防御XSS和SQL注入的關鍵字黑名單過濾器（注意：下面的過濾器並不能防御CSRF——它沒有任何令牌或Origin/Referer校驗，CSRF需要同步令牌、SameSite Cookie等機制；關鍵字黑名單也只能作為縱深防御，不能替代參數化查詢和輸出編碼）
package cn.bizws.ismp.common.web;
/**
 * @author www.bizws.cn Tom
 */
import java.io.File;
import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
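/**
 * Keyword-blacklist request filter: rejects any request whose parameter values
 * contain one of the configured tokens, then hands the request to
 * {@code XssHttpServletRequestWrapperV1} for the configured replacement/logging.
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>Despite the original description, nothing here defends against CSRF:
 *       there is no synchronizer token, Origin/Referer or SameSite check.</li>
 *   <li>Tokens are matched as case-insensitive <em>substrings</em>, so the list
 *       produces false positives ("brand" contains "and") and is bypassable.
 *       This is defence in depth only; SQL injection must be prevented with
 *       {@code PreparedStatement} and XSS with context-aware output encoding.</li>
 *   <li>Only request parameters are inspected. Headers, cookies and raw request
 *       bodies (JSON, multipart) are not.</li>
 *   <li>Blocked input is written to the container log, never into the exception
 *       message: the container's default error page may render that message
 *       unescaped, which would turn this filter into a reflected-XSS sink.</li>
 * </ul>
 *
 * <p>Init parameters: {@code FilterChar} (token list), {@code SplitChar}
 * (separator; passed to {@code String.split}, so it is a regex),
 * {@code ReplaceChar} and {@code WriteLog} (both only forwarded to the wrapper).
 *
 * @author www.bizws.cn Tom
 */
public class XssFilterV1 implements Filter {
    private String filterChar;
    private String replaceChar;
    private String splitChar;
    private String writeLog;
    /** Tokens exactly as split from FilterChar; passed unchanged to the request wrapper. */
    private String[] filterChars;
    /** Trimmed, lower-cased, non-empty tokens used for this filter's own check. */
    private String[] normalizedFilterChars;
    FilterConfig filterConfig = null;
    /** Per-day log file handed to the request wrapper (name fixed at init; it does not roll at midnight). */
    private File file;

    /**
     * Reads the init parameters, builds the token list and creates the log file.
     * A missing FilterChar/SplitChar no longer NPEs (which took the whole webapp
     * down at startup); the filter then simply has nothing to block, and says so
     * in the container log.
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        this.filterChar = filterConfig.getInitParameter("FilterChar");
        this.replaceChar = filterConfig.getInitParameter("ReplaceChar");
        this.splitChar = filterConfig.getInitParameter("SplitChar");
        this.writeLog = filterConfig.getInitParameter("WriteLog"); // whether the wrapper should log
        if (filterChar == null || splitChar == null) {
            filterConfig.getServletContext().log(
                    "XssFilterV1: FilterChar or SplitChar init-param missing; no parameters will be blocked");
            filterChars = new String[0];
        } else {
            filterChars = filterChar.split(splitChar);
        }
        normalizedFilterChars = normalizeTokens(filterChars);
        file = createDailyLogFile(filterConfig);
    }

    /**
     * Trims and lower-cases each token and drops empty ones. The original
     * lower-cased only the value, so an upper-case token in web.xml never
     * matched; and an empty token (e.g. from "@@") matches every value via
     * {@code "".indexOf("") == 0}, blocking every request.
     */
    private static String[] normalizeTokens(String[] raw) {
        List<String> tokens = new ArrayList<String>(raw.length);
        for (String t : raw) {
            String normalized = t.trim().toLowerCase(Locale.ROOT);
            if (!normalized.isEmpty()) {
                tokens.add(normalized);
            }
        }
        return tokens.toArray(new String[tokens.size()]);
    }

    /**
     * Creates {@code <webapp root>/logs/yyyyMMdd.log} as the original did, but
     * with {@code File.separator} (the hard-coded backslash only worked on
     * Windows) and a fallback to {@code java.io.tmpdir} when the context has no
     * real path (unexploded WAR), where the old code wrote to "null\logs".
     * Failures are reported to the container log instead of stderr; the filter
     * keeps working without the file.
     */
    private static File createDailyLogFile(FilterConfig config) {
        String root = config.getServletContext().getRealPath("");
        if (root == null) {
            root = System.getProperty("java.io.tmpdir");
            config.getServletContext().log("XssFilterV1: getRealPath(\"\") is null, logging under " + root);
        }
        File dir = new File(root, "logs");
        if (!dir.exists() && !dir.mkdirs()) {
            config.getServletContext().log("XssFilterV1: could not create log directory " + dir);
        }
        // SimpleDateFormat is not thread-safe; a local instance avoids sharing a static one.
        DateFormat dayFormat = new SimpleDateFormat("yyyyMMdd");
        File logFile = new File(dir, dayFormat.format(new Date()) + ".log");
        try {
            if (!logFile.exists()) {
                logFile.createNewFile();
            }
        } catch (Exception e) {
            // createNewFile can throw IOException or SecurityException; log creation is best-effort.
            config.getServletContext().log("XssFilterV1: could not create log file " + logFile, e);
        }
        return logFile;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Rejects the request if any value of any parameter contains a blacklisted
     * token; otherwise continues the chain with the request wrapped in
     * {@code XssHttpServletRequestWrapperV1}.
     *
     * <p>All values are checked via {@code getParameterValues}: the original
     * used {@code getParameter}, i.e. only the first value, so
     * {@code ?id=1&id=<payload>} passed through unchecked.
     *
     * @throws ServletException when a blocked token is found; the message names
     *         only the (trusted, config-sourced) token, never the request input
     */
    public void doFilter(ServletRequest request,
            ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        Enumeration<String> names = request.getParameterNames();
        while (names != null && names.hasMoreElements()) {
            String parameterName = names.nextElement();
            String[] values = request.getParameterValues(parameterName);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                String hit = findBlockedToken(value);
                if (hit != null) {
                    // Details go to the server log (truncated, line breaks stripped to avoid log forging),
                    // not into the exception that the container may echo back to the client.
                    filterConfig.getServletContext().log("XssFilterV1: blocked token '" + hit
                            + "' in parameter '" + forLog(parameterName) + "' value '" + forLog(value) + "'");
                    throw new ServletException("Request rejected: parameter contains blocked token '" + hit + "'");
                }
            }
        }
        chain.doFilter(new XssHttpServletRequestWrapperV1(
                (HttpServletRequest) request, filterChars, file, writeLog,
                response), servletResponse);
    }

    /**
     * Returns the first configured token (in config order) contained in
     * {@code value}, compared case-insensitively on the trimmed value, or null.
     * Empty values are never blocked, as in the original.
     */
    private String findBlockedToken(String value) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        String probe = value.trim().toLowerCase(Locale.ROOT);
        for (String token : normalizedFilterChars) {
            if (probe.indexOf(token) > -1) {
                return token;
            }
        }
        return null;
    }

    /** Makes attacker-controlled text safe for a single log line: strips CR/LF and caps the length. */
    private static String forLog(String s) {
        if (s == null) {
            return "null";
        }
        String oneLine = s.replaceAll("[\\r\\n]", " ");
        return oneLine.length() > 200 ? oneLine.substring(0, 200) + "..." : oneLine;
    }
}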
在web.xml中對過濾器進行配置（注意：下面只映射了 *.action、*.jspx、*.htm、*.jsp 四種後綴，無後綴或REST風格路徑的請求不會經過此過濾器；未聲明 dispatcher 時默認只攔截 REQUEST，forward/include 不會再次檢查）
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>cn.bizws.ismp.common.web.XssFilterV1</filter-class>
    <!-- SplitChar is handed to String.split(), i.e. it is a regular expression; '@' is safe as a literal. -->
    <init-param>
      <param-name>SplitChar</param-name>
      <param-value>@</param-value>
    </init-param>
    <!-- WriteLog is only forwarded to the request wrapper; the filter itself creates the
         daily log file under <webroot>/logs at init regardless of this value. -->
    <init-param>
      <param-name>WriteLog</param-name>
      <param-value>false</param-value>
    </init-param>
    <!-- Blacklist tokens. The filter lower-cases each parameter value and checks whether any token
         occurs as a SUBSTRING (indexOf), not as a whole word, so expect false positives:
         "and" rejects "brand", "net" rejects "internet", "form" rejects "information",
         "mid" rejects "midnight", and the single quote rejects names such as O'Brien.
         Tokens are trimmed before matching, so the line breaks below are harmless, but never
         leave an empty entry (e.g. "@@"): "".indexOf("") is 0, so an empty token blocks every
         request. This list is a heuristic only and does not replace PreparedStatement and
         output encoding. -->
    <init-param>
      <param-name>FilterChar</param-name>
      <param-value>
select@insert@delete@update
@from@count@'@drop@table@truncate
@asc@declare@mid@char
@xp_cmdshell@exec@master@localgroup
@administrators@and@net@create user@net
@script@input@form@;
</param-value>
    </init-param>
    <init-param>
      <param-name>ReplaceChar</param-name>
      <param-value></param-value>
    </init-param>
  </filter>
  <!-- Only these four extensions pass through the filter; extension-less or REST-style URLs bypass it.
       No <dispatcher> is declared, so only REQUEST dispatches are checked (forwards/includes are not). -->
  <filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>*.action</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>*.jspx</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>*.htm</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
轉載于:https://blog.51cto.com/xuliangjun/1550244