Java 防止XSS攻击(Spring boot Spring 方式)
2024-04-24 04:28:07
以下方式的pom依赖都基于hutool
<dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>5.3.7</version></dependency>
——SpringBoot
注解方式
- 过滤器
package com.xlj.xssdemo.filter;import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {@Overridepublic void init(FilterConfig filterConfig) {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {//使用包装器XssFilterWrapper xssFilterWrapper = new XssFilterWrapper((HttpServletRequest) servletRequest);filterChain.doFilter(xssFilterWrapper, servletResponse);}@Overridepublic void destroy() {}
}
- 包装器(真正过滤逻辑)
package com.xlj.xssdemo.filter;import cn.hutool.core.util.EscapeUtil;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;public class XssFilterWrapper extends HttpServletRequestWrapper {public XssFilterWrapper(HttpServletRequest request) {super(request);}@Overridepublic String getHeader(String name) {return EscapeUtil.escape(super.getHeader(name));}@Overridepublic String getQueryString() {return EscapeUtil.escape(super.getQueryString());}@Overridepublic String getParameter(String name) {return EscapeUtil.escape(super.getParameter(name));}@Overridepublic String[] getParameterValues(String name) {String[] values = super.getParameterValues(name);if(values != null) {int length = values.length;String[] escapseValues = new String[length];for(int i = 0; i < length; i++){escapseValues[i] = EscapeUtil.escape(values[i]);}return escapseValues;}return super.getParameterValues(name);}
}
- 启动类添加注解
package com.xlj.xssdemo;import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;@SpringBootApplication
@ServletComponentScan(basePackages = "com.xlj.xssdemo.filter")
public class XssdemoApplication {public static void main(String[] args) {SpringApplication.run(XssdemoApplication.class, args);}
}
配置类方式
- application.properties 开启xss配置
# XSS配置
xss.enabled=true
# 不过滤路径, 以逗号分割
xss.excludes=/open/*
# 过滤路径, 逗号分割
xss.urlPatterns=/*
- 过滤器配置
import cn.hutool.core.util.StrUtil;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.DispatcherType;
import java.util.HashMap;
import java.util.Map;@Configuration
public class XssFilterConfig {@Value("${xss.enabled}")private String enabled;@Value("${xss.excludes}")private String excludes;@Value("${xss.urlPatterns}")private String urlPatterns;@SuppressWarnings({"rawtypes", "unchecked"})@Beanpublic FilterRegistrationBean xssFilterRegistration() {FilterRegistrationBean registration = new FilterRegistrationBean();registration.setDispatcherTypes(DispatcherType.REQUEST);registration.setFilter(new XssFilter());//添加过滤路径registration.addUrlPatterns(StrUtil.split(urlPatterns, ","));registration.setName("xssFilter");registration.setOrder(Integer.MAX_VALUE);//设置初始化参数Map<String, String> initParameters = new HashMap<>();initParameters.put("excludes", excludes);initParameters.put("enabled", enabled);registration.setInitParameters(initParameters);return registration;}
}
- 防止XSS攻击的过滤器
package com.xlj.xssdemo.filter;import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;public class XssFilter implements Filter {@Overridepublic void init(FilterConfig filterConfig) {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {//使用包装器XssFilterWrapper xssFilterWrapper = new XssFilterWrapper((HttpServletRequest) servletRequest);filterChain.doFilter(xssFilterWrapper, servletResponse);}@Overridepublic void destroy() {}
}
- XSS过滤处理
package com.xlj.xssdemo.filter;import cn.hutool.core.util.EscapeUtil;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;public class XssFilterWrapper extends HttpServletRequestWrapper {public XssFilterWrapper(HttpServletRequest request) {super(request);}@Overridepublic String getHeader(String name) {return EscapeUtil.escape(super.getHeader(name));}@Overridepublic String getQueryString() {return EscapeUtil.escape(super.getQueryString());}@Overridepublic String getParameter(String name) {return EscapeUtil.escape(super.getParameter(name));}@Overridepublic String[] getParameterValues(String name) {String[] values = super.getParameterValues(name);if(values != null) {int length = values.length;String[] escapseValues = new String[length];for(int i = 0; i < length; i++){escapseValues[i] = EscapeUtil.escape(values[i]);}return escapseValues;}return super.getParameterValues(name);}
}
——Spring
- 添加的 pom 依赖
<dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>5.3.7</version></dependency>
- web.xml开启过滤配置
<!-- 解决xss漏洞 --><filter><filter-name>xssFilter</filter-name><filter-class>XXX.XssFilter</filter-class></filter><!-- 解决xss漏洞 --><filter-mapping><filter-name>xssFilter</filter-name><url-pattern>*</url-pattern></filter-mapping>
- 防止XSS攻击的过滤器
package com.ctrip.hotel.octopus.pdp.web.filter;import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;public class XssFilter implements Filter {@Overridepublic void init(FilterConfig filterConfig) {}@Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {//使用包装器XssFilterWrapper xssFilterWrapper = new XssFilterWrapper((HttpServletRequest) servletRequest);filterChain.doFilter(xssFilterWrapper, servletResponse);}@Overridepublic void destroy() {}
}- XSS过滤处理
package com.ctrip.hotel.octopus.pdp.web.filter;import com.ctrip.vul.VulDef;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;public class XssFilterWrapper extends HttpServletRequestWrapper {public XssFilterWrapper(HttpServletRequest request) {super(request);}@Overridepublic String getHeader(String name) {return EscapeUtil.escape(super.getHeader(name));}@Overridepublic String getQueryString() {return EscapeUtil.escape(super.getQueryString());}@Overridepublic String getParameter(String name) {return EscapeUtil.escape(super.getParameter(name));}@Overridepublic String[] getParameterValues(String name) {String[] values = super.getParameterValues(name);if(values != null) {int length = values.length;String[] escapseValues = new String[length];for(int i = 0; i < length; i++){escapseValues[i] = EscapeUtil.escape(values[i]);}return escapseValues;}return super.getParameterValues(name);}
}Java 防止XSS攻击(Spring boot Spring 方式)相关推荐
- java byte 图片浏览器直接显示_以Spring Boot的方式显示图片或下载文件到浏览器的示例代码...
