防止SQL注入和XSS攻擊Filter

今天系統使用IBM的安全漏洞掃描工具掃描出一堆漏洞，下面的Filter主要用來防止SQL注入和XSS攻擊。

一個是Filter負責將請求的request包裝一下。

一個是request包裝器,負責過濾掉非法的字元。

將這個過濾器配置上以後，世界總算清淨多了。

程式碼如下:


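import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * {@link XssFilter}
 *
 * Wraps each HTTP request in an {@link XssHttpServletRequestWrapper} before
 * handing it down the chain, so that parameter and header values read through
 * the wrapper have characters commonly used in injection payloads replaced by
 * their full-width equivalents.
 *
 * NOTE: this is input substitution, not output encoding. It does not replace
 * parameterized SQL ({@code PreparedStatement}) or context-aware HTML escaping
 * at the point where values are rendered; those remain the primary controls.
 *
 * @author Administrator
 */
public class XssFilter implements Filter {

    /**
     * Reads no configuration; declared because the Servlet {@code Filter}
     * interface (before 4.0) requires an implementation.
     *
     * @param filterConfig the container-supplied configuration (unused)
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    /**
     * Wraps {@code request} and continues the chain.
     *
     * A request that is not an {@link HttpServletRequest} is passed through
     * unwrapped rather than failing with a {@code ClassCastException}.
     *
     * @param request the incoming request
     * @param response the outgoing response, passed through untouched
     * @param filterChain the remainder of the filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        ServletRequest wrapped = request;
        if (request instanceof HttpServletRequest) {
            wrapped = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        filterChain.doFilter(wrapped, response);
    }

    /** Holds no resources, so there is nothing to release. */
    @Override
    public void destroy() {
        // no resources held
    }
}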


包裝器:


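/**
 * {@link XssHttpServletRequestWrapper}
 *
 * Request wrapper that replaces the half-width characters commonly used in XSS
 * and injection payloads ({@code < > ' " & \ #}) with their full-width Unicode
 * equivalents in the values returned by {@link #getParameter(String)},
 * {@link #getParameterValues(String)} and {@link #getHeader(String)}.
 *
 * Not covered by this wrapper: {@code getParameterMap()},
 * {@code getParameterNames()}, {@code getHeaders(String)},
 * {@code getQueryString()}, cookies and the request body
 * ({@code getInputStream()} / {@code getReader()}). Code that reads through
 * those methods still sees the raw values. Character substitution is also not a
 * replacement for {@code PreparedStatement} parameters or for escaping values
 * according to the output context in which they are rendered.
 *
 * @author Administrator
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** The request exactly as handed to the constructor, before any substitution. */
    final HttpServletRequest orgRequest;

    /**
     * @param request the request to wrap; also retained as the original request
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Overrides {@code getParameter} so that both the parameter name and its
     * value are passed through {@link #xssEncode(String)}. The raw value is still
     * reachable through {@code super.getParameter(name)}.
     *
     * Because the name is encoded before the lookup, a parameter whose name
     * contains one of the substituted characters will not be found.
     *
     * @param name the parameter name
     * @return the encoded value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        // xssEncode returns null unchanged, so no separate null branch is needed
        return xssEncode(super.getParameter(xssEncode(name)));
    }

    /**
     * Overrides {@code getParameterValues} with the same substitution as
     * {@link #getParameter(String)}, so multi-valued parameters cannot be used to
     * read raw values around the filter.
     *
     * @param name the parameter name
     * @return a new array of encoded values, or {@code null} when absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(xssEncode(name));
        if (raw == null) {
            return null;
        }
        // copy rather than mutate: the container may own and reuse the array
        String[] encoded = new String[raw.length];
        for (int i = 0; i < raw.length; i++) {
            encoded[i] = xssEncode(raw[i]);
        }
        return encoded;
    }

    /**
     * Overrides {@code getHeader} so that both the header name and its value are
     * passed through {@link #xssEncode(String)}. The raw value is still reachable
     * through {@code super.getHeaders(name)}; {@code getHeaderNames} and
     * {@code getHeaders} are not overridden.
     *
     * @param name the header name
     * @return the encoded header value, or {@code null} when absent
     */
    @Override
    public String getHeader(String name) {
        return xssEncode(super.getHeader(xssEncode(name)));
    }

    /**
     * Replaces half-width characters that commonly appear in XSS payloads with
     * their full-width counterparts. The output has the same length as the input.
     *
     * Replacements are written as Unicode escapes so the result does not depend on
     * the source-file encoding used at compile time.
     *
     * @param s the string to encode; may be {@code null}
     * @return the encoded string, or {@code s} itself when it is {@code null} or empty
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('\uFF1E'); // full-width greater-than sign
                    break;
                case '<':
                    sb.append('\uFF1C'); // full-width less-than sign
                    break;
                case '\'':
                    sb.append('\uFF07'); // full-width apostrophe
                    break;
                case '"':
                    sb.append('\uFF02'); // full-width quotation mark
                    break;
                case '&':
                    sb.append('\uFF06'); // full-width ampersand
                    break;
                case '\\':
                    sb.append('\uFF3C'); // full-width reverse solidus
                    break;
                case '#':
                    sb.append('\uFF03'); // full-width number sign
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    /**
     * Returns the request as received by the constructor, before any substitution.
     *
     * @return the original, unwrapped request
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Static helper that unwraps one level of {@link XssHttpServletRequestWrapper}.
     * Any other request type is returned as-is.
     *
     * @param req the request that may be wrapped
     * @return the original request when {@code req} is this wrapper, else {@code req}
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}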