Recently I needed to write an XSS filter that runs every request parameter sent to the site through XSS filtering; the filtering API used is antisamy-1.4.4.
Java code
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class XssFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(XssFilter.class);
    /** AntiSamy policy file, loaded from the classpath once at init(). */
    public static final String POLICY_FILE_LOCATION = "antisamy-slashdot-1.4.4.xml";

    private List<String> filterChainDefinitions = new ArrayList<String>();
    // Compiled once in the setter; Pattern.matches() would recompile on every request.
    private List<Pattern> uriPatterns = new ArrayList<Pattern>();
    // Parsing the policy XML on every parameter is expensive; parse it once and share it.
    // AntiSamy.scan() builds a fresh scanner per call, so one AntiSamy instance is safe to share.
    private Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // DelegatingFilterProxy only calls this when targetFilterLifecycle=true (see web.xml).
        InputStream in = XssFilter.class.getClassLoader().getResourceAsStream(POLICY_FILE_LOCATION);
        if (in == null) {
            throw new ServletException("AntiSamy policy not found on classpath: " + POLICY_FILE_LOCATION);
        }
        try {
            policy = Policy.getInstance(in);
        } catch (PolicyException e) {
            // Refuse to start without a policy rather than run with no filtering.
            throw new ServletException("Cannot parse AntiSamy policy " + POLICY_FILE_LOCATION, e);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String uri = stripContextPath(httpRequest);
        Map<String, String[]> params = httpRequest.getParameterMap();
        if (matchUri(uri)) {
            params = cleanParameters(params);
        }
        // ParameterRequestWrapper (not shown on this page) must override getParameter,
        // getParameterValues and getParameterMap so the servlet only sees the cleaned map.
        ParameterRequestWrapper wrapRequest = new ParameterRequestWrapper(httpRequest, params);
        chain.doFilter(wrapRequest, response);
    }

    private static String stripContextPath(HttpServletRequest request) {
        String path = request.getContextPath();
        String uri = request.getRequestURI();
        // Strip only the leading context path; String.replace() would also remove later occurrences.
        return (path.length() > 0 && uri.startsWith(path)) ? uri.substring(path.length()) : uri;
    }

    /**
     * Returns a new map with every value scanned. The container's own parameter map is
     * never mutated; the original code wrote back into the container's String[] in place.
     */
    private Map<String, String[]> cleanParameters(Map<String, String[]> params) {
        Map<String, String[]> cleaned = new HashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String[] values = entry.getValue();
            String[] cleanValues = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleanValues[i] = scan(values[i]);
            }
            cleaned.put(entry.getKey(), cleanValues);
        }
        return cleaned;
    }

    /**
     * Runs one value through AntiSamy. If the scan fails the value is replaced with an
     * empty string rather than passed through unfiltered, so the filter fails closed.
     * Note that getCleanHTML() returns serialized HTML: characters such as '&' and '<'
     * come back entity-encoded even in values that were never meant to be HTML.
     */
    private String scan(String content) {
        if (content == null) {
            return null;
        }
        try {
            CleanResults cr = antiSamy.scan(content, policy);
            return cr.getCleanHTML();
        } catch (ScanException e) {
            log.warn("AntiSamy scan failed; dropping parameter value", e);
            return "";
        } catch (PolicyException e) {
            log.warn("AntiSamy policy error; dropping parameter value", e);
            return "";
        }
    }

    private boolean matchUri(String uri) {
        for (Pattern pattern : uriPatterns) {
            if (pattern.matcher(uri).matches()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }

    public List<String> getFilterChainDefinitions() {
        return filterChainDefinitions;
    }

    public void setFilterChainDefinitions(List<String> filterChainDefinitions) {
        this.filterChainDefinitions = filterChainDefinitions;
        List<Pattern> compiled = new ArrayList<Pattern>();
        for (String definition : filterChainDefinitions) {
            compiled.add(Pattern.compile(definition));
        }
        this.uriPatterns = compiled;
    }
}
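The filter hands the cleaned map to a ParameterRequestWrapper, but the page does not show that class. The following is an added minimal version, not code from the original post; it assumes the constructor signature the filter uses (request plus a Map of String to String[]) and nothing else. The important detail is that all of getParameter, getParameterValues, getParameterMap and getParameterNames are overridden: a wrapper that only overrides getParameter still lets a servlet reach the unfiltered values through the other accessors.

```java
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that serves a replacement parameter map in place of the
 * container's own. Assumed shape of the class the filter above refers to.
 */
public class ParameterRequestWrapper extends HttpServletRequestWrapper {
    private final Map<String, String[]> params;

    public ParameterRequestWrapper(HttpServletRequest request, Map<String, String[]> params) {
        super(request);
        // Defensive copy: later changes by the caller cannot alter what the servlet sees.
        this.params = Collections.unmodifiableMap(new HashMap<String, String[]>(params));
    }

    @Override
    public String getParameter(String name) {
        String[] values = params.get(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = params.get(name);
        // Clone so a servlet cannot mutate the shared array.
        return values == null ? null : values.clone();
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        return params;
    }

    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(params.keySet());
    }
}
```

getHeader, getQueryString and the request body are deliberately left untouched: the filter only claims to clean parameters, and a servlet that parses the raw query string or a JSON body itself still receives the original input.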
application-context-security.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd"
default-lazy-init="true">
<description>Security Config</description>
<!-- XSS Filter (target bean of the DelegatingFilterProxy declared in web.xml) -->
<bean id="xssFilter" class="com.shurrik.security.XssFilter">
<property name="filterChainDefinitions">
<list>
<!-- <value>^/module.*</value> -->
<value>^/.*</value>
</list>
</property>
</bean>
</beans>
web.xml
<!-- Xss filter-->
<filter>
<filter-name>xssFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>xssFilter</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>xssFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
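Before mapping the filter to /* it is worth seeing what AntiSamy actually does to parameter values, because it is an HTML sanitizer rather than a plain-text escaper. The following is an added check, not part of the original post; it assumes antisamy-1.4.4 and the same antisamy-slashdot-1.4.4.xml policy on the classpath, and the four sample values are constructed for the test. Script elements and javascript: URLs are removed, but a plain value such as "Tom & Jerry" comes back with its '&' entity-encoded, which is why a filter applied to every parameter (passwords, search terms, JSON bodies) can alter legitimate input. Treat the filter as defence in depth and keep output encoding in the views as the primary XSS control.

```java
import java.io.InputStream;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class AntiSamyParamCheck {
    // Constructed samples: allowed markup with a script, a javascript: link, and two plain-text values.
    private static final String[] SAMPLES = {
        "<b>hello</b><script>alert(document.cookie)</script>",
        "<a href=\"javascript:alert(1)\">link</a>",
        "Tom & Jerry",
        "price < 100"
    };

    public static void main(String[] args) throws Exception {
        InputStream in = AntiSamyParamCheck.class.getClassLoader()
                .getResourceAsStream("antisamy-slashdot-1.4.4.xml");
        if (in == null) {
            throw new IllegalStateException("policy file not on classpath");
        }
        Policy policy = Policy.getInstance(in);
        AntiSamy antiSamy = new AntiSamy();

        for (String sample : SAMPLES) {
            CleanResults cr = antiSamy.scan(sample, policy);
            String clean = cr.getCleanHTML();
            System.out.println("in : " + sample);
            System.out.println("out: " + clean);
            // AntiSamy reports what it removed or changed; useful when tuning the policy.
            System.out.println("err: " + cr.getErrorMessages());

            // The property the filter relies on: no script element or javascript: URL survives.
            String lower = clean.toLowerCase();
            if (lower.contains("<script") || lower.contains("javascript:")) {
                throw new IllegalStateException("unsafe content survived sanitization: " + clean);
            }
        }
    }
}
```

Run it once against the policy you deploy; if the plain-text samples come back changed in a way your application cannot tolerate, narrow the filterChainDefinitions patterns to the URLs that really accept HTML instead of matching ^/.*.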