springboot 接口防刷

末蓝、 2022-09-08 14:52 275阅读 0赞

springboot 接口防刷

*****************

接口防刷

刷接口造成的影响

  1. 循环访问接口,会使流量暴增,影响网站的正常对外服务
  2. 如果短信验证、支付接口遭到恶意访问,还会造成企业损失

接口防刷措施

  1. 限制ip访问频率与并发数,可用nignx进行限制
  2. limit_req_zone $binary_remote_addr zone=one:10m rate=20r/s;  #单个ip每秒请求数
  3. limit_conn_zone $binary_remote_addr zone=addr:10m;           #单个ip每秒并发数
  5. 接口添加验证码,如短信接口发送短信前先使用验证码验证
  6. 重要接口在用户认证后才能访问,非认证用户不能访问
  7. 后端对接口限流,限制同一用户访问频率,可使用guavaRedisson提供的限流工具

*****************

示例:**后端接口限流**

***********

配置文件

application.yml

  1. spring:
  2.   redis:
  3.     host: 192.168.57.120
  4.     port: 6379

***********

dto 层

ResponseResult

  1. @Data
  2. public class ResponseResult<T> {
  4.     private String code;
  5.     private String status;
  6.     private String message;
  7.     private T data;
  8. }

***********

annotation 层

RateLimiter

  1. @Documented
  2. @Target(ElementType.METHOD)
  3. @Retention(RetentionPolicy.RUNTIME)
  4. public @interface RateLimiter {
  6.     int userLimit() default 5;
  7.     int ipLimit() default 10;
  8. }

***********

interceptor 层

CustomInterceptor

  1. @Configuration
  2. public class CustomInterceptor implements HandlerInterceptor {
  4.     @Resource
  5.     private RedissonClient client;
  7.     private final ConcurrentHashMap<String,RRateLimiter> map = new ConcurrentHashMap<>();
  9.     @Override
  10.     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
  11.         if (handler instanceof HandlerMethod){
  12.             Method method = ((HandlerMethod) handler).getMethod();
  14.             Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
  15.             String userName = authentication.getName();
  17.             String path=request.getServletPath();
  18.             if (method.isAnnotationPresent(RateLimiter.class)){
  19.                 RateLimiter rateLimiter = method.getAnnotation(RateLimiter.class);
  21.                 RRateLimiter limiter;
  22.                 if (userName!=null && !userName.equals("anonymousUser")){
  23.                     int userLimit = rateLimiter.userLimit();
  25.                     String key=userName+path+"user-rate-limiter";
  26.                     if (!map.containsKey(key)){
  27.                         limiter = client.getRateLimiter(key);
  28.                         limiter.setRate(RateType.PER_CLIENT,userLimit,1, RateIntervalUnit.MINUTES);
  30.                         map.put(key,limiter);
  31.                     }else {
  32.                         limiter = map.get(key);
  33.                     }
  35.                 }else {
  36.                     int ipLimiter = rateLimiter.ipLimit();
  38.                     String remoteAddr = request.getRemoteAddr();
  39.                     String key=remoteAddr+path+"ip-rate-limiter";
  40.                     if (!map.containsKey(key)){
  41.                         limiter = client.getRateLimiter(key);
  42.                         limiter.setRate(RateType.PER_CLIENT,ipLimiter,1, RateIntervalUnit.MINUTES);
  44.                         map.put(key,limiter);
  45.                     }else {
  46.                         limiter = map.get(key);
  47.                     }
  48.                 }
  50.                 if (limiter.tryAcquire()){
  51.                     return true;
  52.                 }else {
  53.                     throw new RuntimeException("请稍后重试");
  54.                 }
  55.             }
  56.         }
  58.         return true;
  59.     }
  60. }

***********

service 层

CustomUserService

  1. @Service
  2. public class CustomUserService implements UserDetailsService {
  4.     @Resource
  5.     private PasswordEncoder passwordEncoder;
  7.     @Override
  8.     public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
  9.         return new User("gtlx",passwordEncoder.encode("123456"),
  10.                 Collections.singletonList(new SimpleGrantedAuthority("user")));
  11.     }
  12. }

