防止SQL注入和XSS攻击Filter
使用IBM的安全漏洞扫描工具扫描出一堆漏洞,下面的filter主要是解决防止SQL注入和XSS攻击
一个是Filter负责将请求的request包装一下。
一个是request包装器,负责过滤掉非法的字符。
将这个过滤器配置上以后,世界总算清净多了。。
代码如下:
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- /**
- * <code>{@link CharLimitFilter}</code>
- *
- * 拦截防止sql注入
- *
- * @author Administrator
- */
- publicclass XssFilter implements Filter {
- /* (non-Javadoc)
- * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
- */
- publicvoid doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
- ServletException {
- XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
- (HttpServletRequest) request);
- filterChain.doFilter(xssRequest, response);
- }
- }
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
* <code>{@link CharLimitFilter}</code>
*
* 拦截防止sql注入
*
* @author Administrator
*/
public class XssFilter implements Filter {
/* (non-Javadoc)
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
ServletException {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
(HttpServletRequest) request);
filterChain.doFilter(xssRequest, response);
}
}
包装器:
- /**
- * <code>{@link XssHttpServletRequestWrapper}</code>
- *
- * TODO : document me
- *
- * @author Administrator
- */
- publicclass XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
- HttpServletRequest orgRequest = null;
- public XssHttpServletRequestWrapper(HttpServletRequest request) {
- super(request);
- orgRequest = request;
- }
- /**
- * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
- * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
- * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
- */
- @Override
- public String getParameter(String name) {
- String value = super.getParameter(xssEncode(name));
- if (value != null) {
- value = xssEncode(value);
- }
- return value;
- }
- /**
- * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
- * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
- * getHeaderNames 也可能需要覆盖
- */
- @Override
- public String getHeader(String name) {
- String value = super.getHeader(xssEncode(name));
- if (value != null) {
- value = xssEncode(value);
- }
- return value;
- }
- /**
- * 将容易引起xss漏洞的半角字符直接替换成全角字符
- *
- * @param s
- * @return
- */
- privatestatic String xssEncode(String s) {
- if (s == null || "".equals(s)) {
- return s;
- }
- StringBuilder sb = new StringBuilder(s.length() + 16);
- for (int i = 0; i < s.length(); i++) {
- char c = s.charAt(i);
- switch (c) {
- case'>':
- sb.append('>');//全角大于号
- break;
- case'<':
- sb.append('<');//全角小于号
- break;
- case'\'':
- sb.append('‘');//全角单引号
- break;
- case'\"':
- sb.append('“');//全角双引号
- break;
- case'&':
- sb.append('&');//全角
- break;
- case'\\':
- sb.append('\');//全角斜线
- break;
- case'#':
- sb.append('#');//全角井号
- break;
- default:
- sb.append(c);
- break;
- }
- }
- return sb.toString();
- }
- /**
- * 获取最原始的request
- *
- * @return
- */
- public HttpServletRequest getOrgRequest() {
- return orgRequest;
- }
- /**
- * 获取最原始的request的静态方法
- *
- * @return
- */
- publicstatic HttpServletRequest getOrgRequest(HttpServletRequest req) {
- if (req instanceof XssHttpServletRequestWrapper) {
- return ((XssHttpServletRequestWrapper) req).getOrgRequest();
- }
- return req;
- }
- }
web.xml文件
