在web.xml中配置的Filter如下:
<!-- Registers HazardousParametersFilter on every request (/*). The filter escapes request
     parameters that contain hazardous characters; the comma-separated ignoreRegex init-param
     names servlet paths that bypass it. -->
<filter>
    <filter-name>HazardousParametersFilter</filter-name>
    <filter-class>com.galaxy.apps.common.HazardousParametersFilter</filter-class>
    <init-param>
        <!-- Despite the name, each entry is compared to the servlet path with equals(),
             i.e. an exact match, not a regular expression. -->
        <param-name>ignoreRegex</param-name>
        <param-value>/upload/mobileUploadPic</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>HazardousParametersFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
可以看到url-pattern设置的过滤规则是/*,即所有请求都会经过该Filter。如果要把/upload/mobileUploadPic排除在过滤范围之外,可以按下面的方式处理。
可以结合init-param的初始化参数和HttpServletRequest的getServletPath()方法来判断。需要注意两点:参数名虽然叫ignoreRegex,但过滤器中是用equals()做精确匹配,并不是正则;另外getServletPath()不包含path info部分,对于按前缀映射(如/upload/*)的Servlet,要把getPathInfo()一起拼上才能得到完整的请求路径。
<!-- Comma-separated list of servlet paths that skip the filter. Matched by exact string
     equality inside HazardousParametersFilter (not a regex, whatever the name suggests). -->
<init-param>
    <param-name>ignoreRegex</param-name>
    <param-value>/upload/mobileUploadPic</param-value>
</init-param>
下面是过滤器HazardousParametersFilter中的具体实现:
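package com.galaxy.apps.common;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import com.galaxy.apps.utils.HazardousParameterHelper;
import com.jovtec.galaxy.util.RequestHelper;
import com.jovtec.galaxy.util.StringHelper;

/**
 * Servlet filter that inspects every request parameter for hazardous characters
 * (as judged by {@link HazardousParameterHelper#hasHazardousChar}) and, when any are
 * found, logs the event and passes a {@code HazardousRequestWrapper} down the chain
 * instead of the original request, so downstream code sees escaped values.
 * <p>
 * Two kinds of request bypass the inspection entirely:
 * <ul>
 *   <li>requests whose context-relative path starts with {@code /portal/};</li>
 *   <li>requests whose context-relative path equals one of the comma-separated entries
 *       of the {@code ignoreRegex} init-param. Despite the name, entries are compared by
 *       exact string equality, not as regular expressions.</li>
 * </ul>
 * Only {@code getParameterMap()} is inspected: headers, cookies, multipart parts and raw
 * request bodies (e.g. JSON) never reach this filter's check and must be handled by the
 * code that reads them.
 */
public class HazardousParametersFilter implements Filter {

    private static final Log logger = LogFactory.getLog("SecurityLogger");

    /** Context-relative path prefix of the back-office portal, which is not filtered. */
    private static final String PORTAL_PREFIX = "/portal/";

    private static final String[] NO_PAGES = new String[0];

    /** Raw value of the {@code ignoreRegex} init-param; may be null when not configured. */
    private String ignoreRegex;

    /**
     * Parsed, trimmed exclusion list. Never null: the original left this null when the
     * init-param was absent, which made doFilter throw a NullPointerException on the
     * very first request.
     */
    private String[] ignoreRegexArray = NO_PAGES;

    public String getIgnoreRegex() {
        return ignoreRegex;
    }

    public void setIgnoreRegex(String ignoreRegex) {
        this.ignoreRegex = ignoreRegex;
    }

    public String[] getIgnoreRegexArray() {
        return ignoreRegexArray;
    }

    /** Stores the exclusion list; a null argument is normalised to an empty array. */
    public void setIgnoreRegexArray(String[] ignoreRegexArray) {
        this.ignoreRegexArray = ignoreRegexArray == null ? NO_PAGES : ignoreRegexArray;
    }

    /**
     * Reads the {@code ignoreRegex} init-param and splits it into the exclusion list.
     * A missing or blank value yields an empty list rather than null.
     *
     * @param filterConfig the container-supplied filter configuration
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        ignoreRegex = filterConfig.getInitParameter("ignoreRegex");
        ignoreRegexArray = parseIgnoreList(ignoreRegex);
    }

    public void destroy() {
        // Nothing to release.
    }

    /**
     * Lets excluded requests through untouched; for every other request, scans the
     * parameter map and, if any value is hazardous, logs it and wraps the request so
     * that the rest of the chain reads escaped parameter values.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}; the filter is mapped to /*
     *                        so the container only ever hands it HTTP requests
     * @param servletResponse passed through unchanged
     * @param filterChain     the remainder of the chain; invoked exactly once on every path
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String requestURI = request.getRequestURI();

        // All exclusion decisions use the container-resolved path (servletPath + pathInfo),
        // which is decoded and normalised and does not carry the context path.
        // getRequestURI() is the raw URI as sent by the client: depending on the container it
        // may still contain "..", %xx escapes or ";" path parameters, so a request such as
        // "/portal/../upload/x" can satisfy startsWith("/portal/") while actually being
        // dispatched to /upload/x - a bypass of this filter. It also includes the context
        // path, so the original raw-URI prefix test only ever matched when the application
        // was deployed at the root context; the context-relative test below presumably
        // reflects what was intended.
        String path = contextRelativePath(request);

        // TODO: the /portal/ prefix should also move into ignoreRegex rather than being
        //       hard-coded here.
        if (StringHelper.isEmpty(requestURI) || path.startsWith(PORTAL_PREFIX) || isExcludedPage(path)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // TODO: html/shtml - how to optimise for performance? They still need filtering,
        //       otherwise an shtml include never enters this filter.
        // NOTE(review): only query/form parameters are examined here. Multipart bodies (which is
        // presumably why the upload URL is excluded), JSON bodies, headers and cookies are not.
        Map<String, String[]> parameters = request.getParameterMap();
        if (!containsHazardousValue(parameters)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // NOTE(review): this writes the complete parameter list to the security log at INFO,
        // which may include passwords or other secrets submitted by the user; consider masking.
        logger.info("该URL接收了风险字符参数:" + request.getRequestURL() + ",客户IP:" + request.getRemoteAddr()
                + ",参数列表:" + RequestHelper.getParameterMapToString(parameters));
        HazardousRequestWrapper hazReqWrapper = new HazardousRequestWrapper(request);
        filterChain.doFilter(hazReqWrapper, servletResponse);
    }

    /**
     * Splits the comma-separated init-param into trimmed, non-empty entries.
     *
     * @param raw the init-param value; null or blank yields an empty array
     */
    private static String[] parseIgnoreList(String raw) {
        if (StringUtils.isBlank(raw)) {
            return NO_PAGES;
        }
        List<String> pages = new ArrayList<String>();
        for (String entry : raw.split(",")) {
            String trimmed = entry.trim();
            if (trimmed.length() > 0) {
                pages.add(trimmed);
            }
        }
        return pages.toArray(new String[pages.size()]);
    }

    /**
     * Path of the request relative to the context root: servletPath followed by pathInfo.
     * For a servlet mapped by prefix (e.g. /upload/*) getServletPath() alone is only the
     * prefix, so comparing it against a full path such as /upload/mobileUploadPic would
     * never match; appending getPathInfo() restores the full path. When pathInfo is null
     * (exact or default mappings) the result is identical to getServletPath().
     */
    private static String contextRelativePath(HttpServletRequest request) {
        StringBuilder path = new StringBuilder();
        String servletPath = request.getServletPath();
        if (servletPath != null) {
            path.append(servletPath);
        }
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) {
            path.append(pathInfo);
        }
        return path.toString();
    }

    /** True when {@code path} exactly equals one of the configured exclusion entries. */
    private boolean isExcludedPage(String path) {
        for (String page : ignoreRegexArray) {
            if (page.equals(path)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when any parameter's value array is flagged by
     * {@link HazardousParameterHelper#hasHazardousChar}; an empty or null map is safe.
     */
    private static boolean containsHazardousValue(Map<String, String[]> parameters) {
        if (parameters == null || parameters.isEmpty()) {
            return false;
        }
        for (String[] values : parameters.values()) {
            if (HazardousParameterHelper.hasHazardousChar(values)) {
                return true;
            }
        }
        return false;
    }
}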
完~