ajax (get方法) 使用base64 加密参数,后台拦截request 统一解密。
1>ajax 统一对参数进行base64加密
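// Global jQuery hook: for every GET request, replace the query string with a single
// `xssContent` parameter holding its Base64 text. Base64 is a reversible encoding, not
// encryption — it hides nothing from anyone reading the request; the server side only
// needs it so it can restore the original parameters (see LangFilter).
$.ajaxSetup({
    contentType: "application/x-www-form-urlencoded;charset=utf-8",
    // jQuery invokes beforeSend as (jqXHR, settings); `settings` is what the original code
    // read as arguments[1]. NOTE(review): for GET requests jQuery is expected to have already
    // appended `data` to settings.url at this point — confirm against the jQuery version in use.
    beforeSend: function (jqXHR, settings) {
        try {
            if (settings.type.toLocaleLowerCase() == "get") {
                var url = settings.url;
                var queryStart = url.indexOf("?");
                // indexOf returns -1 (truthy) when there is no "?", so the check must be explicit;
                // otherwise BASE64.encode would be called with undefined.
                if (queryStart !== -1) {
                    var path = url.substring(0, queryStart);
                    var query = url.substring(queryStart + 1);
                    // Base64 output may contain '+', '/' and '=', none of which survive a URL
                    // unescaped ('+' turns into a space on the server); percent-encode it.
                    settings.url = path + "?xssContent=" + encodeURIComponent(BASE64.encode(query));
                }
            }
        } catch (e) {
            console.log(e);
            // hook for request logging
        }
    },
    processData: true
});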
2>后台解密
LangFilter.java
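public class LangFilter implements Filter {
    /** Request parameter that carries the Base64 text of the original query string. */
    private static final String ENCODED_PARAM = "xssContent";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    /**
     * Rebuilds the request parameters from the Base64-encoded {@code xssContent} parameter.
     * <p>
     * When the parameter is present and decodes to at least one {@code name=value} pair, the
     * decoded pairs <em>replace</em> the whole parameter map (including {@code xssContent}
     * itself); otherwise the request's own parameters are passed through unchanged. Base64 is
     * an encoding, not encryption, so the decoded values are exactly as untrusted as plain
     * query parameters: any filter that validates request parameters must be mapped after this
     * one, or it only ever sees the Base64 text.
     *
     * @param servletRequest  the incoming request; a non-HTTP request is passed through untouched
     * @param servletResponse the response, passed through unchanged
     * @param filterChain     the remaining chain, invoked with a {@link ChangeRequestWrapper}
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        ChangeRequestWrapper wrapper = new ChangeRequestWrapper((HttpServletRequest) servletRequest);
        // The container's parameter map is read-only; work on a copy that can be swapped out.
        Map<String, String[]> parameterMap = new HashMap<>(wrapper.getParameterMap());
        String[] encoded = parameterMap.get(ENCODED_PARAM);
        // Check the array length too: an empty array would otherwise throw on encoded[0].
        if (encoded != null && encoded.length > 0) {
            Map<String, String[]> decoded = decodeParameters(encoded[0]);
            if (!decoded.isEmpty()) {
                // Replace only when something was decoded; an undecodable or empty payload
                // leaves the original parameters (xssContent included) in place instead of
                // wiping them.
                parameterMap = decoded;
            }
            wrapper.setParameterMap(parameterMap);
        }
        filterChain.doFilter(wrapper, servletResponse);
    }

    /**
     * Decodes a Base64 query string into a parameter map.
     *
     * @param encoded the Base64 text
     * @return the decoded {@code name -> [value]} pairs; empty when the text is not valid
     *         Base64 or holds no pairs
     */
    private static Map<String, String[]> decodeParameters(String encoded) {
        Map<String, String[]> result = new HashMap<>();
        String decoded = BASE64Util.decode(encoded);
        if (decoded == null || decoded.isEmpty()) {
            return result;
        }
        Map<String, Object> pairs = MapUtil.formSerializeToMap(decoded);
        if (pairs != null) {
            for (Map.Entry<String, Object> pair : pairs.entrySet()) {
                result.put(pair.getKey(), new String[]{String.valueOf(pair.getValue())});
            }
        }
        return result;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}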
ChangeRequestWrapper.java
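public class ChangeRequestWrapper extends HttpServletRequestWrapper {
    /** Parameter map served by this wrapper in place of the wrapped request's own map. */
    private Map<String, String[]> parameterMap;

    /**
     * Wraps {@code request}, initially exposing the request's own parameters.
     *
     * @param request the request to wrap
     */
    public ChangeRequestWrapper(HttpServletRequest request) {
        super(request);
        parameterMap = request.getParameterMap();
    }

    /**
     * Returns the names of all parameters in the current map.
     *
     * @return an enumeration over the parameter names
     */
    @Override
    public Enumeration<String> getParameterNames() {
        return java.util.Collections.enumeration(parameterMap.keySet());
    }

    /**
     * Returns the first value of the named parameter (the usual case for text inputs).
     *
     * @param name the parameter name
     * @return the first value, or {@code null} when the parameter is absent or has no values
     */
    @Override
    public String getParameter(String name) {
        String[] values = parameterMap.get(name);
        // An empty value array is treated like an absent parameter rather than indexing past it.
        return (values != null && values.length > 0) ? values[0] : null;
    }

    /**
     * Returns every value of the named parameter (e.g. all ticked checkboxes of one name).
     *
     * @param name the parameter name
     * @return the value array, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return parameterMap.get(name);
    }

    /**
     * Returns the current parameter map as a read-only view, as the Servlet API specifies.
     *
     * @return an unmodifiable view of the parameter map
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        return java.util.Collections.unmodifiableMap(parameterMap);
    }

    /**
     * Replaces the parameter map served by this wrapper.
     *
     * @param parameterMap the new map; must not be {@code null}
     * @throws NullPointerException if {@code parameterMap} is {@code null}
     */
    public void setParameterMap(Map<String, String[]> parameterMap) {
        if (parameterMap == null) {
            throw new NullPointerException("parameterMap");
        }
        this.parameterMap = parameterMap;
    }
}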
编写web.xml
<filter>
    <filter-name>RequestlFilter</filter-name>
    <filter-class>com.xxxx.xxxx.filter.LangFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RequestlFilter</filter-name>
    <!-- NOTE(review): the Servlet spec treats a bare "*" as an exact-match pattern;
         a path mapping that covers every request is written "/*". -->
    <url-pattern>*</url-pattern>
</filter-mapping>
工具类
Base64 加解密
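/**
 * Base64 helpers built on {@code java.util.Base64} (the {@code sun.misc} codec is not available
 * on Java 9+). Base64 is a reversible encoding, not encryption: it provides no confidentiality
 * or integrity, so encoded input must be validated exactly like plain input.
 */
public final class BASE64Util {
    private BASE64Util() {
    }

    /**
     * Base64-encodes a string, using its UTF-8 bytes.
     *
     * @param base the string to encode
     * @return the Base64 text, without line breaks
     * @throws NullPointerException if {@code base} is {@code null}
     */
    public static final String encode(String base) {
        // Explicit charset: the platform default differs between machines.
        return encode(base.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }

    /**
     * Base64-encodes a byte array.
     *
     * @param baseBuff the bytes to encode
     * @return the Base64 text, without line breaks (the old sun.misc encoder inserted one every
     *         76 characters, which does not survive inside a URL)
     * @throws NullPointerException if {@code baseBuff} is {@code null}
     */
    public static final String encode(byte[] baseBuff) {
        return java.util.Base64.getEncoder().encodeToString(baseBuff);
    }

    /**
     * Decodes Base64 text into a UTF-8 string.
     *
     * @param encoder the Base64 text; line breaks and other non-alphabet characters are ignored,
     *                so output of the old line-wrapping encoder still decodes
     * @return the decoded string, or {@code null} when the input is {@code null} or not valid
     *         Base64 (callers treat {@code null} as "nothing to decode")
     */
    public static final String decode(String encoder) {
        if (encoder == null) {
            return null;
        }
        try {
            byte[] buf = java.util.Base64.getMimeDecoder().decode(encoder);
            return new String(buf, java.nio.charset.StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // Malformed Base64 (e.g. a dangling partial unit): report as "not decodable".
            return null;
        }
    }
}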
MapUtil.java
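public class MapUtil {
    /** Logger for parse failures. */
    private static final Logger logger = LoggerFactory.getLogger(MapUtil.class);

    /**
     * Converts form-serialized text ({@code k1=v1&k2=v2}, as produced by jQuery's
     * {@code serialize()}) into a map.
     * <p>
     * Keys and values are URL-decoded, so {@code +} becomes a space and {@code %xx} escapes are
     * restored. Only the first {@code =} separates key from value, so a value that itself
     * contains {@code =} is kept whole, and {@code key=} maps to the empty string. A token
     * without any {@code =} is skipped. When the text holds no {@code &}, {@code #} is tried as
     * the pair separator (behaviour kept from the original implementation).
     *
     * @param args the serialized text; may be {@code null} or empty
     * @return a mutable map of parameter name to its String value; empty when nothing parsed
     */
    public static Map<String, Object> formSerializeToMap(String args) {
        Map<String, Object> map = new HashMap<String, Object>();
        if (args == null || args.length() == 0) {
            return map;
        }
        String[] kvs = args.split("&");
        if (kvs.length <= 1) {
            // No '&' separator found: fall back to '#'.
            kvs = args.split("#");
        }
        for (String kv : kvs) {
            if (kv == null || kv.length() == 0) {
                continue;
            }
            // Limit 2 keeps any '=' inside the value and yields an empty value for "key=".
            String[] kvAry = kv.split("=", 2);
            if (kvAry.length != 2) {
                continue;
            }
            String key = urlDecode(kvAry[0].trim());
            if (key.length() == 0) {
                continue;
            }
            map.put(key, urlDecode(kvAry[1].trim()));
        }
        return map;
    }

    /**
     * URL-decodes {@code s} as UTF-8.
     *
     * @param s the percent-encoded text
     * @return the decoded text, or {@code s} itself when it is not valid URL encoding
     */
    private static String urlDecode(String s) {
        try {
            return java.net.URLDecoder.decode(s, "UTF-8");
        } catch (java.io.UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; this cannot happen.
            throw new IllegalStateException("UTF-8 is not supported", e);
        } catch (IllegalArgumentException e) {
            // Malformed escape sequence: keep the raw text rather than failing the request.
            // Only the length is logged; the text is request data and may be sensitive.
            logger.debug("Malformed URL-encoded text ({} chars) kept as-is", s.length());
            return s;
        }
    }

    /**
     * Concatenates the first value of every submitted parameter that did not come from the URL
     * query string (no separator between values).
     *
     * @param parameterMap all submitted parameters
     * @param queryString  the URL query string; its parameter names are excluded
     * @return the concatenated values, or the empty string when {@code parameterMap} is
     *         {@code null} or empty
     */
    public static String getFormAllValues(Map<String, String[]> parameterMap, String queryString) {
        if (parameterMap == null || parameterMap.isEmpty()) {
            return "";
        }
        String[] urlKeys = getQueryStringKey(queryString);
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            if (isQueryKey(urlKeys, entry.getKey())) {
                continue;
            }
            String[] values = entry.getValue();
            if (values != null && values.length > 0) {
                sb.append(values[0]);
            }
        }
        return sb.toString();
    }

    /**
     * Tells whether {@code key} matches one of the URL query keys, ignoring case.
     *
     * @param urlKeys the query string keys
     * @param key     the parameter name to look up
     * @return {@code true} when a case-insensitive match exists
     */
    private static boolean isQueryKey(String[] urlKeys, String key) {
        for (String urlKey : urlKeys) {
            if (urlKey.equalsIgnoreCase(key)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts the parameter names from a query string.
     * NOTE(review): names are not URL-decoded here, so a percent-encoded name would not match
     * the container's decoded parameter name — confirm what callers pass in.
     *
     * @param queryString the raw query string
     * @return the names, in order; empty when the query string is blank
     */
    private static String[] getQueryStringKey(String queryString) {
        if (queryString == null || queryString.trim().length() == 0) {
            return new String[0];
        }
        String[] qs = queryString.split("&");
        for (int i = 0; i < qs.length; i++) {
            int eq = qs[i].indexOf('=');
            // A bare token has no '=': keep it whole instead of substring(0, -1) blowing up.
            if (eq >= 0) {
                qs[i] = qs[i].substring(0, eq);
            }
        }
        return qs;
    }
}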