struts 跨站点脚本漏洞2

解决方案:servlet配置过滤器
框架原来使用的过滤器是Acegi Filter Chain Proxy。
自己新添加了一个过滤器,同样过滤/*请求。
1.首先配置web.xml,添加自己的过滤器setCharacterEncoding

<!-- Filters are applied in the order of their <filter-mapping> elements below:
     the Acegi chain proxy runs first, then EncodingFilter. Both are mapped to /*,
     so every request passes through both. -->
<filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>
        org.acegisecurity.util.FilterToBeanProxy
    </filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>
            org.acegisecurity.util.FilterChainProxy
        </param-value>
    </init-param>
</filter>
<filter>  
        <filter-name>setCharacterEncoding</filter-name>  
        <filter-class>gov.mof.fasp.ifmis.common.EncodingFilter</filter-class>  
        <!-- NOTE(review): EncodingFilter.init() (see the class below) does not read
             this parameter, so despite the filter name no request encoding is set here. -->
        <init-param>  
            <param-name>encoding</param-name>  
            <param-value>utf-8</param-value>  
        </init-param>  
</filter> 
<filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>  
        <filter-name>setCharacterEncoding</filter-name>  
        <url-pattern>/*</url-pattern>  
</filter-mapping> 

2.过滤器实现,重写doFilter()方法



package gov.mof.fasp.ifmis.common;

import java.io.IOException;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.MissingResourceException;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

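/**
 * Request-screening servlet filter added in response to XSS findings from a vulnerability scan.
 *
 * <p>Every request reaching this filter is checked in two steps:
 * <ol>
 *   <li>the {@code Host} header must be present and covered by the {@code host} entry of
 *       {@code host.properties} (guards against Host-header manipulation);</li>
 *   <li>the request URL, the raw query string, and every parameter name and value must pass
 *       {@link #checkLegal(String)}, a case-insensitive substring blacklist of script/frame markup.</li>
 * </ol>
 * A request failing either step is logged and redirected to {@code <contextPath>/506.jsp}.
 *
 * <p>Maintainer notes: a fixed-substring blacklist mainly silences scanner findings; it is not a
 * complete XSS defence, and context-aware output encoding in the views remains the primary control.
 * The {@code encoding} init-param configured for this filter in web.xml is accepted but not applied
 * by this class.
 *
 * @ClassName: EncodingFilter
 */
public class EncodingFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(EncodingFilter.class.getName());

    /** Base name of the properties bundle that holds the allowed host value. */
    private static final String HOST_BUNDLE = "host";

    /** Key in {@link #HOST_BUNDLE} whose value is matched against the Host header. */
    private static final String HOST_KEY = "host";

    /** Error page, relative to the context path, shown for rejected requests. */
    private static final String ERROR_PAGE = "/506.jsp";

    /**
     * Lower-case substrings whose presence marks a value as illegal. Percent-encoded forms are
     * listed separately because the URL and query string are checked before container decoding.
     * The set is kept identical to the original checks so existing behaviour is unchanged.
     */
    private static final String[] ILLEGAL_TOKENS = {
        "<script>", "%3cscript%3e",
        "</script>", "%3c%2fscript%3e",
        "<frame>", "%3cframe%3e",
        "</frame>", "%3c%2fframe%3e",
        "<iframe>", "%3ciframe%3e",
        "</iframe>", "%3c%2fiframe",
        "<a href", "%3ca%20href",
        "alert(",
        "eval(",
        // Also rejects the plain word in benign content; kept for compatibility with the original.
        "redirect"
    };

    /** Value of host.properties#host, loaded once by {@link #init(FilterConfig)}. */
    private String allowedHosts;

    /**
     * Nothing to release: the filter holds no resources beyond the configured host string.
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy() {
    }

    /**
     * Screens the request and either rejects it (redirect to the error page) or passes it on.
     *
     * <p>All checks are applied regardless of HTTP method. The original code skipped the URL and
     * query-string checks for non-GET requests and, for those, inspected only the first value of
     * each parameter; both gaps are closed here.
     *
     * @param servletRequest the incoming request (expected to be an {@link HttpServletRequest})
     * @param servletResponse the response (expected to be an {@link HttpServletResponse})
     * @param filterChain the remaining chain, invoked only for legal requests
     * @throws IOException if the redirect or the downstream chain fails with I/O
     * @throws ServletException if the downstream chain fails
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Host first so a spoofed-host request is rejected before any parameter parsing.
        boolean legal = isHostAllowed(request.getHeader("host"))
                && checkLegal(request.getRequestURL().toString())
                && checkLegal(request.getQueryString())
                && parametersLegal(request.getParameterMap());

        if (!legal) {
            // Record who was blocked and where; the query string is deliberately left out of the log.
            LOG.log(Level.WARNING, "======访问地址发现非法字符,已拦截====== remote={0} method={1} uri={2}",
                    new Object[] {request.getRemoteAddr(), request.getMethod(), request.getRequestURI()});
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }

        filterChain.doFilter(request, response);
    }

    /**
     * Loads the allowed host value once at deployment so a missing configuration fails fast
     * instead of producing a 500 on the first request.
     *
     * @param filterConfig filter configuration; its {@code encoding} init-param is not read
     * @throws ServletException if {@code host.properties} or its {@code host} key is missing
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            allowedHosts = ResourceBundle.getBundle(HOST_BUNDLE).getString(HOST_KEY);
        } catch (MissingResourceException e) {
            throw new ServletException(
                    "EncodingFilter requires host.properties with key '" + HOST_KEY + "'", e);
        }
    }

    /**
     * Returns whether the Host header is covered by the configured value.
     *
     * <p>A missing header is rejected (the original {@code indexOf(null)} threw a
     * NullPointerException). The comparison is the original substring test on the configured
     * text, so a Host header that is merely a fragment of that text also passes; an exact match
     * against a delimited list is preferable once the host.properties format is fixed.
     *
     * @param host value of the {@code Host} request header, possibly {@code null}
     * @return {@code true} if the header is present and found in the configured value
     */
    private boolean isHostAllowed(String host) {
        if (host == null) {
            return false;
        }
        String allowed = allowedHosts;
        if (allowed == null) {
            // init() has not run (e.g. direct instantiation): fall back to the original per-request lookup.
            allowed = ResourceBundle.getBundle(HOST_BUNDLE).getString(HOST_KEY);
        }
        return allowed.indexOf(host) >= 0;
    }

    /**
     * Checks every parameter name and every value of each parameter.
     *
     * <p>Values are already URL-decoded by the container, so the plain (non-encoded) tokens apply.
     *
     * @param parameterMap {@code String -> String[]} map as returned by
     *        {@link HttpServletRequest#getParameterMap()}; {@code null} or empty is legal
     * @return {@code false} as soon as one name or value fails {@link #checkLegal(String)}
     */
    private boolean parametersLegal(Map parameterMap) {
        if (parameterMap == null || parameterMap.isEmpty()) {
            return true;
        }
        for (Iterator it = parameterMap.entrySet().iterator(); it.hasNext();) {
            Map.Entry entry = (Map.Entry) it.next();
            if (!checkLegal((String) entry.getKey())) {
                return false;
            }
            String[] values = (String[]) entry.getValue();
            if (values == null) {
                continue;
            }
            for (int i = 0; i < values.length; i++) {
                if (!checkLegal(values[i])) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns {@code true} when {@code tmpStr} contains none of the blacklisted substrings
     * (case-insensitive); {@code null}, empty and whitespace-only input is legal.
     *
     * @param tmpStr the value to check; may be {@code null}
     * @return {@code false} if a blacklisted substring is present, otherwise {@code true}
     */
    public boolean checkLegal(String tmpStr) {
        if (tmpStr == null || tmpStr.trim().length() == 0) {
            return true;
        }
        // Lower-case once with a fixed locale: the default locale can map "I" to a dotless
        // character, which would let an upper-case "<SCRIPT>" slip past the check.
        String lower = tmpStr.toLowerCase(Locale.ENGLISH);
        for (int i = 0; i < ILLEGAL_TOKENS.length; i++) {
            if (lower.indexOf(ILLEGAL_TOKENS[i]) >= 0) {
                return false;
            }
        }
        return true;
    }
}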


转载自blog.csdn.net/waei08/article/details/78685797