防御CSRF、XSS和SQL注入***
过滤器package cn.bizws.ismp.common.web;
/**
* @author www.bizws.cn Tom
*/
import java.io.File;
import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* 防御CSRF、XSS和SQL注入***
* @author www.bizws.cn Tom
*/
public> private String filterChar;
private String replaceChar;
private String splitChar;
private String writeLog;
private String[] filterChars;
FilterConfig filterConfig = null;
private static DateFormat dateFormat = new SimpleDateFormat("yyyyMMdd");
private static File file;
public void init(FilterConfig filterConfig) throws ServletException {
this.filterChar = filterConfig.getInitParameter("FilterChar");
this.replaceChar = filterConfig.getInitParameter("ReplaceChar");
this.splitChar = filterConfig.getInitParameter("SplitChar");
this.writeLog = filterConfig.getInitParameter("WriteLog"); // 获取是否记录日志的参数
this.filterConfig = filterConfig;
filterChars = filterChar.split(splitChar);
String filePath = filterConfig.getServletContext().getRealPath("")
+ "\\logs\\";
file = new File(filePath);
if (!file.exists()) {
file.mkdirs();
}
filePath += dateFormat.format(new Date()) + ".log";
file = new File(filePath);
try {
if (!file.exists()) {
file.createNewFile();
}
} catch (Exception e) {
e.printStackTrace();
}
}
public void destroy() {
this.filterConfig = null;
}
public void doFilter(ServletRequest request,
ServletResponse servletResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) servletResponse;
Enumeration enumeration = request.getParameterNames();
while (enumeration.hasMoreElements()) {
String parameterName = enumeration.nextElement();
String parameterValue = request.getParameter(parameterName) == null ? ""
: request.getParameter(parameterName);
if (!parameterValue.equals("")) {
for (int i = 0; i < filterChars.length; i++) {
// if (parameterValue.toLowerCase().trim()
// .startsWith((filterChars.trim())) ||parameterValue.toLowerCase().trim()
// .endsWith((filterChars.trim()))) {
if (parameterValue.toLowerCase().trim()
.indexOf((filterChars.trim()))>-1) {
throw new ServletException("拦截到了SQL注入参数参数名:"
+ parameterName + " 参数值:" + parameterValue);
}
}
}
}
chain.doFilter(new XssHttpServletRequestWrapperV1(
(HttpServletRequest) request, filterChars, file, writeLog,
response), servletResponse);
}
}
在web.xml中对过滤器进行配置
XssFilter
cn.bizws.ismp.common.web.XssFilterV1
SplitChar
@
WriteLog
false
FilterChar
select@insert@delete@update
@from@count@'@drop@table@truncate
@asc@declare@mid@char
@xp_cmdshell@exec@master@localgroup
@administrators@and@net@create user@net
@script@input@form@;
ReplaceChar
XssFilter
*.action
XssFilter
*.jspx
XssFilter
*.htm
XssFilter
*.jsp
页:
[1]