nbsp;今天系统使用IBM的安全漏洞扫描工具扫描出一堆漏洞,下面的filter主要是解决防止SQL注入和XSS攻击
一个是Filter负责将请求的request包装一下。
一个是request包装器,负责过滤掉非法的字符。
将这个过滤器配置上以后,世界总算清净多了。。
代码如下:
import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;/*** <code>{@link CharLimitFilter}</code>** 拦截防止sql注入** @author Administrator*/public class XssFilter implements Filter {/* (non-Javadoc)* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)*/public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,ServletException {XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);filterChain.doFilter(xssRequest, response);}}
包装器:
/*** <code>{@link XssHttpServletRequestWrapper}</code>** TODO : document me** @author Administrator*/public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {HttpServletRequest orgRequest = null;public XssHttpServletRequestWrapper(HttpServletRequest request) {super(request);orgRequest = request;}/*** 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖*/@Overridepublic String getParameter(String name) {String value = super.getParameter(xssEncode(name));if (value != null) {value = xssEncode(value);}return value;}/*** 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>* 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>* getHeaderNames 也可能需要覆盖*/@Overridepublic String getHeader(String name) {String value = super.getHeader(xssEncode(name));if (value != null) {value = xssEncode(value);}return value;}/*** 将容易引起xss漏洞的半角字符直接替换成全角字符** @param s* @return*/private static String xssEncode(String s) {if (s == null || "".equals(s)) {return s;}StringBuilder sb = new StringBuilder(s.length() + 16);for (int i = 0; i < s.length(); i++) {char c = s.charAt(i);switch (c) {case '>':sb.append('>');//全角大于号break;case '<':sb.append('<');//全角小于号break;case '\'':sb.append('‘');//全角单引号break;case '\"':sb.append('“');//全角双引号break;case '&':sb.append('&');//全角break;case '\\':sb.append('\');//全角斜线break;case '#':sb.append('#');//全角井号break;default:sb.append(c);break;}}return sb.toString();}/*** 获取最原始的request** @return*/public HttpServletRequest getOrgRequest() {return orgRequest;}/*** 获取最原始的request的静态方法** @return*/public static HttpServletRequest getOrgRequest(HttpServletRequest req) {if (req instanceof XssHttpServletRequestWrapper) {return ((XssHttpServletRequestWrapper) req).getOrgRequest();}return req;}}
