解决方案：

增加一个过滤器，当请求头Referer中包含扫描里的http://bogus.referer.hcl.com时，禁止访问

/*******************************************************************************

* @(#)CSRFilter.java 2020/4/7

*

* Copyright 2020 emrubik Group Ltd. All rights reserved.

* EMRubik PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

*******************************************************************************/

package com.emrubik.emp.uc.portal.common.communicate;

import java.io.IOException;

import javax.servlet.*;

import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

/**

* @author hongcq

* @version 1.0 $ 2020/4/7 13:03

*/

public class CsrFilter implements Filter {

/**

* log

*/

private Logger log = LoggerFactory.getLogger(CsrFilter.class);

/**

* referer

*/

private String[] verifyReferer = null;

/**

* Called by the web container to indicate to a filter that it is being placed into service.

*

* The servlet container calls the init method exactly once after instantiating the filter. The init

* method must complete successfully before the filter is asked to do any filtering work.

*

* The web container cannot place the filter into service if the init method either

*

*

Throws a ServletException

*

Does not return within a time period defined by the web container

*

*

* @param filterConfig

* filterConfig

*/

@Override

public void init(FilterConfig filterConfig) throws ServletException {

String referer = filterConfig.getInitParameter("referer");

this.verifyReferer = referer.split(",");

}

/**

* The doFilter method of the Filter is called by the container each time a

* request/response pair is passed through the chain due to a client request for a resource at the

* end of the chain. The FilterChain passed in to this method allows the Filter to pass on the

* request and response to the next entity in the chain.

*

* A typical implementation of this method would follow the following pattern:

*

*

Examine the request

*

Optionally wrap the request object with a custom implementation to filter content or headers

* for input filtering

*

Optionally wrap the response object with a custom implementation to filter content or headers

* for output filtering

*

*

*

Either invoke the next entity in the chain using the FilterChain object

* (chain.doFilter()),

*

or not pass on the request/response pair to the next entity in the filter

* chain to block the request processing

*

*

Directly set headers on the response after invocation of the next entity in the filter chain.

*

*

* @param request

* 请求

* @param response

* 响应

* @param chain

* 链

*/

@Override

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)

throws IOException, ServletException {

String referer = ((HttpServletRequest) request).getHeader("Referer");

boolean b = false;

for (String vReferer : verifyReferer) {

if (null == referer || !referer.trim().equalsIgnoreCase(vReferer)) {

b = true;

chain.doFilter(request, response);

break;

}

}

if (!b) {

log.info("疑似遭到CSRF攻击,referer:" + referer);

}

}

/**

* Called by the web container to indicate to a filter that it is being taken out of service.

*

* This method is only called once all threads within the filter's doFilter method have exited or

* after a timeout period has passed. After the web container calls this method, it will not call

* the doFilter method again on this instance of the filter.

*

* This method gives the filter an opportunity to clean up any resources that are being held (for

* example, memory, file handles, threads) and make sure that any persistent state is synchronized

* with the filter's current state in memory.

*/

@Override

public void destroy() {

}

}

CsrFilter

com.emrubik.emp.uc.portal.common.communicate.CsrFilter

referer

http://bogus.referer.hcl.com

CsrFilter

/*

项目web.xml中增加如上配置

来源：oschina

链接：https://my.oschina.net/u/4170983/blog/3225278