Spring 防御CSRF、XSS和SQL注入攻击

对每个post请求的参数过滤一些关键字,替换成安全的,例如:< > ' " \ /  # &

方法是实现一个自定义的HttpServletRequestWrapper,然后在Filter里面调用它,替换掉getParameter函数即可。

首先添加一个XssHttpServletRequestWrapper:

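package com.ibm.web.beans;

import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that HTML-entity-encodes the characters {@code & < > " ' ( )} in request
 * parameters and headers before the application sees them.
 *
 * <p>Only {@link #getParameter}, {@link #getParameterValues}, {@link #getParameterMap} and
 * {@link #getHeader} are overridden. A request body read through {@code getInputStream()} or
 * {@code getReader()} (for example a JSON payload) is passed through untouched, and values
 * that reach a page through any other path still need output-side encoding in the view.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * @param parameter the parameter name
     * @return the encoded values for {@code parameter}, or {@code null} when it is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        return cleanValues(super.getParameterValues(parameter));
    }

    /**
     * @param parameter the parameter name
     * @return the encoded value for {@code parameter}, or {@code null} when it is absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns the parameter map with every value encoded. Without this override the wrapper
     * would delegate to the raw request, so code reading parameters through
     * {@code getParameterMap()} would receive the unencoded values.
     *
     * @return an unmodifiable map of encoded parameter values
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanValues(entry.getValue()));
        }
        // The servlet API documents the parameter map as immutable; keep that contract.
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Returns the named header with the same encoding applied. This alters every header, so
     * values such as {@code Referer} or {@code User-Agent} that legitimately contain
     * {@code &}, {@code (} or {@code )} will not round-trip unchanged.
     *
     * @param name the header name
     * @return the encoded header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /** Encodes each element of {@code values}; a {@code null} array yields {@code null}. */
    private static String[] cleanValues(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return encoded;
    }

    /**
     * Replaces {@code & < > " ' ( )} with HTML entities in a single pass.
     *
     * <p>Encoding is used instead of stripping keywords such as {@code script}: stripping
     * also destroys ordinary text ("description" would become "de"), and once the angle
     * brackets and quotes are encoded a tag, attribute or {@code eval(...)} call cannot be
     * formed from the value anyway. {@code &} is encoded as well so that an entity already
     * present in the input is shown literally rather than decoded by the browser.
     *
     * @param value the raw value, never {@code null}
     * @return the encoded value
     */
    private static String cleanXSS(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&#34;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                case '(':
                    out.append("&#40;");
                    break;
                case ')':
                    out.append("&#41;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }
}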


然后添加一个过滤器XssFilter :

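package com.ibm.web.beans;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that wraps each HTTP request in {@link XssHttpServletRequestWrapper} so
 * that downstream code reads encoded parameter and header values.
 */
public class XssFilter implements Filter {

    FilterConfig filterConfig = null;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps HTTP requests before passing them down the chain. A request that is not an
     * {@link HttpServletRequest} is forwarded unchanged instead of failing with a
     * ClassCastException on the cast.
     *
     * @param request the incoming request
     * @param response the outgoing response, passed through unchanged
     * @param chain the remaining filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }
}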



最后在web.xml里面配置一下,所有请求的getParameter都会经过替换,如果参数里面含有敏感词就会被替换掉:

  <!-- Registers XssFilter for every URL. Only the REQUEST dispatcher is listed, so
       FORWARD / INCLUDE / ERROR dispatches are not wrapped by this mapping. -->
  <filter>
     <filter-name>XssSqlFilter</filter-name>
     <filter-class>com.ibm.web.beans.XssFilter</filter-class>
  </filter>
  <filter-mapping>
     <filter-name>XssSqlFilter</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
