在web.xml中配置的Filter如下:
<filter>
<filter-name>HazardousParametersFilter</filter-name>
<filter-class>com.galaxy.apps.common.HazardousParametersFilter</filter-class>
<init-param>
<param-name>ignoreRegex</param-name>
<param-value>/upload/mobileUploadPic</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HazardousParametersFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
可以看到url-pattern的设置里面过滤的url规则是/*,如果要把/upload/mobileUploadPic排除在过滤url之外。
可以结合init-param的初始化参数和HttpServletRequest的getServletPath()方法来判断。
<init-param>
<param-name>ignoreRegex</param-name>
<param-value>/upload/mobileUploadPic</param-value>
</init-param>
下面是是过滤器HazardousParametersFilter中的具体操作
package com.galaxy.apps.common;
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.galaxy.apps.utils.HazardousParameterHelper;
import com.jovtec.galaxy.util.RequestHelper;
import com.jovtec.galaxy.util.StringHelper;
public class HazardousParametersFilter implements Filter {
private static final Log logger = LogFactory.getLog("SecurityLogger");
private String ignoreRegex;
private String[] ignoreRegexArray;
public String getIgnoreRegex() {
return ignoreRegex;
}
public void setIgnoreRegex(String ignoreRegex) {
this.ignoreRegex = ignoreRegex;
}
public String[] getIgnoreRegexArray() {
return ignoreRegexArray;
}
public void setIgnoreRegexArray(String[] ignoreRegexArray) {
this.ignoreRegexArray = ignoreRegexArray;
}
public void init(FilterConfig filterConfig) throws ServletException {
ignoreRegex = filterConfig.getInitParameter("ignoreRegex");
if (StringUtils.isNotEmpty(ignoreRegex)) {
ignoreRegexArray = ignoreRegex.split(",");
}
return;
}
public void destroy() {
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
String requestURI = request.getRequestURI();
boolean isExcludedPage = false;
for (String page : ignoreRegexArray) {// 判断是否在过滤url之外
if (request.getServletPath().equals(page)) {
isExcludedPage = true;
break;
}
}
// 如果得不到URI,或者URI是后台地址,则直接返回
if (StringHelper.isEmpty(requestURI) || requestURI.startsWith("/portal/") || isExcludedPage) {
filterChain.doFilter(servletRequest, servletResponse);
return;
}
// TODO html、shtml如何优化性能?也需要过滤,否则shtml的include无法进入本filter
// TODO 忽略ignoreRegex指定的URL,/portal/也应该到这个里面去忽略
boolean hasHazardous = false;
Map pm = servletRequest.getParameterMap();
if (pm != null && !pm.isEmpty()) { // 性能优化
Set keySet = pm.keySet();
for (Iterator iterator = keySet.iterator(); iterator.hasNext();) {
String key = (String) iterator.next();
String[] values = (String[]) pm.get(key);
if (HazardousParameterHelper.hasHazardousChar(values)) {
hasHazardous = true;
break;
}
}
}
// 如果有风险字符,则将其转义,记录日志,继续执行程序
if (hasHazardous) {
logger.info("该URL接收了风险字符参数:" + request.getRequestURL() + ",客户IP:" + request.getRemoteAddr() + ",参数列表:"
+ RequestHelper.getParameterMapToString(pm));
HazardousRequestWrapper hazReqWrapper = new HazardousRequestWrapper(request);
filterChain.doFilter(hazReqWrapper, servletResponse);
} else {
filterChain.doFilter(servletRequest, servletResponse);
}
}
}
完~