问题描述:
使用Ruoyi的demo部署成功后,发现js、css等静态文件都进入了过滤器,修改application.yml:
xss:
# 过滤开关
enabled: true
# 排除链接(多个用逗号分隔)
# 手动增加.*\\.css,.*\\.jpg,.*\\.js,.*\\.map,注意使用的是正则表达式
excludes: /system/notice/*,.*\\.css,.*\\.jpg,.*\\.js,.*\\.map
# 匹配链接
urlPatterns: /system/*,/monitor/*,/tool/*
自动重启应用后发现过XssFilter.java已经排除了静态文件了。
但是发现静态文件没有使用浏览器缓存,新建BrowserCacheFilter.java并增加@WebFilter处理:
package com.ruoyi.framework.config;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
@WebFilter(filterName = "browserCacheFilter", urlPatterns = {"*.css","*.jpg","*.js"})
public class BrowserCacheFilter implements Filter{
@Override
public void init(FilterConfig filterConfig) throws ServletException{
Filter.super.init(filterConfig);
}
public void doFilter(ServletRequest req,ServletResponse res,FilterChain chain) throws IOException,ServletException{
HttpServletRequest request=(HttpServletRequest)req;
HttpServletResponse response=(HttpServletResponse)res;
// response.addHeader("Cache-Control","no-cache");
// response.addHeader("Expires","Thu, 01 Jan 1970 00:00:00 GMT");
response.addHeader("Cache-Control","max-age=86400"); //86400s=24h
chain.doFilter(request,response);
}
}
应用自动重启后发现@WebFilter无效!
解决方案:
方案1:BrowserCacheFilter.java增加@Component 或 @Configuration
@Component
@WebFilter(filterName = "browserCacheFilter", urlPatterns = {"*.css","*.jpg","*.js"})
public class BrowserCacheFilter implements Filter{
处理结果:重启后可以进入到init方法,但@WebFilter的urlPatterns无效,准确地说,是@WebFilter仍然无效。
方案2:FilterConfig.java增加@Bean
package com.ruoyi.framework.config;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.DispatcherType;
import org.nutz.lang.Lang;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.xss.XssFilter;
/**
* Filter配置
*
* @author ruoyi
*/
@Configuration
public class FilterConfig {
@Value("${xss.enabled}")
private String enabled;
@Value("${xss.excludes}")
private String excludes;
@Value("${xss.urlPatterns}")
private String urlPatterns;
@SuppressWarnings({ "rawtypes", "unchecked" })
@Bean
public FilterRegistrationBean xssFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter(new XssFilter());
registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));
registration.setName("xssFilter");
registration.setOrder(Integer.MAX_VALUE);
Map<String, String> initParameters = new HashMap<String, String>();
initParameters.put("excludes", excludes);
initParameters.put("enabled", enabled);
registration.setInitParameters(initParameters);
return registration;
}
/**增加BrowserCacheFilter过滤器*/
@Bean
public FilterRegistrationBean browserCacheFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(new BrowserCacheFilter());
registration.addUrlPatterns("*.css","*.js","*.jpg","*.png","");
return registration;
}
}
重启后能进入到init方法,并按【registration.addUrlPatterns(".css",".js",".jpg",".png","")】设置过滤静态文件。
方案3:RuoYiApplication.java增加@ServletComponentScan
package com.ruoyi;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
import org.springframework.boot.web.servlet.ServletComponentScan;
/**
* 启动程序
* @author ruoyi
*/
@SpringBootApplication(exclude = { DataSourceAutoConfiguration.class })
@ServletComponentScan
public class RuoYiApplication {
public static void main(String[] args) {
// System.setProperty("spring.devtools.restart.enabled", "false");
SpringApplication.run(RuoYiApplication.class, args);
...
}
}
应用重启后能识别和处理@WebFilter注解,能进入init方法并根据urlPatterns过滤静态文件。
方案4:在FilterConfig.java增加@ServletComponentScan
package com.ruoyi.framework.config;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.DispatcherType;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.xss.XssFilter;
/**
* Filter配置
* @author ruoyi
*/
@Configuration
@ServletComponentScan
public class FilterConfig
{
@Value("${xss.enabled}")
private String enabled;
@Value("${xss.excludes}")
private String excludes;
@Value("${xss.urlPatterns}")
private String urlPatterns;
@SuppressWarnings({ "rawtypes", "unchecked" })
@Bean
public FilterRegistrationBean xssFilterRegistration()
{
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter(new XssFilter());
registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));
registration.setName("xssFilter");
registration.setOrder(Integer.MAX_VALUE);
Map<String, String> initParameters = new HashMap<String, String>();
initParameters.put("excludes", excludes);
initParameters.put("enabled", enabled);
registration.setInitParameters(initParameters);
return registration;
}
}
应用重启后能识别和处理@WebFilter注解,能进入init方法并根据urlPatterns过滤静态文件。方案4只扫描该目录或其子目录的@WebFilter,其他目录不会扫描。
总结:
比较以上4个方案,方案4是最理想的解决方案。