Filter代码:
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
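/**
 * Servlet filter that rejects a request when its reconstructed URL or its
 * {@code Referer} header contains one of a fixed list of blocked substrings, and
 * marks every response that passes through it as non-cacheable.
 *
 * <p>This is a case-insensitive substring blocklist, not a parser. It cannot tell
 * a real SQL or script payload from a harmless path that happens to contain a
 * listed word (for example a path containing {@code select} or {@code div}), and it
 * inspects only the request line, the {@code Host} header and the {@code Referer}
 * header, never POST bodies, cookies or other headers. Treat it as defence in
 * depth only: protection against SQL injection has to come from parameterised
 * queries in the data layer, and protection against XSS from output encoding.
 */
public class SqlInjectionFilter implements Filter {

    /** Separator between entries of {@link #sqlkey}. */
    private static final String KEY_SEPARATOR = "@";

    /** Stored by {@link #init} for subclasses; this class never reads it back. */
    protected FilterConfig filterConfig;

    /** Raw {@code '@'}-separated blocklist, kept as a field for subclasses. */
    protected String sqlkey = null;

    /** Lower-cased, non-empty entries of {@link #sqlkey}, computed once in {@link #init}. */
    private String[] blockedTokens = new String[0];

    /**
     * Stores the filter config and builds the blocklist.
     *
     * @param filterConfig container-supplied configuration (stored, not queried)
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        // Blocked substrings, '@'-separated; entries can be added by hand. Because the
        // filter matches substrings of the whole request URL, nothing listed here can be
        // used as a URL parameter name/value or form field value by this application.
        // The "\(|\)" entry is a regex fragment that never matches literally; the
        // separate "(" and ")" entries cover parentheses.
        this.sqlkey = "'%20@document.cookie@xp_cmdshell@'@;@!@*@%3d@%20http@https%20@%20or%20@%6a%61%76%61%73%63%72%69%70%74@%3c@%3e@--@exec@script@javascript@vbscript@expression@script@ftp@dircount@chr@master@truncate@declare@;@dbms@\\(|\\)@<img@%3cimg@like@select@delete@update@into@where@from@alert@<@>@(@)@'@''@\'@\''@<>@()@eval@and+@[window@xml@gbk@uf8@href=@source+@.org@.net@.source@ScRiPt@src=@prompt@expression@width@div@";
        this.blockedTokens = parseTokens(this.sqlkey);
    }

    /**
     * Splits a {@code '@'}-separated blocklist into lower-cased tokens, dropping empty
     * entries.
     *
     * <p>Empty entries must never reach the matcher: {@code "x".contains("")} is true,
     * so a stray {@code "@@"} in the list would block every request. {@link Locale#ROOT}
     * is used so that lower-casing does not depend on the JVM's default locale (in some
     * locales {@code "I"} does not lower-case to {@code "i"}, which would let
     * mixed-case payloads slip past the list).
     *
     * @param keys raw blocklist, may be {@code null} or empty
     * @return lower-cased non-empty tokens, never {@code null}
     */
    static String[] parseTokens(String keys) {
        if (keys == null || keys.isEmpty()) {
            return new String[0];
        }
        List<String> tokens = new ArrayList<>();
        for (String raw : keys.split(KEY_SEPARATOR)) {
            String token = raw.toLowerCase(Locale.ROOT);
            if (!token.isEmpty()) {
                tokens.add(token);
            }
        }
        return tokens.toArray(new String[0]);
    }

    /**
     * Returns the first blocked token contained anywhere in {@code value}, compared
     * case-insensitively, or {@code null} when the value is absent or clean.
     *
     * <p>The match is a plain {@code contains}: the previous {@code indexOf(token) > 1}
     * test ignored matches at offset 0 and 1, so a {@code Referer} value that started
     * with a listed token passed the check.
     *
     * @param value untrusted text to inspect, may be {@code null}
     * @param tokens lower-cased, non-empty tokens from {@link #parseTokens}
     * @return the matching token, or {@code null}
     */
    static String findBlockedToken(String value, String[] tokens) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        String lower = value.toLowerCase(Locale.ROOT);
        for (String token : tokens) {
            if (lower.contains(token)) {
                return token;
            }
        }
        return null;
    }

    /**
     * Reconstructs the absolute URL the client asked for: scheme, {@code Host} header,
     * request URI and query string.
     *
     * <p>The {@code Host} header and the query string are supplied by the client, so the
     * result is untrusted and is used only for matching and logging.
     *
     * @param req the current request
     * @return the reconstructed URL ({@code "null"} appears where the Host header is missing)
     */
    static String buildRequestUrl(HttpServletRequest req) {
        StringBuilder url = new StringBuilder(req.getScheme())
                .append("://")
                .append(req.getHeader("host"))
                .append(req.getRequestURI());
        String query = req.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Disables caching on the response, then either redirects to
     * {@code <context>/badrequest.jsp} when the URL or Referer contains a blocked token,
     * or passes the request down the chain.
     *
     * @throws IOException from {@code sendRedirect} or the rest of the chain
     * @throws ServletException from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("==进入sql过滤器===");
        HttpServletRequest httprequest = (HttpServletRequest) request;
        HttpServletResponse httpresponse = (HttpServletResponse) response;
        // Tell the browser not to cache any page served through this filter.
        httpresponse.setHeader("Cache-Control", "no-cache");
        httpresponse.setHeader("Pragma", "no-cache");
        httpresponse.setDateHeader("Expires", -1);

        String[] tokens = this.blockedTokens;
        String url = buildRequestUrl(httprequest);
        // The logged URL and Referer are attacker-controlled; the log line is for
        // operators and must not be rendered back to a browser unescaped.
        String hit = findBlockedToken(url, tokens);
        if (hit != null) {
            System.out.println("路径:" + url + "有特殊字符 '" + hit + "' 已进行拦截!");
        } else {
            String referer = httprequest.getHeader("referer");
            hit = findBlockedToken(referer, tokens);
            if (hit != null) {
                System.out.println("header:" + referer + "有特殊字符 '" + hit + "' 已进行拦截!");
            }
        }

        if (hit != null) {
            // The rejection action can be customised; currently a redirect to the
            // application's bad-request page. That page is itself served through this
            // filter (pattern "/*"), so its path must not contain a blocked token.
            String path = httprequest.getContextPath();
            httpresponse.sendRedirect(path + "/badrequest.jsp");
        } else {
            chain.doFilter(request, response);
        }
        System.out.println("==结束sql过滤器===");
    }

    /** Releases references held since {@link #init}. */
    @Override
    public void destroy() {
        this.sqlkey = null;
        this.filterConfig = null;
        this.blockedTokens = new String[0];
    }
}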
config代码:
import java.util.Map;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.google.common.collect.Maps;
import com.SqlInjectionFilter;
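/**
 * Registers {@link SqlInjectionFilter} for every request path.
 *
 * <p>The simple name of this class is the same as {@code javax.servlet.FilterConfig},
 * which the filter itself imports; they live in different packages, but the shared
 * name is easy to confuse when reading stack traces or imports.
 */
@Configuration
public class FilterConfig {

    /** Position among registered filters (Spring's Ordered convention: lower runs first). */
    private static final int SQL_FILTER_ORDER = 3;

    /**
     * Builds the registration for the SQL-injection filter.
     *
     * @return a registration mapping the filter to {@code /*}
     */
    @Bean
    public FilterRegistrationBean sqlFilterRegistrationBean() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new SqlInjectionFilter());
        registration.setOrder(SQL_FILTER_ORDER);
        registration.setEnabled(true);
        // Matches every request, including static resources and the /badrequest.jsp page
        // the filter redirects to.
        registration.addUrlPatterns("/*");
        // SqlInjectionFilter stores its FilterConfig but never reads any init parameter,
        // so the map is intentionally empty. An "excludes" list (e.g. for /favicon.ico,
        // /img/*, /js/*, /css/*) would have to be implemented in the filter before it
        // could be configured here.
        Map<String, String> initParameters = Maps.newHashMap();
        registration.setInitParameters(initParameters);
        return registration;
    }
}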