前言
Glassfish5.0.0
分析 glassfish Filter内存马
环境搭建
HelloFilter
分析Filter
首先在Servlet中打下断点,观察调用栈,
观察调用栈,在StandardWrapper中第一次调用了doFilter,再次说明,个人认为,分析一个filter运行的过程。首先要关注的是filterchain是如何生成的。因为只有filterchain生成之后,才能说去调用doFilter,让filter起作用。而第一次调用doFilter的时候往往就能找到关于filterchain的线索。
org.apache.catalina.core.StandardWrapperValve:invoke(),调用了filterChain.doFilter(hreq, hres);
关注filterChain是如何生成的。
org.apache.catalina.core.StandardWrapperValve:invoke()中第120行代码。调用了createFilterChain,跟进该方法。
ApplicationFilterChain filterChain = factory.createFilterChain((ServletRequest)request, wrapper, servlet);
public ApplicationFilterChain createFilterChain(ServletRequest request, Wrapper wrapper, Servlet servlet) {
if (servlet == null) {
return null;
} else {
ApplicationFilterChain filterChain = null;
StandardContext context = (StandardContext)wrapper.getParent();
List filterMaps = context.findFilterMaps();
if (filterMaps.isEmpty()) {
return filterChain;
} else {
DispatcherType dispatcher = request.getDispatcherType();
String requestPath = null;
Object attribute = request.getAttribute(“org.apache.catalina.core.DISPATCHER_REQUEST_PATH”);
if (attribute != null) {
requestPath = attribute.toString();
}
String servletName = wrapper.getName();
int n = 0;
Iterator i = filterMaps.iterator();
FilterMap filterMap;
ApplicationFilterConfig filterConfig;
while(i.hasNext()) {
filterMap = (FilterMap)i.next();
if (filterMap.getDispatcherTypes().contains(dispatcher) && this.matchFiltersURL(filterMap, requestPath, context.isCaseSensitiveMapping())) {
filterConfig = (ApplicationFilterConfig)context.findFilterConfig(filterMap.getFilterName());
if (filterConfig != null) {
if (filterChain == null) {
filterChain = this.internalCreateFilterChain(request, wrapper, servlet);
}
filterChain.addFilter(filterConfig)
最低0.47元/天 解锁文章
扫一扫
230
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
