  • Filter过滤器除去部分URL链接

    在web.xml中配置的Filter如下:

    <!-- Scans every request parameter value for hazardous characters
         (HazardousParametersFilter). ignoreRegex: comma-separated servlet paths that bypass
         the scan. Despite the name, each entry is compared with equals() against
         HttpServletRequest.getServletPath() - it is NOT treated as a regular expression. -->
    <filter>
        <filter-name>HazardousParametersFilter</filter-name>
        <filter-class>com.galaxy.apps.common.HazardousParametersFilter</filter-class>
        <init-param>
    	<param-name>ignoreRegex</param-name>
    	<param-value>/upload/mobileUploadPic</param-value>
        </init-param>
    </filter>
    <!-- Mapped to every request; exclusions are decided inside the filter, not here. -->
    <filter-mapping>
        <filter-name>HazardousParametersFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    

    可以看到 url-pattern 的设置里过滤的 url 规则是 /*，即所有请求都会进入该过滤器；如果要把 /upload/mobileUploadPic 排除在过滤范围之外，需要在过滤器内部自行判断。

    可以结合 init-param 的初始化参数和 HttpServletRequest 的 getServletPath() 方法来判断。注意：虽然参数名叫 ignoreRegex，但下面的代码对 getServletPath() 使用的是 equals() 精确匹配而非正则匹配；多个路径以英文逗号分隔。

     <!-- Comma-separated exact servlet paths to skip; compared with equals(), not as a regex. -->
     <init-param>
        <param-name>ignoreRegex</param-name>
        <param-value>/upload/mobileUploadPic</param-value>
     </init-param>
    

    下面是过滤器 HazardousParametersFilter 中的具体实现

    package com.galaxy.apps.common;
    
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.List;
    import java.util.Map;
    import java.util.Set;
    
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    
    import org.apache.commons.lang3.StringUtils;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    
    import com.galaxy.apps.utils.HazardousParameterHelper;
    import com.jovtec.galaxy.util.RequestHelper;
    import com.jovtec.galaxy.util.StringHelper;
    
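    /**
     * Servlet filter that scans every request parameter value for characters that
     * {@code HazardousParameterHelper.hasHazardousChar} flags as hazardous. A request that
     * carries such a value is logged to the "SecurityLogger" and forwarded wrapped in a
     * {@code HazardousRequestWrapper} (which, per the original author's comment, escapes the
     * values); any other request is forwarded untouched. Processing is never aborted, so this
     * is a logging/escaping layer, not an access control.
     *
     * <p>Two kinds of request bypass the scan entirely:
     * <ul>
     *   <li>requests whose servlet path equals one of the comma-separated entries of the
     *       {@code ignoreRegex} init-param — despite the name, entries are matched with
     *       {@code equals}, not as regular expressions;</li>
     *   <li>requests whose raw request URI starts with {@code /portal/}.</li>
     * </ul>
     *
     * <p>The exclusion list is populated once in {@link #init} and only read afterwards; the
     * public setters are plain, unsynchronised configuration hooks.
     */
    public class HazardousParametersFilter implements Filter {
    	private static final Log logger = LogFactory.getLog("SecurityLogger");

    	/** Raw-URI prefix of the back-office area that is never scanned. */
    	private static final String PORTAL_PREFIX = "/portal/";

    	/** Raw value of the {@code ignoreRegex} init-param; {@code null} when absent. */
    	private String ignoreRegex;

    	/** Servlet paths excluded from scanning. Empty — never {@code null} — when unconfigured. */
    	private String[] ignoreRegexArray = new String[0];

    	public String getIgnoreRegex() {
    		return ignoreRegex;
    	}

    	public void setIgnoreRegex(String ignoreRegex) {
    		this.ignoreRegex = ignoreRegex;
    	}

    	public String[] getIgnoreRegexArray() {
    		return ignoreRegexArray;
    	}

    	public void setIgnoreRegexArray(String[] ignoreRegexArray) {
    		this.ignoreRegexArray = ignoreRegexArray;
    	}

    	/**
    	 * Reads the {@code ignoreRegex} init-param and splits it on commas into the exclusion
    	 * list. Entries are trimmed and blank entries dropped, so a value such as
    	 * {@code "/a, /b"} excludes both paths instead of silently matching neither. A missing
    	 * parameter yields an empty list rather than {@code null}, which previously made
    	 * {@link #doFilter} throw a NullPointerException on every request.
    	 */
    	@Override
    	public void init(FilterConfig filterConfig) throws ServletException {
    		ignoreRegex = filterConfig.getInitParameter("ignoreRegex");
    		ignoreRegexArray = parseExclusions(ignoreRegex);
    	}

    	/** Splits a comma-separated list into trimmed, non-blank entries; never returns null. */
    	private static String[] parseExclusions(String csv) {
    		if (StringUtils.isBlank(csv)) {
    			return new String[0];
    		}
    		List<String> entries = new ArrayList<String>();
    		for (String entry : csv.split(",")) {
    			String trimmed = entry.trim();
    			if (!trimmed.isEmpty()) {
    				entries.add(trimmed);
    			}
    		}
    		return entries.toArray(new String[entries.size()]);
    	}

    	@Override
    	public void destroy() {
    		// Nothing to release: the filter holds only configuration strings.
    	}

    	/**
    	 * Scans the request parameters and forwards the request down the chain.
    	 *
    	 * <p>Requests with an empty URI, a {@code /portal/} URI prefix, or an excluded servlet
    	 * path are forwarded as-is. Otherwise, if any parameter value contains a hazardous
    	 * character, the request URL, client address and full parameter list are logged and the
    	 * request is forwarded wrapped in a {@code HazardousRequestWrapper}; clean requests are
    	 * forwarded unchanged. Nothing is ever rejected.
    	 *
    	 * @throws IOException      propagated from the rest of the chain
    	 * @throws ServletException propagated from the rest of the chain
    	 */
    	@Override
    	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
    			throws IOException, ServletException {
    		HttpServletRequest request = (HttpServletRequest) servletRequest;
    		String requestURI = request.getRequestURI();

    		// NOTE(review): getRequestURI() is the raw, undecoded URI *including* the context path,
    		// so this prefix test only behaves as intended for a root-context deployment, and it
    		// does not see through percent-encoded, path-parameter ("/portal;x/...") or dot-segment
    		// ("/portal/../...") forms that the container may still route to another servlet.
    		// Safer to compare the servlet path, as the exclusion list does, or to move "/portal/"
    		// into ignoreRegex (see the TODO below) — confirm against the deployment.
    		if (StringHelper.isEmpty(requestURI) || requestURI.startsWith(PORTAL_PREFIX)
    				|| isExcludedServletPath(request.getServletPath())) {
    			filterChain.doFilter(servletRequest, servletResponse);
    			return;
    		}

    		// TODO: html/shtml — how to keep this cheap? They must still be filtered, otherwise
    		// an shtml include never enters this filter.
    		// TODO: "/portal/" should be configured through ignoreRegex rather than hard-coded.

    		// Servlet 3.0+ declares Map<String, String[]>; older APIs return a raw Map.
    		@SuppressWarnings("unchecked")
    		Map<String, String[]> pm = servletRequest.getParameterMap();

    		if (!hasHazardousValue(pm)) {
    			filterChain.doFilter(servletRequest, servletResponse);
    			return;
    		}

    		// A hazardous value was found: log it, then let the request continue with its values
    		// escaped by the wrapper. The logged values are attacker-controlled, so the appender or
    		// RequestHelper.getParameterMapToString must neutralise CR/LF to prevent log forging —
    		// not verified here.
    		logger.info("该URL接收了风险字符参数:" + request.getRequestURL() + ",客户IP:" + request.getRemoteAddr() + ",参数列表:"
    				+ RequestHelper.getParameterMapToString(pm));
    		HazardousRequestWrapper hazReqWrapper = new HazardousRequestWrapper(request);
    		filterChain.doFilter(hazReqWrapper, servletResponse);
    	}

    	/** True when the servlet path exactly equals one of the configured exclusions. */
    	private boolean isExcludedServletPath(String servletPath) {
    		String[] exclusions = ignoreRegexArray; // may be null via setIgnoreRegexArray(null)
    		if (exclusions == null || servletPath == null) {
    			return false;
    		}
    		for (String excluded : exclusions) {
    			if (servletPath.equals(excluded)) {
    				return true;
    			}
    		}
    		return false;
    	}

    	/** True when any value of any parameter is flagged by HazardousParameterHelper. */
    	private static boolean hasHazardousValue(Map<String, String[]> pm) {
    		if (pm == null || pm.isEmpty()) { // cheap exit for parameter-less requests
    			return false;
    		}
    		for (String[] values : pm.values()) {
    			if (HazardousParameterHelper.hasHazardousChar(values)) {
    				return true;
    			}
    		}
    		return false;
    	}
    }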
    

    完~

  • 原文地址:https://www.cnblogs.com/fron/p/filter-20170224.html