java Filter 并发问题? 400 报错
java Filter 并发问题? 400 报错
filter代码如下
package com.zdmoney.laocaibao.common.filter;/**
* Created by pc05 on 2017/6/5.
*/
import com.zdmoney.laocaibao.common.client.ClientEnum;
import com.zdmoney.laocaibao.common.utils.CommonUtils;
import com.zdmoney.laocaibao.common.utils.HtmlFilterUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Map;
import java.util.Vector;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* 描述 : xss攻击过滤器
*
* @author : huangcy
* @create : 2017-06-05 10:04
* @email : huangcy01@zendaimoney.com
**/
public class XssFilter extends OncePerRequestFilter {
private String exclude = null; //不需要过滤的路径集合
private Pattern pattern = null; //匹配不需要过滤路径的正则表达式
public void setExclude(String exclude) {
this.exclude = exclude;
pattern = Pattern.compile(getRegStr(exclude));
}
/**
* XSS过滤
*/
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
System.out.println("********************"+request.getAttribute(getAlreadyFilteredAttributeName())+"&&"+request+"&&"+request.getParameterMap()+"&&"+request.isSecure()+request.isAsyncStarted()+request.isAsyncSupported()+request.isRequestedSessionIdValid());
StringBuffer requestURL = request.getRequestURL();
if(StringUtils.contains(requestURL,"/credit")){
request.getSession().setAttribute("clientPath", CommonUtils.getClientPath(ClientEnum.BORROWER));
}else {
request.getSession().setAttribute("clientPath", CommonUtils.getClientPath(ClientEnum.FINANCIAL));
}
String requestURI = request.getRequestURI();
if(StringUtils.isNotBlank(requestURI))
requestURI = requestURI.replace(request.getContextPath(),"");
if(pattern.matcher(requestURI).matches())
filterChain.doFilter(request, response);
else{
EscapeScriptwrapper escapeScriptwrapper = new EscapeScriptwrapper(request);
filterChain.doFilter(escapeScriptwrapper, response);
}
}
/**
* 将传递进来的不需要过滤得路径集合的字符串格式化成一系列的正则规则
* @param str 不需要过滤的路径集合
* @return 正则表达式规则
* */
private String getRegStr(String str){
if(StringUtils.isNotBlank(str)){
String[] excludes = str.split(";"); //以分号进行分割
int length = excludes.length;
for(int i=0;i<length;i++){
String tmpExclude = excludes[i];
//对点、反斜杠和星号进行转义
tmpExclude = tmpExclude.replace("\\", "\\\\").replace(".", "\\.").replace("*", ".*");
tmpExclude = "^" + tmpExclude + "$";
excludes[i] = tmpExclude;
}
return StringUtils.join(excludes, "|");
}
return str;
}
/**
* 继承HttpServletRequestWrapper,创建装饰类,以达到修改HttpServletRequest参数的目的
* */
public class EscapeScriptwrapper extends HttpServletRequestWrapper {
private Map<String, String[]> parameterMap; //所有参数的Map集合
public EscapeScriptwrapper(HttpServletRequest request) {
super(request);
parameterMap = request.getParameterMap();
}
/**
* 获取所有参数名
* @return 返回所有参数名
* */
@Override
public Enumeration<String> getParameterNames() {
Vector<String> vector = new Vector<String>(parameterMap.keySet());
return vector.elements();
}
/**
* 获取指定参数名的值,如果有重复的参数名,则返回第一个的值
* 接收一般变量 ,如text类型
*
* @param name 指定参数名
* @return 指定参数名的值
* */
@Override
public String getParameter(String name) {
String[] results = parameterMap.get(name);
if(results == null || results.length <= 0) {
return null;
}else{
return escapeXSS(results[0]);
}
}
/**
* 获取指定参数名的所有值的数组,如:checkbox的所有数据
* 接收数组变量 ,如checkobx类型
* */
@Override
public String[] getParameterValues(String name) {
String[] results = parameterMap.get(name);
if(results == null || results.length <= 0)
return null;
else{
int length = results.length;
for(int i=0;i<length;i++){
results[i] = escapeXSS(results[i]);
}
return results;
}
}
/**
* 过滤字符串中的js脚本
* 解码:StringEscapeUtils.unescapeXml(escapedStr)
* */
private String escapeXSS(String str){
str = HtmlFilterUtils.htmlEncode(str);
Pattern tmpPattern = Pattern.compile("[sS][cC][rR][iI][pP][tT]");
Matcher tmpMatcher = tmpPattern.matcher(str);
if(tmpMatcher.find()){
str = tmpMatcher.replaceAll(tmpMatcher.group(0) + "\\\\");
}
return str;
}
}
}
web.xml配置
<filter>
<filter-name>xssFilter</filter-name>
<filter-class>com.zdmoney.laocaibao.common.filter.XssFilter</filter-class>
<init-param>
<param-name>exclude</param-name>
<param-value>/static/*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>xssFilter</filter-name>
<url-pattern>/*</url-pattern>
<!-- 直接从客户端过来的请求以及通过forward过来的请求都要经过该过滤器 -->
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>多个请求有的能获取到数据有的获取不到数据
展开
收起
版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
相关问答
问答排行榜
最热
最新
推荐问答
相关文章
相关电子书
更多
