使用spring的DelegatingFilterProxy 写xss filter

最近需要写个xss过滤器,将访问网站的所有请求参数都进行xss过滤,过滤的api使用的是antisamy-1.4.4

java代码

 

public class XssFilter implements Filter {

	private static final Logger log = LoggerFactory.getLogger(XssFilter.class);
	
	public static final String POLICY_FILE_LOCATION = "antisamy-slashdot-1.4.4.xml";
	
    private List<String> filterChainDefinitions;
    
	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		// TODO Auto-generated method stub
		
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		String path = ((HttpServletRequest) request).getContextPath();
		String uri = ((HttpServletRequest) request).getRequestURI().replace(path, "");
		Map m = request.getParameterMap();
		if (matchUri(uri)) {
			try {
				m = this.clearRequestPra(request,new HashMap());
			} catch (Exception e) {
				log.info(e.toString());
			}
		}
		
		ParameterRequestWrapper wrapRequest=new ParameterRequestWrapper(((HttpServletRequest) request),m);         
	    chain.doFilter(wrapRequest, response); 
	}
	
	private Map clearRequestPra(ServletRequest request,Map m)
	{
		Map params = request.getParameterMap();
		
	      Set<String> keys = params.keySet();  
	      for (String key : keys) { 
	    	Object value = params.get(key);
	    	if (value instanceof String[]) {
            	value = (String[])value;
            	String[] str = (String[])value; 
            		int i =0;
                	for(String v:(String[])value)
                	{
                		v = this.scan(v);
                		str[i] = new String(v);
                		i++;
                	}
                	m.put(key,str);
	    	}
	    	else
	    	{
	    		m.put(key,value);
	    	}
	      }
		
        return m;
	}
	
	private String scan(String content)
	{
		String cleanHtml = "";
		try{
			Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
			AntiSamy as = new AntiSamy();
			CleanResults cr = as.scan(content, policy);
			cleanHtml = cr.getCleanHTML();
		}
		catch(Exception e)
		{
			log.info(e.toString());
		}
		return cleanHtml;
	}
	
	private boolean matchUri(String uri)
	{
		for(String pattern:filterChainDefinitions)
		{
			if(Pattern.matches(pattern,uri))
			{
				return true;
			}
				
		}
		return false;
	}

	@Override
	public void destroy() {
		// TODO Auto-generated method stub
		
	}

	public List<String> getFilterChainDefinitions() {
		return filterChainDefinitions;
	}

	public void setFilterChainDefinitions(List<String> filterChainDefinitions) {
		this.filterChainDefinitions = filterChainDefinitions;
	}
	
}

 application-context-security.xml

 

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
	xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
	xmlns:util="http://www.springframework.org/schema/util"
	xsi:schemaLocation="  
         http://www.springframework.org/schema/beans  
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd  
         http://www.springframework.org/schema/context   
         http://www.springframework.org/schema/context/spring-context-3.0.xsd  
         http://www.springframework.org/schema/util  
         http://www.springframework.org/schema/util/spring-util-3.0.xsd"
	default-lazy-init="true">
	
	<description>Security Config</description>
	
	<!-- Shiro Filter -->
	<bean id="xssFilter" class="com.shurrik.security.XssFilter">
		<property name="filterChainDefinitions">
			<list>
				<!-- <value>^/module.*</value> -->
				<value>^/.*</value>
			</list>
		</property>	
	</bean>

</beans>  

 

web.xml 

 

	<!-- Xss filter-->
	<filter>
		<filter-name>xssFilter</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	    <init-param>
	        <param-name>targetFilterLifecycle</param-name>
	        <param-value>true</param-value>
	    </init-param>
	    <init-param>
	        <param-name>targetBeanName</param-name>
	        <param-value>xssFilter</param-value>
	    </init-param>	    
	</filter>
		
	<filter-mapping>
		<filter-name>xssFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
		<dispatcher>INCLUDE</dispatcher>		
	</filter-mapping>

 

你可能感兴趣的:(spring,Security,filter,xss)