
防御CSRF、XSS和SQL注入攻击

过滤器

package cn.bizws.ismp.common.web;

/**
* @author www.bizws.cn Tom
*/
import java.io.File;
import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* 防御CSRF、XSS和SQL注入攻击
* @author www.bizws.cn Tom
*/
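public class XssFilterV1 implements Filter {
    /** Raw "FilterChar" init-param: the token list before splitting. */
    private String filterChar;
    /** "ReplaceChar" init-param; read at init but not used by this class. */
    private String replaceChar;
    /** "SplitChar" init-param: literal separator between tokens in {@link #filterChar}. */
    private String splitChar;
    /** "WriteLog" init-param; passed through to the request wrapper untouched. */
    private String writeLog;
    /** Trimmed, non-empty tokens; also handed to the request wrapper. */
    private String[] filterChars;
    /** Lower-cased copy of {@link #filterChars} so the per-request comparison does not re-lowercase every token. */
    private String[] lowerCaseTokens;
    FilterConfig filterConfig = null;
    /** SimpleDateFormat is not thread-safe; it is only used from init(). */
    private static final DateFormat dateFormat = new SimpleDateFormat("yyyyMMdd");
    /** Log file (one per day, named at init time) passed to the request wrapper. */
    private File file;

    /**
     * Reads the init-params, parses the token list and prepares the log file.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException when FilterChar or SplitChar is missing, so that a
     *         misconfigured deployment fails closed with a readable reason instead of an NPE
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        this.filterChar = filterConfig.getInitParameter("FilterChar");
        this.replaceChar = filterConfig.getInitParameter("ReplaceChar");
        this.splitChar = filterConfig.getInitParameter("SplitChar");
        this.writeLog = filterConfig.getInitParameter("WriteLog");
        if (filterChar == null || splitChar == null || splitChar.isEmpty()) {
            throw new ServletException(
                    "XssFilterV1: init-params FilterChar and SplitChar are required");
        }
        filterChars = parseTokens(filterChar, splitChar);
        lowerCaseTokens = new String[filterChars.length];
        for (int i = 0; i < filterChars.length; i++) {
            // Locale.ROOT keeps the comparison independent of the server's default locale.
            lowerCaseTokens[i] = filterChars[i].toLowerCase(Locale.ROOT);
        }
        file = prepareLogFile(filterConfig);
    }

    /**
     * Splits the configured token list on the literal separator.
     * Tokens are trimmed (the web.xml value is typically multi-line) and empty tokens are
     * dropped: an empty token is a substring of every string and would reject every
     * non-blank parameter.
     */
    private static String[] parseTokens(String list, String separator) {
        List<String> tokens = new ArrayList<String>();
        // Pattern.quote: String.split takes a regex, the separator is meant literally.
        for (String raw : list.split(Pattern.quote(separator))) {
            String token = raw.trim();
            if (!token.isEmpty()) {
                tokens.add(token);
            }
        }
        return tokens.toArray(new String[tokens.size()]);
    }

    /**
     * Creates {@code <webapp>/logs/<yyyyMMdd>.log} on a best-effort basis.
     * Failures are reported through the servlet context log instead of stdout,
     * and never abort filter initialisation. The date is fixed at init time, so the
     * file name does not roll over on later days.
     */
    private File prepareLogFile(FilterConfig config) {
        String base = config.getServletContext().getRealPath("");
        if (base == null) {
            // getRealPath returns null for a WAR that is not exploded on disk; fall back to
            // the temp dir rather than the literal "null/logs" path string concatenation yields.
            base = System.getProperty("java.io.tmpdir");
        }
        // File(parent, child) uses the platform separator instead of a hard-coded backslash.
        File dir = new File(base, "logs");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            config.getServletContext().log("XssFilterV1: could not create log directory " + dir);
        }
        File logFile = new File(dir, dateFormat.format(new Date()) + ".log");
        try {
            if (!logFile.exists()) {
                logFile.createNewFile();
            }
        } catch (IOException e) {
            config.getServletContext().log("XssFilterV1: could not create log file " + logFile, e);
        }
        return logFile;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Rejects the request when any value of any request parameter contains a configured
     * token (case-insensitive substring match), otherwise continues the chain with the
     * request wrapped in {@code XssHttpServletRequestWrapperV1}.
     *
     * This is a coarse denylist: tokens such as "and", "from" or "char" also match ordinary
     * text, and a substring check is defence in depth only, not a substitute for
     * PreparedStatement on the SQL side and output encoding on the HTML side.
     *
     * @throws ServletException when a token is found; the message embeds the raw parameter
     *         value, so whether it reaches the client depends on the container's error page —
     *         configure an {@code <error-page>} for that case
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse servletResponse,
            FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String parameterName = names.nextElement();
            // getParameterValues: every value of a repeated parameter is inspected, not only
            // the first one that getParameter() returns.
            String[] values = request.getParameterValues(parameterName);
            if (values == null) {
                continue;
            }
            for (String parameterValue : values) {
                if (containsToken(parameterValue)) {
                    throw new ServletException("拦截到了SQL注入参数 参数名:"
                            + parameterName + " 参数值:" + parameterValue);
                }
            }
        }
        chain.doFilter(new XssHttpServletRequestWrapperV1(
                (HttpServletRequest) request, filterChars, file, writeLog, response),
                servletResponse);
    }

    /** True when the trimmed, lower-cased value contains any configured token; blank values never match. */
    private boolean containsToken(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        String normalized = value.trim().toLowerCase(Locale.ROOT);
        for (String token : lowerCaseTokens) {
            if (normalized.contains(token)) {
                return true;
            }
        }
        return false;
    }
}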

在web.xml中对过滤器进行配置

<!-- Registers XssFilterV1 (listed above). The init-param names must match the strings the
     filter reads in init(): FilterChar, ReplaceChar, SplitChar, WriteLog. -->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>cn.bizws.ismp.common.web.XssFilterV1</filter-class>
<init-param>
<!-- Separator used by the filter to split FilterChar into tokens. -->
<param-name>SplitChar</param-name>
<param-value>@</param-value>
</init-param>
<init-param>
<!-- Stored by the filter and passed to the request wrapper; the filter itself does not interpret it. -->
<param-name>WriteLog</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<!-- Each token is matched as a case-insensitive substring of every request parameter value
     (whitespace around a token is trimmed); a hit rejects the request with a ServletException.
     Short tokens such as "and", "from", "mid", "char", "count" and "form" also occur inside
     ordinary words, so expect false positives on free-text parameters. -->
<param-name>FilterChar</param-name>
<param-value>
select@insert@delete@update
@from@count@'@drop@table@truncate
@asc@declare@mid@char
@xp_cmdshell@exec@master@localgroup
@administrators@and@net@create user@net
@script@input@form@;
</param-value>
</init-param>
<init-param>
<!-- Read by the filter at init time but not used anywhere in XssFilterV1. -->
<param-name>ReplaceChar</param-name>
<param-value></param-value>
</init-param>
</filter>

<!-- Only requests whose URL ends in one of these extensions pass through the filter; any other
     path is not inspected at all. Map the filter to /* if every entry point should be covered. -->
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>*.action</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>*.jspx</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>