Database connection pool: Druid WallFilter configuration

Using the default WallFilter configuration

<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
    ...
    <property name="filters" value="wall"/>
</bean>
Using WallFilter together with other Filters

WallFilter can be combined with other Filters, for example:

<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
    ...
    <property name="filters" value="wall,stat"/>
</bean>

With the order "wall,stat", the time WallFilter spends checking a statement is not included in the SQL execution time counted by StatFilter.

If you want WallFilter's checking time to be counted in the SQL execution time measured by StatFilter, use the following configuration:

<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
    ...
    <property name="filters" value="stat,wall"/>
</bean>

Specifying dbType

Sometimes an application framework supplies its own JDBC proxy driver, which prevents DruidDataSource from correctly identifying the database type. In that case the type has to be specified explicitly, as follows:

<bean id="wall-filter" class="com.alibaba.druid.wall.WallFilter">
    <property name="dbType" value="mysql" />
</bean>

<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
    ...
    <property name="proxyFilters">
        <list>
            <ref bean="wall-filter"/>
        </list>
    </property>
</bean>


Specifying the directory the configuration is loaded from

By default the configuration directory depends on the database type:

database type | directory
mysql         | META-INF/druid/wall/mysql
oracle        | META-INF/druid/wall/oracle
sqlserver     | META-INF/druid/wall/sqlserver
postgres      | META-INF/druid/wall/postgres

The configuration is read from the following files in that directory:

deny-variant.txt
deny-schema.txt
deny-function.txt
deny-table.txt
deny-object.txt

The directory the configuration is loaded from can also be set explicitly, for example:

<bean id="wall-filter-config" class="com.alibaba.druid.wall.WallConfig" init-method="init">
    <!-- directory the configuration is loaded from -->
    <property name="dir" value="META-INF/druid/wall/mysql" />
</bean>

<bean id="wall-filter" class="com.alibaba.druid.wall.WallFilter">
    <property name="dbType" value="mysql" />
    <property name="config" ref="wall-filter-config" />
</bean>

<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close">
    ...
    <property name="proxyFilters">
        <list>
            <ref bean="wall-filter"/>
        </list>
    </property>
</bean>

WallConfig in detail

The default value of the dir configuration item depends on dbType:

mysql     : META-INF/druid/wall/mysql
oracle    : META-INF/druid/wall/oracle
sqlserver : META-INF/druid/wall/sqlserver

Interception configuration - statements

Configuration item | Default | Description
selectAllow | true | Whether SELECT statements may be executed
selectAllColumnAllow | true | Whether statements such as SELECT * FROM T may be executed. If false, select * from t is not allowed, but select * from (select id, name from t) a is. This option defends against programs that obtain table structure information by calling select *.
selectIntoAllow | true | Whether the INTO clause is allowed in a SELECT query
deleteAllow | true | Whether DELETE statements may be executed
updateAllow | true | Whether UPDATE statements may be executed
insertAllow | true | Whether INSERT statements may be executed
replaceAllow | true | Whether REPLACE statements may be executed
mergeAllow | true | Whether MERGE statements may be executed; only meaningful on Oracle
callAllow | true | Whether stored procedures may be invoked through the JDBC call syntax
setAllow | true | Whether the SET syntax may be used
truncateAllow | true | TRUNCATE is dangerous; it is allowed by default, so disable it yourself if you need to
createTableAllow | true | Whether creating a table is allowed
alterTableAllow | true | Whether ALTER TABLE statements may be executed
dropTableAllow | true | Whether DROP TABLE statements may be executed
commentAllow | false | Whether comments are allowed in a statement. Oracle users need not worry: Wall can tell hints from comments
noneBaseStatementAllow | false | Whether statements other than the basic statements above are allowed; off by default. This option can be used to block DDL.
multiStatementAllow | false | Whether several statements may be executed at once; off by default
useAllow | true | Whether the MySQL USE statement may be executed; on by default
describeAllow | true | Whether the MySQL DESCRIBE statement may be executed; on by default
showAllow | true | Whether the MySQL SHOW statement may be executed; on by default
commitAllow | true | Whether the commit operation is allowed
rollbackAllow | true | Whether the rollback operation is allowed

If selectIntoAllow, deleteAllow, updateAllow, insertAllow and mergeAllow are all set to false, the data source is read-only.

Interception configuration - always-true conditions

Configuration item | Default | Description
selectWhereAlwayTrueCheck | true | Check whether the WHERE clause of a SELECT statement is an always-true condition
selectHavingAlwayTrueCheck | true | Check whether the HAVING clause of a SELECT statement is an always-true condition
deleteWhereAlwayTrueCheck | true | Check whether the WHERE clause of a DELETE statement is an always-true condition
deleteWhereNoneCheck | false | Check whether a DELETE statement has no WHERE condition; this is risky, but not a SQL-injection kind of risk
updateWhereAlayTrueCheck | true | Check whether the WHERE clause of an UPDATE statement is an always-true condition
updateWhereNoneCheck | false | Check whether an UPDATE statement has no WHERE condition; this is risky, but not a SQL-injection kind of risk
conditionAndAlwayTrueAllow | false | Whether the query condition (WHERE/HAVING clause) may contain an AND always-true condition
conditionAndAlwayFalseAllow | false | Whether the query condition (WHERE/HAVING clause) may contain an AND always-false condition
conditionLikeTrueAllow | true | Whether the query condition (WHERE/HAVING clause) may contain a LIKE always-true condition
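As an added example (not from the Druid documentation or the project's own samples), the following Java program builds the read-only WallConfig described under the statement table above and runs a few constructed statements through Druid's MySqlWallProvider directly, so the effect of those five switches, and of selectWhereAlwayTrueCheck from the always-true table, can be seen without a database or a DruidDataSource. The class and method names (ReadOnlyWallDemo, readOnlyConfig, report) and the sample statements are assumptions of this example; the API calls (WallConfig, MySqlWallProvider, WallProvider.check, WallCheckResult.getViolations) are Druid's.

```java
import java.util.List;

import com.alibaba.druid.wall.Violation;
import com.alibaba.druid.wall.WallCheckResult;
import com.alibaba.druid.wall.WallConfig;
import com.alibaba.druid.wall.WallProvider;
import com.alibaba.druid.wall.spi.MySqlWallProvider;

/**
 * Added example: checks constructed statements against a read-only WallConfig
 * using the MySQL WallProvider, the same component WallFilter uses internally.
 */
public class ReadOnlyWallDemo {

    /** The read-only configuration from the text: the five "Allow" switches set to false. */
    static WallConfig readOnlyConfig() {
        // Load the default MySQL rule directory (deny-table.txt etc.) from the druid jar.
        WallConfig config = new WallConfig("META-INF/druid/wall/mysql");
        config.setSelectIntoAllow(false);
        config.setDeleteAllow(false);
        config.setUpdateAllow(false);
        config.setInsertAllow(false);
        config.setMergeAllow(false);
        // selectWhereAlwayTrueCheck keeps its default (true), so an always-true
        // WHERE clause in a SELECT is still reported.
        return config;
    }

    /** Runs one statement through the provider and prints the violations it reports. */
    static void report(WallProvider provider, String sql) {
        WallCheckResult result = provider.check(sql);
        List<Violation> violations = result.getViolations();
        if (violations.isEmpty()) {
            System.out.println("ALLOWED : " + sql);
            return;
        }
        for (Violation v : violations) {
            System.out.println("BLOCKED : " + sql + "  -> " + v.getMessage());
        }
    }

    public static void main(String[] args) {
        WallProvider provider = new MySqlWallProvider(readOnlyConfig());

        // Constructed sample statements (hypothetical "users" table).
        report(provider, "SELECT id, name FROM users WHERE id = ?");            // allowed
        report(provider, "UPDATE users SET name = 'x' WHERE id = 1");           // updateAllow=false
        report(provider, "DELETE FROM users WHERE id = 1");                     // deleteAllow=false
        report(provider, "INSERT INTO users (id, name) VALUES (1, 'x')");       // insertAllow=false
        report(provider, "SELECT id FROM users WHERE id = 1 OR 1 = 1");         // selectWhereAlwayTrueCheck
    }
}
```

Checking statements through the provider like this is a convenient way to unit-test a WallConfig before wiring it into a data source: the violations returned are the same ones WallFilter would log (logViolation) or turn into a SQLException (throwException).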

 

Other interception configuration

Configuration item | Default | Description
selectIntoOutfileAllow | false | Whether SELECT ... INTO OUTFILE is allowed; this is a common MySQL injection technique and is forbidden by default
selectUnionCheck | true | Detect SELECT UNION
selectMinusCheck | true | Detect SELECT MINUS
selectExceptCheck | true | Detect SELECT EXCEPT
selectIntersectCheck | true | Detect SELECT INTERSECT
mustParameterized | false | Whether parameterization is required. If true, non-parameterized SQL such as WHERE ID = 1 is not allowed.
strictSyntaxCheck | true | Whether to perform strict syntax checking. Druid SQL Parser cannot cover every SQL syntax; where parsing a statement fails, you can temporarily set this option to false while reporting the SQL to the Druid developers.
conditionOpXorAllow | false | Whether XOR is allowed in a query condition. XOR is uncommon and it is hard to decide whether it is always true or always false, so it is not allowed by default.
conditionOpBitwseAllow | true | Whether the "&", "~", "|" and "^" operators are allowed in a query condition
conditionDoubleConstAllow | false | Whether two consecutive constant expressions are allowed in a query condition
minusAllow | true | Whether statements such as SELECT * FROM A MINUS SELECT * FROM B are allowed
intersectAllow | true | Whether statements such as SELECT * FROM A INTERSECT SELECT * FROM B are allowed
constArithmeticAllow | true | Controls conditions that contain constant arithmetic, such as WHERE FID = 3 - 1, where "3 - 1" is a constant arithmetic expression
limitZeroAllow | false | Whether statements such as LIMIT 0 are allowed

Denied-object detection configuration

Configuration item | Default | Description
tableCheck | true | Detect whether a denied table is used
schemaCheck | true | Detect whether a denied schema is used
functionCheck | true | Detect whether a denied function is used
objectCheck | true | Detect whether a denied object is used
variantCheck | true | Detect whether a denied variable is used
readOnlyTables | (empty) | The listed tables are read-only and must not appear as the modified table in SELECT INTO, DELETE, UPDATE, INSERT or MERGE

JDBC-related configuration

Configuration item | Default | Description
metadataAllow | true | Whether calling Connection.getMetaData is allowed. This call exposes the database's table information.
wrapAllow | true | Whether calling the isWrapperFor and unwrap methods of Connection/Statement/ResultSet is allowed. These two calls make it possible to obtain the native driver object and execute SQL directly, bypassing WallFilter's checks.

WallFilter configuration

Configuration item | Default | Description
logViolation | false | Output LOG.error for SQL judged to be an attack
throwException | true | Throw SQLException for SQL judged to be an attack
config | | provider

When WallFilter is first introduced, set logViolation to true and throwException to false: violations are then logged for review without affecting business operations.
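As an added example (not from the Druid documentation or the project's own samples), this Java class builds the observe-only WallFilter just described, logViolation=true and throwException=false, and wires it into a DruidDataSource through proxyFilters, the programmatic counterpart of the Spring XML above. The class and method names (WallObserveOnlyDataSource, observeOnlyWallFilter, build) and the placeholder JDBC URL and credentials are assumptions of this example; the setters (WallFilter.setLogViolation, setThrowException, setDbType, setConfig, DruidDataSource.setProxyFilters) are Druid's.

```java
import java.sql.SQLException;
import java.util.Collections;

import com.alibaba.druid.filter.Filter;
import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.druid.wall.WallConfig;
import com.alibaba.druid.wall.WallFilter;

/**
 * Added example: WallFilter in observe-only mode. Statements judged to be
 * attacks are reported through LOG.error but are still executed, so the
 * rules can be tuned before enforcement is switched on.
 */
public class WallObserveOnlyDataSource {

    /** Builds the WallFilter with logViolation=true and throwException=false. */
    public static WallFilter observeOnlyWallFilter() {
        // Default MySQL rule directory from the druid jar (deny-*.txt files).
        WallConfig config = new WallConfig("META-INF/druid/wall/mysql");

        WallFilter wall = new WallFilter();
        wall.setDbType("mysql");        // set explicitly, as with a proxy JDBC driver
        wall.setConfig(config);
        wall.setLogViolation(true);     // LOG.error for SQL judged to be an attack
        wall.setThrowException(false);  // do not raise SQLException during the observation period
        return wall;
    }

    /** Wires the filter into a DruidDataSource; url, user and password come from the caller. */
    public static DruidDataSource build(String url, String user, String password) throws SQLException {
        DruidDataSource ds = new DruidDataSource();
        ds.setUrl(url);
        ds.setUsername(user);
        ds.setPassword(password);
        ds.setProxyFilters(Collections.<Filter>singletonList(observeOnlyWallFilter()));
        ds.init();
        return ds;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection settings (assumption: a local MySQL instance named "app").
        DruidDataSource ds = build("jdbc:mysql://localhost:3306/app", "app", "CHANGE_ME");
        try {
            ds.getConnection().close(); // first checkout confirms the filter chain initialised
        } finally {
            ds.close();
        }
    }
}
```

Once the LOG.error entries have been reviewed and any false positives resolved (for example by adjusting the WallConfig or the deny files), switch throwException back to true so that violating statements are rejected rather than only logged.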

 
