SpringMVC 过滤参数的非法字符
package com.oozero.nmshop.system.filter;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.filter.OncePerRequestFilter;
import com.oozero.nmshop.system.pojo.Employee;
import com.oozero.nmshop.system.util.JNConstant;
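public class LoginSessionFilter extends OncePerRequestFilter {

    /**
     * Request-URI fragments exempt from the login check. Matching is by substring
     * ({@code path.indexOf(s) > -1}), so "resources" also exempts any URI that merely
     * contains that word.
     */
    private static final String[] ignores = new String[] { "/login.jsp", "resources", "base/user/login", "menu/init",
            "/system/loginStatistics/addString", "mutilUpload" };

    /**
     * Literal substrings handled by {@link #filterDangerString(String)}, applied in array order:
     * {@code {needle, replacement}}. The {@code ;} removal comes before the {@code &} encoding so
     * that the emitted {@code &amp;} keeps its terminating semicolon (the original sequence
     * stripped it again and produced {@code &amp}).
     */
    private static final String[][] DANGER_REPLACEMENTS = {
            { "|", "" },
            { ";", "" },
            { "&", "&amp;" },
            { "@", "" },
            { "'", "" },
            { "\"", "" },
            { "<", "&lt;" },
            { ">", "&gt;" },
            { "(", "" },
            { ")", "" },
            { "+", "" },
            { "\r", "" },
            { "\n", "" },
            { "script", "" },
            { "=", "" },
            { "/", "" },
    };

    /**
     * Wraps the request so parameter values pass through {@link #filterDangerString(String)},
     * then enforces the login session.
     *
     * <p>Order of checks: a Referer that does not contain the context path is sent to
     * {@code /error.jsp}; a request with an {@link Employee} in session, or whose URI matches an
     * entry of {@link #ignores}, continues down the chain; an unauthenticated request whose URI
     * contains "admin" or "system" is redirected to {@code /login.jsp} with the original URL in
     * the {@code url} parameter; anything else continues down the chain.
     *
     * @param request  current request; the chain receives a filtering {@link Request} wrapper
     * @param response current response
     * @param chain    remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or from {@code sendRedirect}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest filtered = new Request(request);
        // Emits a fixed placeholder cookie (literally "name=value") with HttpOnly on every
        // response; presumably a demonstration of the flag rather than an application cookie.
        // setHeader (not addHeader) replaces any Set-Cookie already on the response.
        response.setHeader("Set-Cookie", "name=value; HttpOnly");

        String contextPath = filtered.getContextPath();
        String referer = filtered.getHeader("Referer"); // REFRESH
        // For a root-deployed app getContextPath() is "", which every string contains, so this
        // check never fires there.
        if (referer != null && referer.indexOf(contextPath) < 0) {
            response.sendRedirect(contextPath + "/error.jsp");
            return;
        }

        HttpSession session = filtered.getSession();
        Employee employee = (Employee) session.getAttribute(JNConstant.LOGIN_SESSION);
        String path = filtered.getRequestURI();
        // Logged-in users and the exempt URIs (login page etc.) need no further filtering.
        if (employee != null || isIgnored(path)) {
            chain.doFilter(filtered, response);
            return;
        }
        if (path.indexOf("admin") > -1 || path.indexOf("system") > -1) {
            // No employee in session: send to the login page, carrying the original URL so the
            // login page can return here. The value is URL-encoded so a query string in the
            // original URL does not split the "url" parameter. The host part comes from the
            // client-supplied Host header; whatever consumes "url" (outside this file) should
            // validate it before redirecting to it.
            String queryString = filtered.getQueryString();
            String target = "http://" + filtered.getHeader("host") + path
                    + (queryString != null ? "?" + queryString : "");
            response.sendRedirect(contextPath + "/login.jsp?url=" + java.net.URLEncoder.encode(target, "UTF-8"));
            return;
        }
        // Not a protected area: continue the request.
        chain.doFilter(filtered, response);
    }

    /** Returns whether {@code path} contains any fragment of {@link #ignores}. */
    private static boolean isIgnored(String path) {
        for (String fragment : ignores) {
            if (path.indexOf(fragment) > -1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips a fixed blacklist of characters from a parameter value and entity-encodes
     * {@code &}, {@code <} and {@code >}.
     *
     * <p>This is a blacklist: it also mangles legitimate input (every {@code /}, {@code =} and
     * {@code +}, and the case-sensitive substring "script" inside words such as "description"),
     * and it is not a substitute for output encoding or parameterized queries at the point where
     * the value is actually used.
     *
     * @param value raw parameter value, may be {@code null}
     * @return the filtered value, or {@code null} when {@code value} is {@code null}
     */
    public String filterDangerString(String value) {
        if (value == null) {
            return null;
        }
        String result = value;
        for (String[] rule : DANGER_REPLACEMENTS) {
            // String.replace is a literal (non-regex) replacement, so the table needs no
            // regex escaping (the original replaceAll calls had to escape "|", "(", ")", "+").
            result = result.replace(rule[0], rule[1]);
        }
        return result;
    }

    /**
     * Request wrapper that routes single- and multi-valued parameter lookups through
     * {@link #filterDangerString(String)}. Accessors not overridden here (headers, parameter
     * map, body) are delegated unfiltered.
     */
    class Request extends HttpServletRequestWrapper {
        public Request(HttpServletRequest request) {
            super(request);
        }

        /** Filters the value before returning it; {@code null} stays {@code null}. */
        @Override
        public String getParameter(String name) {
            return filterDangerString(super.getParameter(name));
        }

        /** Filters every value before returning; an absent parameter yields {@code null}. */
        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            // The servlet API returns null for an absent parameter; dereferencing it
            // unconditionally (as the original did) throws NullPointerException.
            if (values == null) {
                return null;
            }
            // Filter into a fresh array rather than mutating the one the container handed out.
            String[] filteredValues = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                filteredValues[i] = filterDangerString(values[i]);
            }
            return filteredValues;
        }
    }
}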
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.filter.OncePerRequestFilter;
import com.oozero.nmshop.system.pojo.Employee;
import com.oozero.nmshop.system.util.JNConstant;
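public class LoginSessionFilter extends OncePerRequestFilter {

    /**
     * Request-URI fragments exempt from the login check. Matching is by substring
     * ({@code path.indexOf(s) > -1}), so "resources" also exempts any URI that merely
     * contains that word.
     */
    private static final String[] ignores = new String[] { "/login.jsp", "resources", "base/user/login", "menu/init",
            "/system/loginStatistics/addString", "mutilUpload" };

    /**
     * Literal substrings handled by {@link #filterDangerString(String)}, applied in array order:
     * {@code {needle, replacement}}. The {@code ;} removal comes before the {@code &} encoding so
     * that the emitted {@code &amp;} keeps its terminating semicolon (the original sequence
     * stripped it again and produced {@code &amp}).
     */
    private static final String[][] DANGER_REPLACEMENTS = {
            { "|", "" },
            { ";", "" },
            { "&", "&amp;" },
            { "@", "" },
            { "'", "" },
            { "\"", "" },
            { "<", "&lt;" },
            { ">", "&gt;" },
            { "(", "" },
            { ")", "" },
            { "+", "" },
            { "\r", "" },
            { "\n", "" },
            { "script", "" },
            { "=", "" },
            { "/", "" },
    };

    /**
     * Wraps the request so parameter values pass through {@link #filterDangerString(String)},
     * then enforces the login session.
     *
     * <p>Order of checks: a Referer that does not contain the context path is sent to
     * {@code /error.jsp}; a request with an {@link Employee} in session, or whose URI matches an
     * entry of {@link #ignores}, continues down the chain; an unauthenticated request whose URI
     * contains "admin" or "system" is redirected to {@code /login.jsp} with the original URL in
     * the {@code url} parameter; anything else continues down the chain.
     *
     * @param request  current request; the chain receives a filtering {@link Request} wrapper
     * @param response current response
     * @param chain    remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or from {@code sendRedirect}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest filtered = new Request(request);
        // Emits a fixed placeholder cookie (literally "name=value") with HttpOnly on every
        // response; presumably a demonstration of the flag rather than an application cookie.
        // setHeader (not addHeader) replaces any Set-Cookie already on the response.
        response.setHeader("Set-Cookie", "name=value; HttpOnly");

        String contextPath = filtered.getContextPath();
        String referer = filtered.getHeader("Referer"); // REFRESH
        // For a root-deployed app getContextPath() is "", which every string contains, so this
        // check never fires there.
        if (referer != null && referer.indexOf(contextPath) < 0) {
            response.sendRedirect(contextPath + "/error.jsp");
            return;
        }

        HttpSession session = filtered.getSession();
        Employee employee = (Employee) session.getAttribute(JNConstant.LOGIN_SESSION);
        String path = filtered.getRequestURI();
        // Logged-in users and the exempt URIs (login page etc.) need no further filtering.
        if (employee != null || isIgnored(path)) {
            chain.doFilter(filtered, response);
            return;
        }
        if (path.indexOf("admin") > -1 || path.indexOf("system") > -1) {
            // No employee in session: send to the login page, carrying the original URL so the
            // login page can return here. The value is URL-encoded so a query string in the
            // original URL does not split the "url" parameter. The host part comes from the
            // client-supplied Host header; whatever consumes "url" (outside this file) should
            // validate it before redirecting to it.
            String queryString = filtered.getQueryString();
            String target = "http://" + filtered.getHeader("host") + path
                    + (queryString != null ? "?" + queryString : "");
            response.sendRedirect(contextPath + "/login.jsp?url=" + java.net.URLEncoder.encode(target, "UTF-8"));
            return;
        }
        // Not a protected area: continue the request.
        chain.doFilter(filtered, response);
    }

    /** Returns whether {@code path} contains any fragment of {@link #ignores}. */
    private static boolean isIgnored(String path) {
        for (String fragment : ignores) {
            if (path.indexOf(fragment) > -1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips a fixed blacklist of characters from a parameter value and entity-encodes
     * {@code &}, {@code <} and {@code >}.
     *
     * <p>This is a blacklist: it also mangles legitimate input (every {@code /}, {@code =} and
     * {@code +}, and the case-sensitive substring "script" inside words such as "description"),
     * and it is not a substitute for output encoding or parameterized queries at the point where
     * the value is actually used.
     *
     * @param value raw parameter value, may be {@code null}
     * @return the filtered value, or {@code null} when {@code value} is {@code null}
     */
    public String filterDangerString(String value) {
        if (value == null) {
            return null;
        }
        String result = value;
        for (String[] rule : DANGER_REPLACEMENTS) {
            // String.replace is a literal (non-regex) replacement, so the table needs no
            // regex escaping (the original replaceAll calls had to escape "|", "(", ")", "+").
            result = result.replace(rule[0], rule[1]);
        }
        return result;
    }

    /**
     * Request wrapper that routes single- and multi-valued parameter lookups through
     * {@link #filterDangerString(String)}. Accessors not overridden here (headers, parameter
     * map, body) are delegated unfiltered.
     */
    class Request extends HttpServletRequestWrapper {
        public Request(HttpServletRequest request) {
            super(request);
        }

        /** Filters the value before returning it; {@code null} stays {@code null}. */
        @Override
        public String getParameter(String name) {
            return filterDangerString(super.getParameter(name));
        }

        /** Filters every value before returning; an absent parameter yields {@code null}. */
        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            // The servlet API returns null for an absent parameter; dereferencing it
            // unconditionally (as the original did) throws NullPointerException.
            if (values == null) {
                return null;
            }
            // Filter into a fresh array rather than mutating the one the container handed out.
            String[] filteredValues = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                filteredValues[i] = filterDangerString(values[i]);
            }
            return filteredValues;
        }
    }
}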