package com.test.commom.filter;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.dispatcher.Dispatcher;
import org.apache.struts2.dispatcher.ng.InitOperations;
import org.apache.struts2.dispatcher.ng.filter.FilterHostConfig;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import com.ky.ba.common.util.WebToolUtils;
import com.ky.core.Configuration;
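/**
 * Servlet filter that screens incoming requests before they reach Struts.
 *
 * <p>In order it: lets whitelisted URLs through untouched, hides {@code /main.action} on the
 * node configured as the public-facing server, rejects an XML "template" parameter on the
 * dispatch action, refuses requests whose {@code Referer} names a foreign host, and finally
 * checks every parameter name and (non-JSON) parameter value against the rules in
 * {@code XssSecurityManager}. A request that fails any check is answered here and never
 * reaches the rest of the chain.
 *
 * <p>The Struts {@link Dispatcher} is bootstrapped in {@link #init} so that multipart requests
 * can be wrapped and their parameters inspected like ordinary ones.
 */
public class XssAndSqlFilter implements Filter {

    /** Content type of every rejection page this filter writes. */
    private static final String REJECT_CONTENT_TYPE = "text/html;charset=UTF-8";

    /** Struts dispatcher built in {@link #init}; used only to wrap requests in {@link #doFilter}. */
    private Dispatcher dispatcher;

    /**
     * Bootstraps the Struts dispatcher the same way the Struts prepare filter does.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException if Struts initialisation fails
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        InitOperations init = new InitOperations();
        dispatcher = null;
        try {
            FilterHostConfig config = new FilterHostConfig(filterConfig);
            init.initLogging(config);
            dispatcher = init.initDispatcher(config);
        } finally {
            // Release per-init state even when initDispatcher threw.
            if (dispatcher != null) {
                dispatcher.cleanUpAfterInit();
            }
            init.cleanup();
        }
    }

    /**
     * Runs the checks described on the class and either answers the request here or hands it to
     * the next filter.
     *
     * @param request  the incoming request; must be an {@link HttpServletRequest}
     * @param response the outgoing response; must be an {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      if writing the response fails
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String url = req.getRequestURI();

        // Whitelisted URLs skip every check below.
        if (XssSecurityManager.urlNotNeedToFilter(url)) {
            chain.doFilter(req, response);
            return;
        }

        // /main.action is hidden on the node whose local IP is the configured "internetIP".
        // getLocalIP() is guarded against null so a lookup failure cannot turn into a 500.
        String internetIP = Configuration.getProperty("internetIP");
        String serverIP = WebToolUtils.getLocalIP();
        if (serverIP != null && serverIP.equals(internetIP) && "/main.action".equals(url)) {
            res.sendRedirect("/error_404.ftl");
            return;
        }

        // Dispatch action: a "template" parameter naming an xml template is refused.
        // getParameterValues returns null when the parameter is absent; appendValues copes.
        if (XssSecurityManager.dispatchValidate(url)) {
            StringBuilder templateValue = new StringBuilder();
            appendValues(templateValue, req.getParameterValues("template"), false);
            if (templateValue.indexOf("xml") >= 0) {
                reject(res, "无效的请求!");
                return;
            }
        }

        // Cross-site request check: the Referer host must be this server. Only the host part
        // is compared (a bare substring match would accept a foreign URL that merely contains
        // our name in its path or query). Requests without a Referer are still let through,
        // as before; a mismatch is answered with 403 instead of being forwarded onward.
        String referer = req.getHeader("Referer");
        if (referer != null && !refererMatchesServer(referer, request.getServerName())) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Wrap through Struts so multipart requests expose their parameters as well.
        req = dispatcher.wrapRequest(req);

        // Collect all parameter names, and all values that are not JSON, for validation.
        // Values are deliberately not echoed to stdout: they may carry credentials.
        StringBuilder paramName = new StringBuilder();
        StringBuilder paramValues = new StringBuilder();
        Enumeration<?> params = req.getParameterNames();
        while (params.hasMoreElements()) {
            String name = params.nextElement().toString();
            paramName.append(name);
            appendValues(paramValues, req.getParameterValues(name), true);
        }

        if (XssSecurityManager.paramValidate(paramName.toString())) {
            reject(res, "您发送请求中的参数中含有非法字符!");
            return;
        }
        if (XssSecurityManager.paramValueValidate(paramValues.toString())) {
            reject(res, "<script language='javascript'>alert('您发送请求中含有非法字符!');</script>");
            return;
        }

        // Every check passed.
        chain.doFilter(req, response);
    }

    /** Releases the dispatcher created in {@link #init}. */
    @Override
    public void destroy() {
        if (dispatcher != null) {
            dispatcher.cleanup();
            dispatcher = null;
        }
    }

    /**
     * Appends the entries of {@code values} to {@code out}.
     *
     * @param out      target buffer
     * @param values   parameter values, may be {@code null} (parameter absent)
     * @param skipJson when {@code true}, values that {@code XssSecurityManager.isNotJsonFormat}
     *                 classifies as JSON are left out, mirroring the value check's original rule
     */
    private static void appendValues(StringBuilder out, String[] values, boolean skipJson) {
        if (values == null) {
            return;
        }
        for (String value : values) {
            if (value == null) {
                continue;
            }
            if (!skipJson || XssSecurityManager.isNotJsonFormat(value)) {
                out.append(value);
            }
        }
    }

    /**
     * Returns whether the host named by {@code referer} is {@code serverName}.
     * An unparseable Referer, or one without a host, does not match.
     */
    private static boolean refererMatchesServer(String referer, String serverName) {
        try {
            String host = new URI(referer).getHost();
            return host != null && host.equalsIgnoreCase(serverName);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Writes {@code body} as the rejection page; the caller returns right after. */
    private static void reject(HttpServletResponse res, String body) throws IOException {
        res.setContentType(REJECT_CONTENT_TYPE);
        res.getWriter().write(body);
    }
}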