解决方案:servlet配置过滤器
框架原来使用过滤器是Acegi Filter Chain Proxy。
自己新添加了一个过滤器,同样过滤/*请求
1.首先配置web.xml,添加自己的过滤器setCharacterEncoding
<!-- Acegi security filter chain. Servlet filters are invoked in the order of
     their <filter-mapping> elements, so with the mappings below this chain
     runs BEFORE setCharacterEncoding. NOTE(review): if the encoding must be
     in effect when Acegi reads login form parameters, the
     setCharacterEncoding mapping has to be listed first - confirm. -->
<filter>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<filter-class>
org.acegisecurity.util.FilterToBeanProxy
</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>
org.acegisecurity.util.FilterChainProxy
</param-value>
</init-param>
</filter>
<!-- Request-sanitising filter (Host-header allow-list read from host.properties
     plus a token denylist on URL, query string and parameters). NOTE(review):
     the "encoding" init-param is only honoured if EncodingFilter.init() reads
     it; in the listing below init() is empty, so confirm the encoding is
     actually applied. -->
<filter>
<filter-name>setCharacterEncoding</filter-name>
<filter-class>gov.mof.fasp.ifmis.common.EncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>utf-8</param-value>
</init-param>
</filter>
<!-- Both filters are mapped to /*: every request, including static resources
     and the /506.jsp page that EncodingFilter redirects blocked requests to,
     passes through them. Keep the block page's path free of denylisted tokens
     or the redirect itself would be blocked. -->
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>setCharacterEncoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2.过滤器方法,重写doFilter()
package gov.mof.fasp.ifmis.common;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.MissingResourceException;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
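/**
 * Request-sanitising servlet filter added in response to a vulnerability scan.
 *
 * <p>For every request the filter
 * <ol>
 *   <li>applies the character encoding given by the {@code encoding} init-param
 *       (web.xml) before the request body is parsed,</li>
 *   <li>rejects the request unless its {@code Host} header exactly matches one of
 *       the entries listed under the {@code host} key of {@code host.properties}
 *       (defence against Host-header attacks), and</li>
 *   <li>rejects the request if its URL, query string, or any parameter name or
 *       value contains one of the tokens in {@link #checkLegal(String)}.</li>
 * </ol>
 * Rejected requests are redirected to {@code /506.jsp} under the context path.
 *
 * <p>Differences from the original version: the Host comparison is an exact
 * per-entry match instead of a substring test (and a missing header is rejected
 * instead of throwing), all values of a multi-valued parameter are checked rather
 * than only the first, and URL, query string and parameters are all checked for
 * every HTTP method. The token check remains a literal denylist: it is a coarse
 * first line of defence and does not replace output encoding in the views.
 *
 * <p>Fields are written in {@link #init(FilterConfig)} only; the container
 * guarantees that completes before {@link #doFilter} is called.
 */
public class EncodingFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(EncodingFilter.class.getName());

    /** Base name of the resource bundle (host.properties) holding the allowed hosts. */
    private static final String HOST_BUNDLE = "host";

    /** Key inside the bundle whose value lists the allowed Host header values. */
    private static final String HOST_KEY = "host";

    /** Name of the web.xml init-param carrying the request character encoding. */
    private static final String ENCODING_PARAM = "encoding";

    /** Page an illegal request is redirected to, relative to the context path. */
    private static final String BLOCK_PAGE = "/506.jsp";

    /**
     * Lower-case tokens that mark a value as illegal. Values are lower-cased before
     * the comparison, so each tag is listed in its literal and percent-encoded
     * spelling. This is the same token set as the original inline condition.
     */
    private static final String[] FORBIDDEN_TOKENS = {
        "<script>", "%3cscript%3e", "</script>", "%3c%2fscript%3e",
        "<frame>", "%3cframe%3e", "</frame>", "%3c%2fframe%3e",
        "<iframe>", "%3ciframe%3e", "</iframe>", "%3c%2fiframe",
        "<a href", "%3ca%20href",
        "alert(", "eval(", "redirect"
    };

    /** Allowed Host header values, loaded once in init(); empty until then, i.e. fail closed. */
    private String[] allowedHosts = new String[0];

    /** Encoding from the init-param, or null when none is configured. */
    private String encoding;

    /**
     * Nothing to release: the filter holds no connections or threads.
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy() {
    }

    /**
     * Reads the {@code encoding} init-param and the allowed host list.
     *
     * <p>The host list is loaded here rather than per request so that a missing or
     * empty {@code host.properties} fails the deployment instead of failing every
     * request at runtime.
     *
     * @param filterConfig filter configuration from web.xml
     * @throws ServletException if the host bundle or its {@code host} key is missing
     *         or lists no host
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String configuredEncoding = filterConfig.getInitParameter(ENCODING_PARAM);
        if (configuredEncoding != null && configuredEncoding.trim().length() > 0) {
            encoding = configuredEncoding.trim();
        } else {
            encoding = null;
        }
        try {
            String configuredHosts = ResourceBundle.getBundle(HOST_BUNDLE).getString(HOST_KEY);
            allowedHosts = splitHosts(configuredHosts);
        } catch (MissingResourceException e) {
            throw new ServletException(
                    "Resource bundle '" + HOST_BUNDLE + "' or its key '" + HOST_KEY + "' is missing", e);
        }
        if (allowedHosts.length == 0) {
            throw new ServletException(
                    "Key '" + HOST_KEY + "' in bundle '" + HOST_BUNDLE + "' lists no allowed host");
        }
    }

    /**
     * Validates the request and either blocks it or passes it down the chain.
     *
     * @param servletRequest incoming request (must be an HttpServletRequest)
     * @param servletResponse outgoing response (must be an HttpServletResponse)
     * @param filterChain remainder of the filter chain
     * @throws IOException from the redirect, the chain, or an unsupported encoding name
     * @throws ServletException from the chain
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Must run before the first getParameter*() call below: the container decodes
        // the body once, with whatever encoding is in effect at that moment. Only set
        // it when the request does not already declare one.
        if (encoding != null && request.getCharacterEncoding() == null) {
            request.setCharacterEncoding(encoding);
        }

        boolean legal = isAllowedHost(request.getHeader("host"))
                && checkLegal(request.getRequestURL().toString())
                && checkLegal(request.getQueryString())
                && parametersLegal(request);

        if (!legal) {
            // Log the raw path only (not the query string or parameters) so the
            // rejected payload itself does not end up in the log.
            LOG.warning("Blocked request with illegal host or character sequence from "
                    + request.getRemoteAddr() + " to " + request.getRequestURI());
            response.sendRedirect(request.getContextPath() + BLOCK_PAGE);
            return;
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Checks a single value against the token denylist.
     *
     * <p>Null and blank values are legal. Matching is case-insensitive and uses a
     * fixed locale, so it does not depend on the JVM default locale (under some
     * locales {@code "I".toLowerCase()} is not {@code "i"}, which would let a
     * mixed-case tag slip past).
     *
     * @param tmpStr value to check
     * @return true if the value contains none of the forbidden tokens, false otherwise
     */
    public boolean checkLegal(String tmpStr) {
        if (tmpStr == null || tmpStr.trim().length() == 0) {
            return true;
        }
        String lowered = tmpStr.toLowerCase(Locale.ENGLISH);
        for (int i = 0; i < FORBIDDEN_TOKENS.length; i++) {
            if (lowered.indexOf(FORBIDDEN_TOKENS[i]) > -1) {
                return false;
            }
        }
        return true;
    }

    /**
     * Exact, case-insensitive match of the Host header against the configured list.
     *
     * <p>A substring test (as originally written) accepts any header that happens to
     * be a fragment of the configured value and throws when the header is absent; an
     * absent or blank header is rejected here.
     *
     * @param host value of the Host header, may be null
     * @return true if the header equals one of the configured entries
     */
    private boolean isAllowedHost(String host) {
        if (host == null || host.trim().length() == 0) {
            return false;
        }
        String candidate = host.trim();
        for (int i = 0; i < allowedHosts.length; i++) {
            if (allowedHosts[i].equalsIgnoreCase(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks every parameter name and every value of every parameter.
     *
     * <p>The original checked only the first value of each parameter, so a second
     * value of a repeated parameter was never inspected.
     *
     * @param request request whose parameters are checked
     * @return true if all names and values pass {@link #checkLegal(String)}
     */
    private boolean parametersLegal(HttpServletRequest request) {
        Enumeration names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (!checkLegal(name)) {
                return false;
            }
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (int i = 0; i < values.length; i++) {
                if (!checkLegal(values[i])) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Splits the configured host list into individual entries and drops empty ones.
     *
     * <p>Assumes host.properties lists entries such as {@code 192.168.x.x:7001}
     * separated by commas, semicolons or whitespace - confirm against the deployed file.
     *
     * @param configured raw value of the {@code host} key
     * @return the non-empty entries, possibly an empty array
     */
    private static String[] splitHosts(String configured) {
        String[] raw = configured.trim().split("[,;\\s]+");
        int count = 0;
        for (int i = 0; i < raw.length; i++) {
            if (raw[i].length() > 0) {
                raw[count++] = raw[i];
            }
        }
        String[] hosts = new String[count];
        System.arraycopy(raw, 0, hosts, 0, count);
        return hosts;
    }
}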