写了个XssFilter,然后包装了HttpServletRequestWrapper,但是继承的getParameter和getParameterValues不起作用

xjcyxyx 发布于 2016/05/19 10:01

1、Web.xml配置


<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <welcome-file-list>
        <welcome-file>/index.jsp</welcome-file>
    </welcome-file-list>
    <!-- Only 404 is mapped to a custom page; other status codes and unhandled exceptions
         fall back to the container's default error page, which may expose stack traces. -->
    <error-page>
        <error-code>404</error-code>
        <location>/error.jsp</location>
    </error-page>

    <!-- Location of the Spring configuration files -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath*:conf/spring/*.xml</param-value>
    </context-param>

    <!-- Spring listener that bootstraps the application context -->
    <!-- Loads the ApplicationContext configuration automatically -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!-- Prevents a memory leak by flushing the JavaBeans Introspector cache on shutdown -->
    <listener>
        <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
    </listener>
    <!-- Binds the current request to the handling thread so request-scoped beans
         can be resolved outside the DispatcherServlet -->
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>

    <!-- Spring's character-encoding filter: forces request encoding to UTF-8 to avoid garbled
         Chinese text. Filters run in the order of their filter-mapping elements, so this one
         runs before XssFilter and the XSS wrapper sees already-decoded parameters. -->
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <!-- Whether async dispatch is supported; defaults to false -->
        <async-supported>true</async-supported>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Druid data source: collects web/JDBC correlated monitoring data -->
    <filter>
        <filter-name>WebStatFilter</filter-name>
        <filter-class>com.alibaba.druid.support.http.WebStatFilter</filter-class>
        <init-param>
            <param-name>exclusions</param-name>
            <param-value>*.js,*.gif,*.jpg,*.png,*.css,*.ico,/druid/*</param-value>
        </init-param>
        <init-param>
            <param-name>profileEnable</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>WebStatFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- XSS protection: wraps the request in XssHttpServletRequestWrapper so that the
         overridden accessors (getHeader/getParameter/getParameterValues) hand out escaped
         values. The escaping is applied lazily, only when application code reads through
         the wrapped request; nothing is rewritten in the raw request.
         Unlike encodingFilter, this filter does not declare async-supported. If the
         DispatcherServlet below (which does) ever starts async processing, every filter on
         the chain must declare it or the container rejects the request. -->
    <filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>com.xujincai.filter.XssFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Session filter (currently disabled) -->
    <!--<filter>-->
    <!--<filter-name>SessionFilter</filter-name>-->
    <!--<filter-class>com.xujincai.filter.SessionFilter</filter-class>-->
    <!--</filter>-->
    <!--<filter-mapping>-->
    <!--<filter-name>SessionFilter</filter-name>-->
    <!--<url-pattern>*.html</url-pattern>-->
    <!--</filter-mapping>-->
    <!-- Session expiry time in minutes (disabled, so the container default applies) -->
    <!--<session-config>-->
    <!--<session-timeout>10</session-timeout>-->
    <!--</session-config>-->

    <servlet>
        <servlet-name>wechat</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <async-supported>true</async-supported>
    </servlet>
    <servlet-mapping>
        <servlet-name>wechat</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>WechatServlet</servlet-name>
        <servlet-class>com.xujincai.servlet.WechatServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>WechatServlet</servlet-name>
        <url-pattern>/WechatServlet</url-pattern>
    </servlet-mapping>

    <!-- Druid monitoring console, exposed at /druid/*. The login credentials below are a
         trivially guessable default committed to the deployment descriptor; move them to
         environment-specific configuration, restrict access by source address (Druid's
         StatViewServlet accepts allow/deny init-params), or drop the servlet in production. -->
    <servlet>
        <servlet-name>DruidStatView</servlet-name>
        <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
        <init-param>
            <param-name>loginUsername</param-name>
            <param-value>root</param-value>
        </init-param>
        <init-param>
            <param-name>loginPassword</param-name>
            <param-value>123456</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>DruidStatView</servlet-name>
        <url-pattern>/druid/*</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>OAuthServlet</servlet-name>
        <servlet-class>com.xujincai.servlet.OAuthServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>OAuthServlet</servlet-name>
        <url-pattern>/OAuthServlet</url-pattern>
    </servlet-mapping>

</web-app>

2、XssFilter


package com.xujincai.filter;

import com.xujincai.wrapper.XssHttpServletRequestWrapper;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Created by on 2016/5/18.
 */
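@WebFilter(filterName = "XssFilter")
public class XssFilter implements Filter {

    /** Nothing to release: this filter holds no resources. */
    @Override
    public void destroy() {
    }

    /**
     * Passes the request down the chain wrapped in {@link XssHttpServletRequestWrapper},
     * so that later reads of headers and parameters through the request object return
     * escaped values. The wrapper is only effective for reads that go through it; nothing
     * is rewritten here.
     *
     * @param req   the incoming request; wrapped only when it is an {@link HttpServletRequest}
     * @param resp  the response, passed through unchanged
     * @param chain the remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws ServletException, IOException {
        if (req instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) req), resp);
        } else {
            // A non-HTTP request has no headers/parameters to escape; the original code
            // would have thrown ClassCastException here instead of letting it through.
            chain.doFilter(req, resp);
        }
    }

    /** No configuration is read. */
    @Override
    public void init(FilterConfig config) throws ServletException {
    }

}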



3、XssHttpServletRequestWrapper



package com.xujincai.wrapper;

import org.apache.commons.lang3.StringUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Created by on 2016/5/18.
 */
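/**
 * Request wrapper that HTML-escapes {@code <} and {@code >} in the header and
 * parameter values it hands out, so tags embedded in request data are not
 * reflected verbatim when a view echoes them.
 *
 * <p>The overrides only run when something calls them on the wrapped request
 * that the filter chain passes along (application code, or a framework binding
 * request data on its behalf). Accessors not overridden here, such as
 * {@code getHeaders}, {@code getQueryString} or the request body, return raw data.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; must not be {@code null}
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Returns the escaped header value, or {@code null} when the header is absent. */
    @Override
    public String getHeader(String name) {
        return processXss(super.getHeader(name));
    }

    /** Returns the escaped parameter value, or {@code null} when the parameter is absent. */
    @Override
    public String getParameter(String name) {
        return processXss(super.getParameter(name));
    }

    /**
     * Returns escaped copies of every value of the named parameter.
     *
     * @return a new array of escaped values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        // super returns null for an unknown parameter; the original code dereferenced the
        // array unconditionally and, more importantly, copied the values without escaping them.
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Returns a read-only map of parameter names to escaped values.
     *
     * <p>Frameworks that bind request data in bulk often read the whole map rather than
     * individual parameters, so leaving this accessor unwrapped would let raw values
     * bypass the escaping applied by the other overrides.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> escaped = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        // The servlet API specifies the returned map as immutable.
        return Collections.unmodifiableMap(escaped);
    }

    /** Escapes each element into a fresh array; {@code null} in, {@code null} out. */
    private String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = processXss(values[i]);
        }
        return escaped;
    }

    /**
     * Replaces {@code <} and {@code >} with their HTML entities.
     *
     * <p>This only neutralises tag injection in HTML text content. {@code &}, {@code "}
     * and {@code '} are left alone, so a value placed inside an attribute, a URL or a
     * script block still needs context-appropriate output encoding in the view layer.
     *
     * @param value raw request value, may be {@code null}
     * @return the escaped value; {@code null} and the empty string are returned as-is
     */
    private String processXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // Literal replacement; the original used replaceAll, which compiles a regex per call.
        return value.replace("<", "&lt;").replace(">", "&gt;");
    }
}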



4、在浏览器直接输入localhost:8080/wechat/test.html?abc=abc测试


后台打印出来的日志为

只输出了getHeader,而getParameter和getParameterValues都没打印出来,说明两个方法根本就没进入,我debug调试也是如此,没有进入。

为什么,请大神指点。先谢为上。


雨宫修平

你没调用,怎么会进去。

你在你的Control层随便写个getParameter('xxx');就好了。

就是相当于重写request里面的方法而已。

雨宫修平
回复 @首席龍魂 : 你试试就知道了。我以前写过这个。
xjcyxyx
不应该吧,你的意思要在Controller中调用重写方法,那样的话filter还有什么意义呢,并且,getHeader方法也木有调用,怎么会进去呢,按理说getParameter、getParameterValues应该和getHeader一样的处理机制吧。
aways


当你的Controller里面执行 req.getParameter("abc") 时,就会执行到 XssHttpServletRequestWrapper 的 getParameter 方法,因为你重写了 HttpServletRequestWrapper 这个类下面的方法。

可以看下基础:http://www.runoob.com/java/java-override-overload.html(java 重写和重载)
