Spring Boot from beginner to advanced tutorial series - integrating and configuring Freemarker


Step 1. Configure the basic Freemarker settings in application.properties. For how the property file itself is set up, refer to the first tutorial of the series [Spring Boot from beginner to advanced tutorial series - starting external Tomcat in multiple modes, encrypting and decrypting configuration data].

Core Configuration

########################################################
### freemarker
########################################################
spring.freemarker.allow-request-override=false
spring.freemarker.cache=true
spring.freemarker.check-template-location=true
spring.freemarker.charset=UTF-8
spring.freemarker.content-type=text/html
spring.freemarker.expose-request-attributes=false
spring.freemarker.expose-session-attributes=false
spring.freemarker.expose-spring-macro-helpers=false
spring.freemarker.suffix=.ftl
spring.freemarker.template-loader-path=/WEB-INF/ftl/


Step 2. Prepare the implementation class for the role-permission check tag that we use in the Freemarker template pages.

The expected behaviour: if the current user holds the USER1 or USER2 role, the HTML content inside the tag is displayed; otherwise nothing is output.

<@hasRole role="USER1,USER2">
<a href="#">我拥有USER1或者USER2角色权限</a>
</@hasRole>

The directive class behind the tag:

import freemarker.core.Environment;
import freemarker.template.TemplateDirectiveBody;
import freemarker.template.TemplateDirectiveModel;
import freemarker.template.TemplateException;
import freemarker.template.TemplateModel;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

import java.io.IOException;
import java.util.Map;

@Component
public class HasRoleTag implements TemplateDirectiveModel {

    @Override
    public void execute(Environment env, Map params, TemplateModel[] loopVars, TemplateDirectiveBody directiveBody)
            throws TemplateException, IOException {
        Object role = params.get("role");
        if (StringUtils.isEmpty(role)) {
            throw new TemplateException("参数[role]不能为空", env);
        }
        if (hasRole(role)) {
            // the user holds one of the listed roles: render the tag body
            directiveBody.render(env.getOut());
        } else {
            // otherwise output nothing
            env.getOut().write("");
        }
    }

    private boolean hasRole(Object role) {
        // the role attribute may list several roles separated by commas; any match is enough
        String[] roles = role.toString().split(",");
        for (String checkRole : roles) {
            // TODO: check whether the current user's session holds checkRole and return true if it does
        }
        return false;
    }

}
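The directive can be exercised outside a web application. The following is an added example, not code from the original post: it registers an equivalent hasRole directive in an in-memory FreeMarker Configuration and renders the tag for a user with and without a matching role. The user's roles come from a static set here, which is an assumption standing in for the session lookup left as a TODO above.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.TemplateDirectiveModel;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class HasRoleDirectiveDemo {
    // Assumption: roles of the current user; a real app would read them from the session
    static final Set<String> CURRENT_USER_ROLES = new HashSet<>(Arrays.asList("USER2"));

    // Same contract as HasRoleTag: render the body only if the user holds one of the listed roles
    static final TemplateDirectiveModel HAS_ROLE = (env, params, loopVars, body) -> {
        Object role = params.get("role");
        if (role == null || role.toString().trim().isEmpty()) {
            throw new TemplateException("parameter [role] must not be empty", env);
        }
        for (String checkRole : role.toString().split(",")) {
            if (CURRENT_USER_ROLES.contains(checkRole.trim())) {
                body.render(env.getOut());   // allowed: emit the tag body once
                return;
            }
        }
        // no matching role: emit nothing
    };

    // Render a template string with the directive registered as the shared variable "hasRole"
    static String render(String templateText) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("page", templateText);
        cfg.setTemplateLoader(loader);
        cfg.setSharedVariable("hasRole", HAS_ROLE);
        StringWriter out = new StringWriter();
        cfg.getTemplate("page").process(Collections.emptyMap(), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String tpl = "<@hasRole role=\"USER1,USER2\"><a href=\"#\">link for USER1 or USER2</a></@hasRole>";
        System.out.println("with USER2:    [" + render(tpl) + "]");
        CURRENT_USER_ROLES.clear();
        System.out.println("without roles: [" + render(tpl) + "]");
    }
}
```

The first render contains the link; the second render is empty, which is the behaviour the tag relies on to hide privileged markup.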

Step 3. Why do we need to guard against XSS attacks? The data stored in our database frequently contains XSS scripts. When a back-office administrator or an ordinary user views a page containing such data, the script executes and produces malicious effects: it can steal the user's session cookie (the sessionid), deface the page, pop up dialogs endlessly, or, even worse, redirect the user to a phishing site. This is a serious threat to both the security of user data and the user experience.

XSS works mainly by executing JS scripts in the page, so the most conventional defence is to escape the data we need to display; this prevents up to 90 percent of script attacks.

For example, suppose the variable content holds a value read from the database such as: I am the heading content, have you eaten today? <script>alert("I am XSS script");</script>. Inside the escape block every interpolation is HTML-escaped, so the script is rendered as harmless text instead of being executed:

<#escape x as x?html>
${content}
</#escape>

However, if every piece of data shown on a page has to be wrapped individually, we end up writing a lot of redundant code. Instead we can escape globally by wrapping every template in the escape tag at load time; the code is as follows. Note that the wrapper is prepended to the raw template text, so a template that starts with a <#ftl> header will no longer parse, and any section that intentionally outputs HTML must be enclosed in <#noescape>.

import freemarker.cache.TemplateLoader;
import org.apache.commons.io.IOUtils;

import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

public class HtmlTemplateLoader implements TemplateLoader {

    // every template is wrapped in these tags so that each ${...} is HTML-escaped
    private static final String HTML_ESCAPE_PREFIX = "<#escape x as x?html>";
    private static final String HTML_ESCAPE_SUFFIX = "</#escape>";

    // the real loader (file system, classpath, ...) that we decorate
    private final TemplateLoader delegate;

    public HtmlTemplateLoader(TemplateLoader delegate) {
        this.delegate = delegate;
    }

    @Override
    public Object findTemplateSource(String name) throws IOException {
        return delegate.findTemplateSource(name);
    }

    @Override
    public long getLastModified(Object templateSource) {
        return delegate.getLastModified(templateSource);
    }

    @Override
    public Reader getReader(Object templateSource, String encoding) throws IOException {
        // read the original template text and hand FreeMarker the wrapped version instead
        try (Reader reader = delegate.getReader(templateSource, encoding)) {
            String templateText = IOUtils.toString(reader);
            return new StringReader(HTML_ESCAPE_PREFIX + templateText + HTML_ESCAPE_SUFFIX);
        }
    }

    @Override
    public void closeTemplateSource(Object templateSource) throws IOException {
        delegate.closeTemplateSource(templateSource);
    }

}


Step 4. Now we initialise the Freemarker configuration and register the two classes written above: the escaping template loader and the hasRole directive.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;

import javax.annotation.PostConstruct;
import java.util.Locale;

@Configuration
public class FreeMarkerConfig {

    @Autowired(required = false)
    private freemarker.template.Configuration configuration;
    @Autowired(required = false)
    private HasRoleTag hasRoleTag;

    @PostConstruct
    public void setSharedVariable() {
        // data escaping: decorate the existing loader so every template is wrapped in <#escape>
        configuration.setTemplateLoader(new HtmlTemplateLoader(configuration.getTemplateLoader()));
        // basic settings
        configuration.setNumberFormat("#.####");
        configuration.setDateFormat("yyyy-MM-dd");
        configuration.setDateTimeFormat("yyyy-MM-dd HH:mm:ss");
        configuration.setLocale(new Locale("zh", "CN"));
        // register the custom directive under the name used in templates: <@hasRole ...>
        configuration.setSharedVariable("hasRole", hasRoleTag);
    }

}
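As an added example (not part of the original post), the following program shows the effect of the wrapper that HtmlTemplateLoader applies in Step 3 and Step 4: it wraps a template string in the same prefix and suffix, renders a constructed script payload through ${content}, and shows how a <#noescape> block exempts already-sanitized rich text. The template text and sample values are constructed for the demonstration.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class GlobalEscapeDemo {

    // Same wrapper text that HtmlTemplateLoader prepends and appends to every template
    static final String HTML_ESCAPE_PREFIX = "<#escape x as x?html>";
    static final String HTML_ESCAPE_SUFFIX = "</#escape>";

    // Wrap the template exactly as the loader does, then render it with the given model
    static String renderWrapped(String templateText, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("page", HTML_ESCAPE_PREFIX + templateText + HTML_ESCAPE_SUFFIX);
        cfg.setTemplateLoader(loader);
        StringWriter out = new StringWriter();
        cfg.getTemplate("page").process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = new HashMap<>();
        // Constructed sample values standing in for rows read from the database
        model.put("content", "<script>alert(\"I am XSS script\");</script>");
        model.put("richText", "<b>already sanitized markup</b>");

        // Every ${...} inside the wrapper is HTML-escaped, so the script reaches the browser as text
        System.out.println(renderWrapped("<p>${content!''}</p>", model));

        // Rich text that must keep its markup is exempted with <#noescape>; do this only for
        // data that has already been sanitized, otherwise the global protection is bypassed
        System.out.println(renderWrapped("<div><#noescape>${richText}</#noescape></div>", model));
    }
}
```

The first line printed shows the angle brackets and quotes of the payload replaced by HTML entities; the second shows the <b> tag passed through unchanged.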

Summary: with the global escape wrapper in place, pages need no extra code; the usual ${model.content!''} outputs the data already escaped. Some will ask how to handle rich-text data, which is one case where the value must not be escaped; we will cover the safe handling of rich text in a follow-up article.


Origin www.cnblogs.com/liyanyan665/p/11257599.html