最近要做安全漏洞检查，写个备忘。
过滤 .json 和 .html 后缀的 URL。
package com.wh.tms.service.impl;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.stereotype.Component;
import com.alibaba.fastjson.JSONObject;
import com.wh.tms.constans.SystemCons;
import com.wh.tms.dao.sys.IMenuDAO;
import com.wh.tms.dao.sys.IRoleDAO;
import com.wh.tms.dao.sys.IRoleMenuDAO;
import com.wh.tms.dao.sys.IUserRoleDAO;
import com.wh.tms.entity.po.Menu;
import com.wh.tms.entity.po.Role;
import com.wh.tms.entity.po.RoleMenu;
import com.wh.tms.entity.po.User;
import com.wh.tms.entity.po.UserRole;
import tk.mybatis.mapper.entity.Example;
//@Component
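/**
 * Servlet filter enforcing role-based access to the {@code *.json} / {@code *.html} URLs
 * it is mapped to.
 *
 * <p>On {@link #init(FilterConfig)} it builds, per role id, the set of permission URLs
 * granted through that role's menus. On every request it lets a short list of public
 * paths through, redirects unauthenticated requests to the login page, and otherwise
 * answers with a JSON denial body unless the user's role grants the requested URL.
 *
 * <p>Maintainer notes:
 * <ul>
 *   <li>The permission cache is filled once in {@code init}; role or menu changes made
 *       afterwards are not seen until the filter is re-initialised (restart).</li>
 *   <li>Only the user's first {@code UserRole} row is consulted, as in the original
 *       implementation.</li>
 *   <li>The DAOs come from a private {@link ClassPathXmlApplicationContext} because
 *       {@code @Autowired} injection did not work for this filter; the context is
 *       closed in {@link #destroy()}.</li>
 * </ul>
 */
public class RoleFilter implements Filter {

    /**
     * Servlet-path suffixes served without any session or permission check
     * (login page/endpoint, index, welcome and the menu list).
     */
    private static final String[] PUBLIC_SUFFIXES = {
        "/login.html", "/login.json", "/index.html", "/welcome.html", "/menulist.json"
    };

    final ApplicationContext context =
            new ClassPathXmlApplicationContext("/spring/spring-dao.xml");
    final IRoleDAO roleDao = context.getBean(IRoleDAO.class);
    final IRoleMenuDAO roleMenuDao = context.getBean(IRoleMenuDAO.class);
    final IMenuDAO menuDao = context.getBean(IMenuDAO.class);
    final IUserRoleDAO userRoleDao = context.getBean(IUserRoleDAO.class);

    /** Role id -> permission URLs granted to that role. Written only by {@link #init}. */
    final Map<Integer, Set<String>> map = new HashMap<>();

    /**
     * Loads every role and caches its permission URLs.
     *
     * @param filterConfig the container-supplied configuration; its init-params are not read
     * @throws ServletException never thrown by this implementation (declared by {@link Filter})
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        List<Role> allRole = roleDao.selectAll();
        if (allRole == null) {
            return;
        }
        for (Role role : allRole) {
            map.put(role.getId(), loadPermissionUrls(role.getId()));
        }
    }

    /**
     * Collects the comma-separated {@code permissionUrls} of every menu assigned to a role.
     *
     * @param roleId id of the role whose menus are looked up
     * @return the set of permission URL strings; empty when the role has no menus
     */
    private Set<String> loadPermissionUrls(Integer roleId) {
        Set<String> menuUrl = new HashSet<>();

        Example example = new Example(RoleMenu.class);
        example.createCriteria().andEqualTo("roleId", roleId);
        List<RoleMenu> roleMenus = roleMenuDao.selectByExample(example);

        Set<Integer> menuIds = new HashSet<>();
        if (roleMenus != null) {
            for (RoleMenu roleMenu : roleMenus) {
                menuIds.add(roleMenu.getMenuId());
            }
        }
        // Skip the menu query for a role without menus: an empty IN (...) clause is
        // typically rejected by the database, and the result would be empty anyway.
        if (menuIds.isEmpty()) {
            return menuUrl;
        }

        // Fetch the menu rows that actually carry permission URLs.
        example = new Example(Menu.class);
        example.createCriteria().andIn("id", menuIds).andIsNotNull("permissionUrls");
        example.setOrderByClause("id asc");
        List<Menu> menus = menuDao.selectByExample(example);
        if (menus != null) {
            for (Menu menu : menus) {
                for (String url : menu.getPermissionUrls().split(",")) {
                    menuUrl.add(url);
                }
            }
        }
        return menuUrl;
    }

    /**
     * Applies the access check described on the class.
     *
     * @param arg0 the request (cast to {@link HttpServletRequest})
     * @param arg1 the response (cast to {@link HttpServletResponse})
     * @param chain the remaining filter chain, invoked only when access is granted
     * @throws IOException if the redirect or the denial body cannot be written
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;
        String requestURI = request.getRequestURI();
        System.out.println("requestURI+++:" + requestURI);

        // Use the servlet path for matching: unlike getRequestURI() it is decoded, has the
        // context path stripped and carries no path parameters, so an allow-listed name
        // must really be the requested resource rather than appear somewhere in the URI.
        String path = request.getServletPath();
        if (path == null || path.isEmpty()) {
            // Only for mappings other than *.json/*.html; strip the context path by hand.
            path = requestURI.substring(request.getContextPath().length());
        }

        if (isPublic(path)) {
            chain.doFilter(arg0, arg1);
            return;
        }

        Object object = request.getSession().getAttribute(SystemCons.session_key);
        if (!(object instanceof User)) {
            // Not logged in: redirect. Do NOT also call chain.doFilter here — a redirect
            // and continuing the chain on the same response conflict.
            response.sendRedirect("login.html");
            return;
        }
        User user = (User) object;
        // Log only the id: User#toString may include fields that should not reach stdout.
        System.out.println("user_______:" + user.getId());

        // NOTE(review): kept from the original — these headers are set for granted requests
        // too (including *.html ones), so downstream handlers are expected to override them.
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json; charset=utf-8");

        Example example = new Example(UserRole.class);
        example.createCriteria().andEqualTo("uid", user.getId());
        List<UserRole> userRoleList = userRoleDao.selectByExample(example);
        if (userRoleList == null || userRoleList.isEmpty()) {
            // A logged-in user without any role gets nothing.
            writeDenied(response);
            return;
        }

        // Only the first role is considered (as before). A role missing from the cache
        // (e.g. created after startup) is treated as granting nothing.
        Set<String> allowed = map.get(userRoleList.get(0).getRoleId());
        // Permission URLs are assumed to be stored without context path and leading slash;
        // this matches the original fixed-offset strip for a 4-character context path —
        // TODO confirm against the menu data.
        String uri = path.startsWith("/") ? path.substring(1) : path;
        if (allowed == null || !allowed.contains(uri)) {
            System.out.println("该用户没有权限");
            writeDenied(response);
            return;
        }
        chain.doFilter(arg0, arg1);
    }

    /**
     * Tells whether a servlet path is one of the public pages/endpoints.
     *
     * @param path decoded servlet path of the request
     * @return {@code true} when the path ends with one of {@link #PUBLIC_SUFFIXES}
     */
    private static boolean isPublic(String path) {
        for (String suffix : PUBLIC_SUFFIXES) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Writes the JSON denial body {@code {"code":"-1","msg":"您没有权限"}} and closes the writer.
     * The HTTP status is left untouched (200) because the front end reads {@code code};
     * switching to 403 would be the conventional signal but needs the client adjusted first.
     *
     * @param response the response to write to; encoding and content type must already be set
     * @throws IOException if the writer cannot be obtained or written
     */
    private static void writeDenied(HttpServletResponse response) throws IOException {
        JSONObject res = new JSONObject();
        res.put("code", "-1");
        res.put("msg", "您没有权限");
        try (PrintWriter out = response.getWriter()) {
            out.append(res.toString());
        }
    }

    /** Releases the private Spring context (and with it the DAO resources it owns). */
    @Override
    public void destroy() {
        if (context instanceof ClassPathXmlApplicationContext) {
            ((ClassPathXmlApplicationContext) context).close();
        }
    }
}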
这里要注意的是：重定向和过滤器链（chain.doFilter）会有冲突，只能取一个；最下面注掉的就是冲突的地方。
init 初始化时获取全部角色所拥有的权限 URL；这里之前用 @Autowired 注入，注入不进来，换成 bean 注入解决。
然后是web.xml
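<!-- RoleFilter: role-based access check for *.json and *.html requests.
     The filter-name used to be "characterEncodingFilter", which names a different
     (encoding) filter; it is renamed so the mapping is self-explanatory and cannot
     collide with a real encoding filter declared elsewhere in web.xml. -->
<filter>
  <filter-name>roleFilter</filter-name>
  <filter-class>xxx.xxx.xxx.RoleFilter</filter-class>
  <!-- RoleFilter.init() does not read this parameter; kept only because the original
       declaration carried it. -->
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
</filter>
<!-- No <dispatcher> element: the filter runs for client REQUESTs only, not for
     RequestDispatcher forward/include or error-page dispatches. -->
<filter-mapping>
  <filter-name>roleFilter</filter-name>
  <url-pattern>*.json</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>roleFilter</filter-name>
  <url-pattern>*.html</url-pattern>
</filter-mapping>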