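/**
 * Wraps a resolved {@link HandlerExecutionChain} so that the controller bean behind its
 * {@link HandlerMethod} is replaced by a CGLIB subclass proxy whose callback HTML-escapes
 * String arguments (and String fields of entity arguments) before the real controller method
 * runs.
 *
 * <p>Caveats for reviewers:
 * <ul>
 *   <li>Input-side HTML escaping is a coarse, context-blind XSS mitigation. It is not a
 *       substitute for output encoding in the view layer, and it mutates the values the
 *       controller goes on to use, so the escaped form is what gets persisted.</li>
 *   <li>Every String parameter is escaped, whatever it was bound from (body, query, path,
 *       header); there is no per-parameter opt-out, only the per-method allowlist in
 *       {@link ControllerXssInterceptor}.</li>
 *   <li>CGLIB subclassing cannot intercept {@code final} methods or final controller
 *       classes, and needs a usable no-arg constructor on the bean type; such controllers
 *       either bypass the filter silently or fail in {@link #createProxyBean(HandlerMethod)}.</li>
 *   <li>The {@code request} constructor argument is unused; it is kept so existing callers
 *       keep compiling.</li>
 * </ul>
 */
class HandlerExecutionChainWrapper extends HandlerExecutionChain {

    private final BeanFactory beanFactory;

    /**
     * Lazily built proxied handler. {@code volatile} is required for the double-checked
     * locking in {@link #getHandler()}: without it a thread reading the field outside the
     * lock may observe a non-null reference to a not yet fully published HandlerMethod.
     */
    private volatile HandlerMethod handlerWrapper;

    private final Object lock = new Object();

    /**
     * @param chain       the chain resolved by the handler mapping; its handler must be a
     *                    {@link HandlerMethod}
     * @param request     unused; accepted for API compatibility
     * @param beanFactory used to resolve the controller when the HandlerMethod only carries
     *                    a bean name
     */
    public HandlerExecutionChainWrapper(HandlerExecutionChain chain, HttpServletRequest request,
                                        BeanFactory beanFactory) {
        super(chain.getHandler(), chain.getInterceptors());
        this.beanFactory = beanFactory;
    }

    /**
     * Returns a {@link HandlerMethod} bound to the XSS-filtering proxy instead of the raw
     * controller bean. The proxy is built once, on first call, and cached.
     *
     * @throws IllegalStateException if the proxy cannot be created
     *                               (see {@link #createProxyBean(HandlerMethod)})
     * @throws ClassCastException    if the wrapped chain's handler is not a HandlerMethod
     */
    @Override
    public Object getHandler() {
        HandlerMethod wrapper = this.handlerWrapper;
        if (wrapper != null) {
            return wrapper;
        }
        synchronized (this.lock) {
            wrapper = this.handlerWrapper;
            if (wrapper == null) {
                HandlerMethod original = (HandlerMethod) super.getHandler();
                Object proxyBean = createProxyBean(original);
                wrapper = new HandlerMethod(proxyBean, original.getMethod());
                this.handlerWrapper = wrapper;
            }
            return wrapper;
        }
    }

    /**
     * Creates a CGLIB subclass of the controller's bean type whose (non-final) methods are
     * routed through a {@link ControllerXssInterceptor} that delegates to the real bean.
     *
     * @param handler the original handler; its bean may be the instance itself or a bean
     *                name to be resolved through the BeanFactory
     * @return the proxy instance
     * @throws IllegalStateException wrapping any failure (unresolvable bean name, final or
     *                               constructor-less controller class, ...)
     */
    private Object createProxyBean(HandlerMethod handler) {
        try {
            Object target = handler.getBean();
            if (target instanceof String) {
                // The mapping may register the handler by bean name rather than by instance.
                target = this.beanFactory.getBean((String) target);
            }
            Enhancer enhancer = new Enhancer();
            enhancer.setSuperclass(handler.getBeanType());
            enhancer.setCallback(new ControllerXssInterceptor(target));
            return enhancer.create();
        } catch (Exception e) {
            throw new IllegalStateException("为Controller创建代理失败:" + e.getMessage(), e);
        }
    }

    /**
     * CGLIB callback that HTML-escapes controller arguments before delegating to the real
     * controller instance.
     *
     * <p>Escaped: every {@code String} argument, and every {@code String} instance field of
     * an argument whose runtime class name starts with one of {@code objectMatchPackages}.
     * Not escaped: arguments of the methods named in {@link #UNFILTERED_METHODS}. That
     * allowlist is purely name-based — a method with one of those names in any controller
     * receives raw input, so it should stay short and be reviewed when controllers change.
     */
    public static class ControllerXssInterceptor implements MethodInterceptor {

        /** Controller method names whose arguments are passed through unescaped. */
        private static final String[] UNFILTERED_METHODS =
                {"print", "export", "viewAppTable", "viewAppChart"};

        private final Object target;

        /**
         * Package-name prefixes of argument classes whose String fields are escaped in
         * place. Matched with startsWith on the fully qualified class name.
         */
        private final List<String> objectMatchPackages;

        /** @param target the real controller bean every call is forwarded to */
        public ControllerXssInterceptor(Object target) {
            this.target = target;
            this.objectMatchPackages = new ArrayList<String>();
            this.objectMatchPackages.add("cn.com.linkwidejc.bi.entity");
        }

        /**
         * Escapes the arguments (unless the method is allowlisted) and invokes the real
         * controller method.
         *
         * @param obj    the proxy instance (unused; the call goes to {@code target})
         * @param method the controller method being invoked
         * @param args   the bound arguments; String entries are replaced in this array and
         *               entity entries are mutated in place
         * @param proxy  CGLIB method proxy (unused)
         * @return whatever the controller method returns
         * @throws Throwable whatever the controller method throws, unwrapped from the
         *                   reflective {@code InvocationTargetException}
         */
        @Override
        public Object intercept(Object obj, Method method, Object[] args, MethodProxy proxy)
                throws Throwable {
            if (args != null && !isUnfiltered(method.getName())) {
                for (int i = 0; i < args.length; i++) {
                    Object arg = args[i];
                    if (arg instanceof String) {
                        args[i] = stringXssReplace((String) arg);
                    } else if (arg != null && isEntity(arg)) {
                        objectXssReplace(arg);
                    }
                }
            }
            return invokeTarget(method, args);
        }

        /**
         * Invokes the real controller method. Reflection wraps anything the controller
         * throws in an InvocationTargetException; unwrapping it lets the exception handling
         * layer see the controller's actual exception type instead of the reflective wrapper.
         */
        private Object invokeTarget(Method method, Object[] args) throws Throwable {
            try {
                return method.invoke(this.target, args);
            } catch (java.lang.reflect.InvocationTargetException e) {
                Throwable cause = e.getCause();
                throw cause != null ? cause : e;
            }
        }

        /** True if the method name is on the unescaped allowlist. */
        private static boolean isUnfiltered(String methodName) {
            for (String name : UNFILTERED_METHODS) {
                if (name.equals(methodName)) {
                    return true;
                }
            }
            return false;
        }

        /** True if the argument's runtime class name starts with a configured package prefix. */
        private boolean isEntity(Object arg) {
            String className = arg.getClass().getName();
            for (String pkg : this.objectMatchPackages) {
                if (className.startsWith(pkg)) {
                    return true;
                }
            }
            return false;
        }

        /** Delegates to the project's HTML escaper (presumably entity-encodes HTML metacharacters). */
        private String stringXssReplace(String argument) {
            return RSBIUtils.htmlEscape(argument);
        }

        /**
         * HTML-escapes, in place, every non-empty String instance field of {@code argument},
         * walking up the class hierarchy so fields declared on entity superclasses are
         * covered too (getDeclaredFields() on the runtime class alone would let inherited
         * String fields through unescaped). Static fields are skipped: they are shared
         * state, and writing a static final String via Field.set would throw.
         *
         * @throws IllegalAccessException if a field cannot be read or written reflectively
         */
        private void objectXssReplace(Object argument) throws IllegalAccessException {
            if (argument == null) {
                return;
            }
            for (Class<?> type = argument.getClass();
                 type != null && type != Object.class;
                 type = type.getSuperclass()) {
                for (Field f : type.getDeclaredFields()) {
                    if (f.getType() != String.class
                            || java.lang.reflect.Modifier.isStatic(f.getModifiers())) {
                        continue;
                    }
                    f.setAccessible(true);
                    String value = (String) f.get(argument);
                    if (value != null && !StringUtil.isEmpty(value)) {
                        f.set(argument, RSBIUtils.htmlEscape(value));
                    }
                }
            }
        }
    }
}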
java拦截器处理过滤对象中属性的特殊字符