SpringMVC 过滤参数的非法字符

package com.oozero.nmshop.system.filter;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.filter.OncePerRequestFilter;

import com.oozero.nmshop.system.pojo.Employee;
import com.oozero.nmshop.system.util.JNConstant;


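public class LoginSessionFilter extends OncePerRequestFilter {

    /**
     * URI fragments served without a login session. They are matched as a
     * substring of the request URI (see {@link #isIgnored(String)}), not as a
     * prefix or exact path, so any URI that contains one of these fragments
     * anywhere is let through unauthenticated.
     */
    private static final String[] ignores = new String[] { "/login.jsp", "resources", "base/user/login", "menu/init",
            "/system/loginStatistics/addString", "mutilUpload" };

    /**
     * Characters removed outright by {@link #filterDangerString(String)}.
     * The published listing also shows {@code &}, {@code <} and {@code >} being
     * replaced with themselves (probably HTML entities lost in rendering); as
     * shown those are no-ops, and {@code <}/{@code >} are removed later anyway,
     * so {@code &} is deliberately left untouched here.
     */
    private static final String STRIPPED_CHARS = "|;@'\"()+\r\n<>=/";

    /** Substring removed by {@link #filterDangerString(String)}; case-sensitive, as published. */
    private static final String STRIPPED_WORD = "script";

    /**
     * Wraps the request so parameter reads pass through
     * {@link #filterDangerString(String)}, then requires a login session for
     * URIs containing "admin" or "system" unless the URI matches {@link #ignores}.
     *
     * @param request  the current request; the rest of the chain sees a {@link Request} wrapper instead
     * @param response the current response
     * @param chain    the remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or from {@code sendRedirect}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {

        // Everything downstream reads parameters through the filtering wrapper.
        HttpServletRequest servletRequest = new Request(request);
        String contextPath = servletRequest.getContextPath();

        // NOTE(review): this emits a throw-away cookie named "name"; it does not make the
        // container's session cookie HttpOnly. That is a container setting
        // (Servlet 3.0 web.xml: <session-config><cookie-config><http-only>true</http-only>).
        // Kept as published; note setHeader() replaces any Set-Cookie already on the response.
        response.setHeader("Set-Cookie", "name=value; HttpOnly");

        // Referer check. The header is client-supplied, and a substring match on the
        // context path is satisfied by any URL that happens to contain that text.
        // With a root context ("") indexOf returns 0, so the check never fires.
        String referer = servletRequest.getHeader("Referer");
        if (referer != null && referer.indexOf(contextPath) < 0) {
            response.sendRedirect(contextPath + "/error.jsp");
            return;
        }

        HttpSession session = servletRequest.getSession();
        Employee employee = (Employee) session.getAttribute(JNConstant.LOGIN_SESSION);
        if (employee != null) {
            // Logged in: continue with the filtering wrapper.
            chain.doFilter(servletRequest, response);
            return;
        }

        String path = servletRequest.getRequestURI();
        if (isIgnored(path) || !requiresLogin(path)) {
            // Public URI, or one outside the protected "admin"/"system" areas.
            chain.doFilter(servletRequest, response);
            return;
        }

        // Not logged in on a protected URI: go to the login page, carrying the
        // originally requested URL so the login page can return to it. The value
        // is URL-encoded as a single parameter; unencoded, any "&" in the original
        // query string would be parsed as a separate parameter of login.jsp.
        String rawQuery = servletRequest.getQueryString();
        String queryString = rawQuery == null ? "" : "?" + rawQuery;
        // NOTE(review): the Host header is client-supplied, and login.jsp's handling of
        // "url" is not visible here, so whether the target is validated there is unknown.
        String original = servletRequest.getScheme() + "://" + servletRequest.getHeader("host") + path + queryString;
        response.sendRedirect(contextPath + "/login.jsp?url=" + URLEncoder.encode(original, "UTF-8"));
    }

    /** True when {@code path} contains any fragment of {@link #ignores}. */
    private static boolean isIgnored(String path) {
        for (String fragment : ignores) {
            if (path.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** True when {@code path} contains "admin" or "system", the URIs that need a session. */
    private static boolean requiresLogin(String path) {
        return path.contains("admin") || path.contains("system");
    }

    /**
     * Strips a fixed blocklist of characters and the substring "script" from a
     * parameter value. This is a lossy, case-sensitive blocklist: it mangles
     * legitimate input (e-mail addresses lose "@", dates lose "/", text loses
     * quotes and newlines) and is not a substitute for contextual output
     * encoding or parameterized queries where the value is finally used.
     *
     * @param value the raw parameter value, may be null
     * @return the filtered value, or null when {@code value} is null
     */
    public String filterDangerString(String value) {
        if (value == null) {
            return null;
        }
        // Single pass over the characters instead of one regex per character.
        StringBuilder kept = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (STRIPPED_CHARS.indexOf(c) < 0) {
                kept.append(c);
            }
        }
        // Remove the word until none is left, so removing one occurrence cannot
        // reassemble another ("scscriptript" -> "script" -> ""). Each round
        // shortens the string, so the loop terminates.
        String result = kept.toString();
        while (result.contains(STRIPPED_WORD)) {
            result = result.replace(STRIPPED_WORD, "");
        }
        return result;
    }

    /**
     * Request wrapper that filters parameter values on read. Only
     * {@link #getParameter(String)} and {@link #getParameterValues(String)} are
     * overridden; {@code getParameterMap()} is not, so values read through the
     * map bypass {@link LoginSessionFilter#filterDangerString(String)}.
     */
    class Request extends HttpServletRequestWrapper {
        public Request(HttpServletRequest request) {
            super(request);
        }

        /** Returns the filtered value, or null when the parameter is absent. */
        @Override
        public String getParameter(String name) {
            return filterDangerString(super.getParameter(name));
        }

        /**
         * Returns a filtered copy of the values, or null when the parameter is
         * absent (the published version dereferenced the null array and threw).
         */
        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) {
                return null;
            }
            String[] filtered = new String[raw.length];
            for (int i = 0; i < raw.length; i++) {
                filtered[i] = filterDangerString(raw[i]);
            }
            return filtered;
        }
    }

}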


转载自zzc1684.iteye.com/blog/2126461