.checkLoginIP("192.168.3.19",ipWhilte);
        System.out.println(flag);  //true
        System.out.println(flag2);  //false
        System.out.println(flag3);  //false
        System.out.println(flag4);  //true
    }
}

通过spring MVC拦截器拦截IP

继承HandlerInterceptorAdapter类，并重写preHandle方法

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import com.neusoft.airline.scal.ota.util.IPWhiteUtil;
import com.neusoft.airline.scal.ota.util.OtaConfigUtil;

public class IPLimitInterceptor extends HandlerInterceptorAdapter{

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String ip = getIpAddress(request);
        String whiteIPList = OtaConfigUtil.getOtaWhiteIP();
        if(IPWhiteUtil.checkLoginIP(ip, whiteIPList)) {
            return super.preHandle(request, response, handler);
        }
        throw new Exception("IP非法访问!");
    }

    private String getIpAddress(HttpServletRequest request) {
        String ip = request.getHeader("x-forwarded-for");
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("Proxy-Client-IP");
        }
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("WL-Proxy-Client-IP");
        }
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("HTTP_CLIENT_IP");
        }
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("HTTP_X_FORWARDED_FOR");
        }
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getRemoteAddr();
        }
        //对于通过多个代理的情况，第一个IP为客户端真实IP,多个IP按照','分割    
        if(ip!=null && ip.length()>15){ //"***.***.***.***".length() = 15    
            if(ip.indexOf(",")>0){    
                ip = ip.substring(0,ip.indexOf(","));    
            }    
        }    
        System.out.println("访问ip========="+ip);
        return ip;
    }
}

在springMVC配置文件中添加映射

<mvc:interceptors>
    <!-- IP鉴权拦截器 -->
    <mvc:interceptor>
        <mvc:mapping path="/**"/>
        <bean class="com.neusoft.airline.scal.ota.interceptor.IPLimitInterceptor"></bean>
    </mvc:interceptor>
</mvc:interceptors>

IP白名单鉴权

获取白名单

通过spring MVC拦截器拦截IP

php实现ip白名单黑名单功能

React路由鉴权的实现方法

一步步教会你微信小程序的登录鉴权

聊聊鉴权那些事(推荐)

SpringSecurity动态加载用户角色权限实现登录及鉴权

Node.js 应用：Koa2 使用 JWT 进行鉴权

PHP　限制访问ip白名单

微信公众号如IP白名单在哪里? 微信公众平台ip白名单配置方法

centOS7 下利用iptables配置IP地址白名单的方法

详解nuxt路由鉴权(express模板)

IP白名单鉴权

获取白名单

通过spring MVC拦截器拦截IP

php实现ip白名单黑名单功能

React路由鉴权的实现方法

一步步教会你微信小程序的登录鉴权

聊聊鉴权那些事(推荐)

SpringSecurity动态加载用户角色权限实现登录及鉴权

Node.js 应用：Koa2 使用 JWT 进行鉴权

PHP 限制访问ip白名单

微信公众号如IP白名单在哪里? 微信公众平台ip白名单配置方法

centOS7 下利用iptables配置IP地址白名单的方法

详解nuxt路由鉴权(express模板)

PHP　限制访问ip白名单