  • Filter过滤器除去部分URL链接

    在web.xml中配置的Filter如下:

    <!-- Mapped to /* so every request passes through the filter; a servlet
         url-pattern cannot express "everything except X", so the exclusion
         below is implemented inside the filter class itself. -->
    <filter>
        <filter-name>HazardousParametersFilter</filter-name>
        <filter-class>com.galaxy.apps.common.HazardousParametersFilter</filter-class>
        <!-- Comma-separated servlet paths that skip the parameter scan. Despite
             the name, the filter compares each entry with equals(), not as a
             regular expression; do not put spaces around the commas. -->
        <init-param>
    	<param-name>ignoreRegex</param-name>
    	<param-value>/upload/mobileUploadPic</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HazardousParametersFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    

    可以看到 url-pattern 设置的过滤规则是 /*，即所有请求都会经过该 Filter。servlet 的 url-pattern 本身没有“排除某个路径”的语法，所以如果要把 /upload/mobileUploadPic 排除在过滤之外，只能在 Filter 代码里自行判断。

    可以结合 init-param 的初始化参数和 HttpServletRequest 的 getServletPath() 方法来判断。需要注意：虽然参数名叫 ignoreRegex，下面的实现是把参数值按逗号拆分后，逐项用 equals() 与 servlet path 做精确比较，并不是正则匹配。从安全角度看，精确匹配反而更稳妥——宽泛的正则容易让攻击者构造出被“放行”的 URL。

     <init-param>
        <param-name>ignoreRegex</param-name>
        <param-value>/upload/mobileUploadPic</param-value>
     </init-param>
    

    下面是过滤器 HazardousParametersFilter 中的具体实现：

    package com.galaxy.apps.common;
    
    import java.io.IOException;
    import java.util.Iterator;
    import java.util.Map;
    import java.util.Set;
    
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    
    import org.apache.commons.lang3.StringUtils;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    
    import com.galaxy.apps.utils.HazardousParameterHelper;
    import com.jovtec.galaxy.util.RequestHelper;
    import com.jovtec.galaxy.util.StringHelper;
    
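    /**
     * Servlet filter that scans every request parameter for "hazardous"
     * characters (as judged by {@code HazardousParameterHelper.hasHazardousChar})
     * and, when any are found, logs the request to the {@code SecurityLogger}
     * and hands a {@code HazardousRequestWrapper} down the chain instead of the
     * raw request. The request is never rejected, so this is a defence-in-depth
     * layer only: the wrapper is presumably escaping the values (not visible
     * here), and downstream code must still encode its output properly.
     *
     * <p>A request is passed through untouched when:
     * <ul>
     *   <li>the request URI is empty,</li>
     *   <li>the request URI starts with {@code /portal/} (back-office pages), or</li>
     *   <li>the servlet path exactly equals one of the comma-separated entries of
     *       the {@code ignoreRegex} init-param.</li>
     * </ul>
     *
     * <p>Despite its name, {@code ignoreRegex} is <em>not</em> a regular
     * expression: every entry is compared with {@code String.equals}. Exact
     * matching is the safer choice here, since a loose pattern would widen the
     * set of URLs that bypass the scan.
     */
    public class HazardousParametersFilter implements Filter {
        private static final Log logger = LogFactory.getLog("SecurityLogger");

        /** Raw value of the {@code ignoreRegex} init-param; may be null. */
        private String ignoreRegex;

        /**
         * {@link #ignoreRegex} split on ',' — the servlet paths that skip the scan.
         * Initialised to an empty array so {@link #doFilter} never dereferences null
         * when the init-param is absent or empty.
         */
        private String[] ignoreRegexArray = new String[0];

        public String getIgnoreRegex() {
            return ignoreRegex;
        }

        public void setIgnoreRegex(String ignoreRegex) {
            this.ignoreRegex = ignoreRegex;
        }

        public String[] getIgnoreRegexArray() {
            return ignoreRegexArray;
        }

        public void setIgnoreRegexArray(String[] ignoreRegexArray) {
            this.ignoreRegexArray = ignoreRegexArray;
        }

        /**
         * Reads the {@code ignoreRegex} init-param and splits it on commas.
         * Entries are not trimmed: {@code "a, b"} excludes {@code "a"} and
         * {@code " b"}, so the init-param must be written without spaces.
         */
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            ignoreRegex = filterConfig.getInitParameter("ignoreRegex");
            ignoreRegexArray = StringUtils.isNotEmpty(ignoreRegex)
                    ? ignoreRegex.split(",")
                    : new String[0];
        }

        @Override
        public void destroy() {
        }

        /**
         * Scans the request parameters and either forwards the original request
         * (no hazard, or an excluded URL) or a {@code HazardousRequestWrapper}
         * around it (hazard found, after logging).
         *
         * @throws IOException      propagated from the rest of the chain
         * @throws ServletException propagated from the rest of the chain
         */
        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            String requestURI = request.getRequestURI();

            // Pass-through: no URI, a back-office (/portal/) address, or an explicitly
            // excluded servlet path. NOTE(review): getRequestURI() includes the context
            // path, so the "/portal/" prefix only matches when the app is deployed at
            // the root context; and everything under /portal/ skips the scan entirely,
            // so those handlers must validate their own parameters.
            if (StringHelper.isEmpty(requestURI) || requestURI.startsWith("/portal/")
                    || isExcludedServletPath(request.getServletPath())) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }

            // TODO: html/shtml — how to optimise performance? They need filtering too,
            //       otherwise shtml includes never pass through this filter.
            // TODO: the /portal/ exclusion should be expressed via ignoreRegex as well.

            Map<String, String[]> pm = servletRequest.getParameterMap();
            if (!hasHazardousParameter(pm)) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }

            // Hazardous characters found: log, then continue with the wrapped request
            // (the wrapper is expected to escape the values; the request is not rejected).
            // NOTE(review): every parameter value is written to the security log, so
            // passwords or other secrets submitted as form fields end up in the log too.
            logger.info("该URL接收了风险字符参数:" + request.getRequestURL() + ",客户IP:" + request.getRemoteAddr() + ",参数列表:"
                    + RequestHelper.getParameterMapToString(pm));
            HazardousRequestWrapper hazReqWrapper = new HazardousRequestWrapper(request);
            filterChain.doFilter(hazReqWrapper, servletResponse);
        }

        /**
         * True when {@code servletPath} exactly equals one of the configured
         * exclusions. Null-safe on both sides (the setter may install null).
         */
        private boolean isExcludedServletPath(String servletPath) {
            if (ignoreRegexArray == null || servletPath == null) {
                return false;
            }
            for (String page : ignoreRegexArray) {
                if (servletPath.equals(page)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Scans every parameter's values; a null or empty map is hazard-free, which
         * is also the fast path for requests that carry no parameters at all.
         */
        private static boolean hasHazardousParameter(Map<String, String[]> pm) {
            if (pm == null || pm.isEmpty()) {
                return false;
            }
            for (String[] values : pm.values()) {
                if (HazardousParameterHelper.hasHazardousChar(values)) {
                    return true;
                }
            }
            return false;
        }
    }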
    

    完~
