import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.Reader;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.springframework.util.ResourceUtils;
import com.itsv.gbp.core.web.filter.CustomException;
/**
* @preserve
*/
public class IntceptorFilter extends HttpServlet implements Filter {
private FilterConfig filterConfig; // FilterConfig handed over by the container; stored in init(FilterConfig) and kept for the filter's lifetime
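/**
 * Stores the container-supplied {@link FilterConfig} for later use by this filter.
 *
 * @param filterConfig configuration passed by the servlet container when the filter is created
 * @throws ServletException declared by {@link Filter#init(FilterConfig)}; this implementation never throws it
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}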
/**
* Process the request/response pair
*
* @preserve
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
// hwj
res.addHeader("Set-Cookie", " Path=/; HttpOnly"); //Cookie 缺少 HttpOnly属性
res.addHeader("X-Frame-Options","SAMEORIGIN"); //防止 x-frame-options 缺失
/*x-frame-options 属性值
* DENY 表示该页面不允许在 frame 中展示,即便是在相同域名的页面中嵌套也不允许。
* SAMEORIGIN 表示该页面可以在相同域名页面的 frame 中展示
* ALLOW-FROM uri表示该页面可以在指定来源的 frame 中展示。
*/
// 头攻击检测host 添加白名单
String requestHost = req.getHeader("host"); //当前访问的url地址host
if (requestHost != null && !isWhite(requestHost)) {
res.setStatus(403);
return;
}
// clientRequest 记录真正的被请求的 URL 比如 /index.jsp;/login.jsp;/
String home = req.getScheme() + "://" + req.getServerName() + ":"
+ req.getServerPort();
String clientRequest = req.getRequestURL() + "?" + req.getQueryString();// req.getServletPath();
System.out.println("过滤器===========" + clientRequest);
// -------lfh 2016.2.24,针对登陆界面的参数判断--------//
Map parameters = request.getParameterMap();
if (parameters != null && parameters.size() > 0) {
for (Iterator iter = parameters.keySet().iterator(); iter.hasNext();) {
String key = (String) iter.next();
String[] values = (String[]) parameters.get(key);
if ("dwdm".equals(key) || "password".equals(key)
|| "dwdjzh".equals(key)) {
for (int i = 0; i < values.length; i++) {
if (!valueFilter1(values[i])