以Java web的方式显示图片到浏览器以Java web的方式下载服务器文件到浏览器 以Spring Boot的方式显示图片或下载文件到浏览器 请求例子:http://localhost:8080/ ...
- 基于 java Swing 客户端 和 Spring Boot/Spring Cloud Alibaba 后台管理系统
基于 java Swing 客户端 和 Spring Boot/Spring Cloud & Alibaba 后台管理系统 基于 java Swing 客户端 和 Spring Boot/Sp ...
- Spring Boot+Spring Security+JWT 实现token验证
Spring Boot+Spring Security+JWT 实现token验证 什么是JWT? JWT的工作流程 JWT的主要应用场景 JWT的结构 SpringBoot+Spring Secur ...
- Spring Boot Spring MVC 异常处理的N种方法 1
github:https://github.com/chanjarste... 参考文档: Spring Boot 1.5.4.RELEASE Documentation Spring framewo ...
- Spring Boot+Spring Cloud实现itoken项目
itoken项目简介 开发环境 操作系统: Windows 10 Enterprise 开发工具: Intellij IDEA 数据库: MySql 5.7.22 Java SDK: Oracle J ...
- spring boot + spring mvc 原理解析
前言:spring mvc 是当前最为流行的一种java WEB 框架.在还没有spring boot以前,通常搭配tomcat等容器进行web项目的开发.而现在spring全家桶越来越完善.慢慢脱离 ...
- Spring - Spring Boot Spring Cloud
Spring -> Spring Boot > Spring Cloud 这几天刚刚上班,公司用的是Spring Cloud,接触不多.我得赶快学起来. 想学习就必须得知道什么是微服务,什 ...
- Distributed transactions with multiple databases, Spring Boot, Spring Data JPA and Atomikos
2019独角兽企业重金招聘Python工程师标准>>> A couple of weeks ago I was evaluating the possibility to use S ...
- Spring Boot + Spring Data + Elasticsearch实例
在本文中,我们将讨论"如何创建Spring Boot + Spring Data + Elasticsearch范例". 本文中使用的工具: Spring Boot 1.5.1.R ...
- Spring Boot Spring MVC 异常处理的N种方法
默认行为 根据Spring Boot官方文档的说法: For machine clients it will produce a JSON response with details of the e ...
最新文章
- 我用python10年后,我发现学python必看这三本书!
- 在Linux/Centos下用wondershaper限速
- WebView退出时停止视频播放
- java 线程加载类_java JVM-线程上下类加载器
- 在活动完成之后的格式工厂下载
- php 保护连接字符串,PHP OOP更新扩展类__construct上的受保护字符串
- 浏览器与WEB服务器交互
- C# 0xC0000005 捕获
- 双系统下Mac可以这样卸载windows系统
- es6基础(4)--字符串扩展
- Eclipse Package Explorer视图无法打开
- 管理感悟:不要问没经过思考的问题
- s7200cpu224xp手册_西门子S7-200 CPU224XP
- monk_notebook (交际德语教程 第二版 学生用书)
- springboot实现简单的单点登录
- 4g模块Linux拨号ppp脚本,在ARM-linux上实现4G模块PPP拨号上网【转】
- 革新OCR结构化技术应用,揭秘百度中英文OCR结构化模型StrucTexT预训练模型
- 华为手环B2鸿蒙,【华为手环B2】运动全能冠军(附《GIF版手势操作秘籍》)
- 微信小程序|使用小程序制作一个足球拼图小游戏
- 基于ESP32的SPI读取MPU9250数据