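package com.oozero.nmshop.system.filter;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.filter.OncePerRequestFilter;

import com.oozero.nmshop.system.pojo.Employee;
import com.oozero.nmshop.system.util.JNConstant;

/**
 * Servlet filter with two jobs: it wraps every request so that parameter values are
 * passed through {@link #filterDangerString(String)} before a controller reads them,
 * and it redirects requests for the admin/system area to {@code /login.jsp} when no
 * {@link Employee} is stored in the HTTP session under {@link JNConstant#LOGIN_SESSION}.
 */
public class LoginSessionFilter extends OncePerRequestFilter {

    /**
     * URI fragments that are let through without a logged-in employee.
     * NOTE(review): these are matched with {@code String.contains} against the raw
     * request URI, so a URI that merely contains one of them anywhere (not just as a
     * path prefix) skips the login check. Tightening this to a prefix match needs the
     * real URL layout, which this file does not show; kept as-is for compatibility.
     */
    private static final String[] IGNORE_PATTERNS = { "/login.jsp", "resources", "base/user/login",
            "menu/init", "/system/loginStatistics/addString", "mutilUpload" };

    /** Only URIs containing one of these markers require a login (original behaviour). */
    private static final String[] PROTECTED_MARKERS = { "admin", "system" };

    /**
     * Tokens removed from parameter values, in the order the original applied them
     * (order matters only for the "script" token: characters removed before it cannot be
     * used to break it up). Pure-literal matching via {@code String.replace}.
     */
    private static final String[] DANGER_TOKENS = { "|", ";", "@", "'", "\"", "(", ")", "+", "\r", "\n",
            "script", ">", "<", "=", "/" };

    /**
     * Applies the parameter-sanitising wrapper and the login check.
     *
     * @param request  the incoming request; it is wrapped so that {@code getParameter}
     *                 and {@code getParameterValues} return sanitised values
     * @param response the response used for redirects
     * @param chain    the remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or from {@code sendRedirect}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest wrapped = new Request(request);

        // Kept for compatibility. This only emits a dummy cookie named "name": it does NOT
        // make the container's session cookie HttpOnly (that is <cookie-config><http-only>
        // in web.xml), and setHeader() replaces any Set-Cookie header already present.
        response.setHeader("Set-Cookie", "name=value; HttpOnly");

        String contextPath = wrapped.getContextPath();
        String referer = wrapped.getHeader("Referer");
        // The Referer header is client-supplied and often absent, so this is a hot-link /
        // CSRF speed bump rather than an authorisation check. A substring test also passes
        // any URL that contains the context path anywhere, and a root deployment (empty
        // context path) can never fail it.
        if (referer != null && !referer.contains(contextPath)) {
            response.sendRedirect(contextPath + "/error.jsp");
            return;
        }

        // getSession(false): do not create a session for every anonymous request (static
        // resources, scanners); the original getSession() did so implicitly.
        HttpSession session = wrapped.getSession(false);
        Employee employee = session == null ? null : (Employee) session.getAttribute(JNConstant.LOGIN_SESSION);
        if (employee != null) {
            chain.doFilter(wrapped, response);
            return;
        }

        String path = wrapped.getRequestURI();
        if (isIgnored(path) || !isProtected(path)) {
            // Login page / allow-listed resources, or a URI outside the protected area.
            chain.doFilter(wrapped, response);
            return;
        }

        // Not logged in and inside the protected area: send to the login page, passing the
        // originally requested URL so login.jsp can return there.
        String query = wrapped.getQueryString();
        String returnTo = query == null ? path : path + "?" + query;
        // Context-relative target instead of "http://" + Host header: the Host header is
        // client-supplied, so an absolute URL built from it could point the post-login
        // return anywhere. URL-encoded so a query string inside it cannot split the
        // "url" parameter.
        response.sendRedirect(contextPath + "/login.jsp?url=" + URLEncoder.encode(returnTo, "UTF-8"));
    }

    /** True when the URI contains one of the allow-listed fragments. */
    private static boolean isIgnored(String path) {
        for (String fragment : IGNORE_PATTERNS) {
            if (path.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** True when the URI contains one of the markers of the login-protected area. */
    private static boolean isProtected(String path) {
        for (String marker : PROTECTED_MARKERS) {
            if (path.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips the characters and tokens in {@link #DANGER_TOKENS} from a parameter value.
     *
     * <p>This is a removal-based deny-list, kept for compatibility with existing callers.
     * It is not a substitute for contextual output encoding (HTML/JS/URL) and
     * parameterised queries: it damages legitimate input (e-mail addresses lose their
     * {@code @}, URLs their {@code /} and {@code =}, the word "description" its
     * "script"), the {@code script} match is case-sensitive, and a single removal pass
     * can leave a forbidden token behind when fragments re-join. Treat values returned
     * here as still untrusted.
     *
     * <p>The original used {@code replaceAll} with escaped regexes; {@code String.replace}
     * is literal and equivalent for these fixed strings. The original's mapping of
     * {@code &} to itself was a no-op and has been dropped.
     *
     * @param value raw parameter value, may be {@code null}
     * @return the value with the listed tokens removed, or {@code null} when
     *         {@code value} is {@code null}
     */
    public static String filterDangerString(String value) {
        if (value == null) {
            return null;
        }
        String cleaned = value;
        for (String token : DANGER_TOKENS) {
            cleaned = cleaned.replace(token, "");
        }
        return cleaned;
    }

    /**
     * Request wrapper that sanitises parameter values on the way out.
     *
     * <p>NOTE(review): only {@code getParameter} and {@code getParameterValues} are
     * overridden; values read through {@code getParameterMap()} (which Spring's data
     * binding may use) bypass the filter. Overriding it is left out here because it
     * would change behaviour for existing bindings.
     */
    static class Request extends HttpServletRequestWrapper {

        public Request(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            // Sanitise before handing the value back.
            return filterDangerString(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) {
                // Missing parameter: the original dereferenced null here and threw NPE.
                return null;
            }
            // Return a sanitised copy rather than mutating the container's array in place.
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleaned[i] = filterDangerString(values[i]);
            }
            return cleaned;
        }
    }
}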
SpringMVC 过滤参数的非法字符
转载自zzc1684.iteye.com/blog/2126461