***********

config 层

DataConfig

  1. @Configuration
  2. public class DataConfig {
  4.     @Resource
  5.     private RedisProperties redisProperties;
  7.     @Bean
  8.     public RedissonClient intiRedissonClient(){
  9.         Config config=new Config();
  10.         config.useSingleServer()
  11.                 .setAddress("redis://"+redisProperties.getHost()+":"+redisProperties.getPort());
  13.         return Redisson.create(config);
  14.     }
  15. }

WebConfig

  1. @Configuration
  2. public class WebConfig implements WebMvcConfigurer {
  4.     @Resource
  5.     private CustomInterceptor customInterceptor;
  7.     @Override
  8.     public void addInterceptors(InterceptorRegistry registry) {
  9.         registry.addInterceptor(customInterceptor);
  10.     }
  11. }

WebSecurityConfig

  1. @Configuration
  2. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  4.     @Resource
  5.     protected UserDetailsService userDetailsService;
  7.     @Override
  8.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  9.         auth.userDetailsService(userDetailsService);
  10.     }
  12.     @Override
  13.     protected void configure(HttpSecurity http) throws Exception {
  14.         http.formLogin().and().authorizeRequests()
  15.                 .antMatchers("/hello").authenticated()
  16.                 .anyRequest().permitAll();
  17.     }
  19.     @Bean
  20.     public PasswordEncoder initPasswordEncoder(){
  21.         return new BCryptPasswordEncoder();
  22.     }
  23. }

***********

controller 层

HelloController

  1. @RestController
  2. public class HelloController {
  4.     @RateLimiter(userLimit = 5)
  5.     @RequestMapping("/hello")
  6.     public ResponseResult<String> hello(){
  7.         ResponseResult<String> result=new ResponseResult<>();
  8.         result.setCode("000000");
  9.         result.setStatus("success");
  10.         result.setData("hello");
  12.         return result;
  13.     }
  15.     @RateLimiter()
  16.     @RequestMapping("/hello2")
  17.     public ResponseResult<String> hello2(){
  18.         ResponseResult<String> result=new ResponseResult<>();
  19.         result.setCode("000000");
  20.         result.setStatus("success");
  21.         result.setData("hello2");
  23.         return result;
  24.     }
  26.     @ExceptionHandler
  27.     public ResponseResult<String> handleError(Exception e){
  28.         ResponseResult<String> result=new ResponseResult<>();
  29.         result.setCode("111111");
  30.         result.setStatus("error");
  31.         result.setMessage(e.getMessage());
  33.         return  result;
  34.     }
  35. }

*****************

使用测试

localhost:8080/hello 

  1.                 ![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAb1_nk5znlLDmnY7kuItfbw_size_9_color_FFFFFF_t_70_g_se_x_16][]

认证通过后,输出

  1.                  ![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAb1_nk5znlLDmnY7kuItfbw_size_9_color_FFFFFF_t_70_g_se_x_16 1][]

连续点击5次,输出

  1.                  ![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAb1_nk5znlLDmnY7kuItfbw_size_9_color_FFFFFF_t_70_g_se_x_16 2][]

localhost:8080/hello2(重启应用)

  1.                  ![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAb1_nk5znlLDmnY7kuItfbw_size_9_color_FFFFFF_t_70_g_se_x_16 3][]

连续点击10次(ip限流),输出

  1.                  ![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAb1_nk5znlLDmnY7kuItfbw_size_9_color_FFFFFF_t_70_g_se_x_16 4][]

发表评论

表情:
评论列表 (有 0 条评论,275人围观)

还没有评论,来说两句吧...

相关阅读

    相关 SpringBoot API 接口

    顾名思义,想让某个接口某个人在某段时间内只能请求N次。 在项目中比较常见的问题也有,那就是连点按钮导致请求多次,以前在web端有表单重复提交,可以通过token 来解决。

    谁践踏了优雅谁践踏了优雅/ 0/ 173 阅读

    相关 Springboot项目的接口

    说明:使用了注解的方式进行对接口防刷的功能,非常高大上,本文章仅供参考 一,技术要点:springboot的基本知识,redis基本操作,  首先是写一个注解类:

    女爷i女爷i/ 0/ 252 阅读