本例应用反射技术和责任链模式实现了反SQL注入和反SCRIPT注入这个功能。它对于系统来说是可插拨的,这样就实现了与系统的松散耦合。
它的主要思想是:把Form对象,PO对象以及VO等对象中的String型属性的值进行过滤后重新封闭为原有类型的对象。在获取对象的时候应用了java反映技术,在进行过滤的时候,实现了链式过滤。这样做,就是为了达到可维护性,可扩展性,可重用性以及灵活性的目的。
以下是源代码:
public class Request {
// 存储需要过滤的字符串
private String requestStr;
public String getRequestStr() {
return requestStr;
}
public void setRequestStr(String requestStr) {
this.requestStr = requestStr;
}
}
public class FilterConstant {
public static String[][] sqlFilter = {{";",""},{"'",""},{"--",""},{"%",""}}; //定义sql过滤的内容
public static String[][] scriptFilter = {{"<","<"},{">",">"}}; //定义script过滤的内容
}
public interface IFilter {
void doFilter(Request request, FilterChain chain);
}
public class ScriptFilter implements IFilter {
@Override
public void doFilter(Request request, FilterChain chain) {
if (request != null) {
String strRequest = request.getRequestStr();
String[][] scriptFilter = FilterConstant.scriptFilter;
for (String[] strings : scriptFilter) {
strRequest = strRequest.replace(strings[0], strings[1]);
}
request.setRequestStr(strRequest);
}
chain.doFilter(request, chain);
}
}
public class SqlFilter implements IFilter {
@Override
public void doFilter(Request request, FilterChain chain) {
if (request != null) {
String strRequest = request.getRequestStr();
String[][] scriptFilter = FilterConstant.sqlFilter;
for (String[] strings : scriptFilter) {
strRequest = strRequest.replace(strings[0], strings[1]);
}
request.setRequestStr(strRequest);
}
chain.doFilter(request, chain);
}
}
import java.util.ArrayList;
import java.util.List;
public class FilterChain implements IFilter {
// 使用 List 保存过滤器
private List<IFilter> filters = new ArrayList<IFilter>();
private int index = 0;
// 用于添加过滤器,可以添加实现了IFilter接口的FilterChain
public FilterChain addFilter(IFilter f) {
this.filters.add(f);
return this;
}
@Override
public void doFilter(Request request, FilterChain chain) {
// 判断是否是否遍历到 List 的最大值,如果是 return
if (index == filters.size())
return;
// 逐一获取过滤器
IFilter f = filters.get(index);
// 此过滤器链的下标,是遍历过滤器的索引
index++;
// 使用列表中的第index个过滤器,将更改后的 request ,chain 传进去,
f.doFilter(request,chain);
index = 0;
}
}
public class FilterHelper {
/*
* 过滤方法,实现链式过滤;传入String ,返回String;
*
*/
public static String doFilter(String str) throws Exception {
if(str==null||str=="")return null ;
Request request = new Request();
request.setRequestStr(str);
FilterChain fChain = new FilterChain();
fChain.addFilter(new SqlFilter()).addFilter(new ScriptFilter());
fChain.doFilter(request, fChain);
return request.getRequestStr();
}
}
import java.lang.reflect.Field;
public class Filter {
/*
* 参数:Object,接收ActionForm,Plain Object,View
* Object;它们的属性值应为单值类型,不能为复合类型或数组类型; 返回值:Object; 作用:根据已定义的过滤规则,过滤所传入Object值;
*/
public static Object objectFilter(Object obj) throws Exception {
if (obj == null)
return obj;
Class clazz = obj.getClass();
if (clazz.isArray() || clazz.isInterface() || clazz.isPrimitive())
return obj;
Field[] fds = clazz.getDeclaredFields();
for (Field field : fds) {
if (field.getType().getName().equals("java.lang.String")) {
field.setAccessible(true);
Object before = field.get(obj);
if(before!=null)
field.set(obj, FilterHelper.doFilter(before.toString()));
}
}
return obj;
}
}
以上内容为全部核心代码;
使用方法:在struts1.x中,
可照此样调用:
CaseForm caseForm = (CaseForm) form;
caseForm =(CaseForm)Filter.objectFilter(caseForm); //重写Form的内容;