1.配置拦截器
package ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
/**
* Interceptor and static-resource configuration for the system.
*
* NOTE(review): {@code /templates/**} is mapped to {@code classpath:/templates/},
* which serves the raw server-side template sources over HTTP. Unless that is
* intentional, drop that mapping and keep only {@code /static/**}.
*
* NOTE(review): SessionInterceptor is registered for {@code /**} but the path it
* redirects unauthenticated users to ({@code /user/login_view}, see
* SessionInterceptor.preHandle) is not in the exclude list below, so an anonymous
* visit to the login view is redirected to itself. Either exclude
* {@code /user/login_view} here or redirect to the excluded {@code /user/login}.
* Interceptors registered this way presumably also run for the resource handlers
* above, so the login page's CSS/JS under {@code /static/**} would be redirected
* as well -- confirm and exclude {@code /static/**} if so.
*
* @author ShuoYuan
*
*/
@Configuration
public class InterceptorConfigurer extends WebMvcConfigurerAdapter {
@Autowired
private IEventService eventService;
/**
* Configure static resource handlers. (This overrides the adapter method and
* should carry {@code @Override} like addInterceptors below.)
*/
public void addResourceHandlers(ResourceHandlerRegistry registry) {
("/static/**").addResourceLocations("classpath:/static/");
("/templates/**").addResourceLocations("classpath:/templates/");
(registry);
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
// addPathPatterns adds interception rules
// excludePathPatterns removes paths from interception
// Session-check interceptor
(new SessionInterceptor())
.addPathPatterns("/**")
.excludePathPatterns("/user/login") // login page
.excludePathPatterns("/api/code/get/pageCode");// login captcha
(registry);
// User action audit-log interceptor (no path patterns given, so presumably every request)
(new EventInterceptor(eventService));
}
}
package ;
import org.;
import org.;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
/**
* Created by 20160216 on 2018/2/8.
*
* Login check for every request it is registered for (see InterceptorConfigurer):
* requires the session attribute {@code "_session_user"} to be present and
* otherwise redirects to {@code /user/login_view}.
*
* NOTE(review): the redirect target {@code /user/login_view} is itself subject to
* this interceptor (only {@code /user/login} and the captcha path are excluded),
* so an anonymous user is redirected in a loop. Also, sendRedirect with a leading
* slash is relative to the server root, not the servlet context; prefix with
* request.getContextPath() if the application is not deployed at root.
*
* NOTE(review): preHandle logs the full request body and every parameter for
* each request. Anything posted on an intercepted path (tokens, personal data,
* password-change forms) ends up in the log. Remove this, or reduce it to DEBUG
* with redaction, before production.
*/
public class SessionInterceptor extends HandlerInterceptorAdapter {
private Logger logger = ();
// Pre-handle: runs before the controller. true = continue, false = stop here.
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object o) throws Exception {
("经过拦截器拦截前处理啦。。。。。");
try {
// NOTE(review): wrapping here reads the underlying request's input stream, and
// this wrapper is not handed on to the controller. @RequestBody arguments only
// survive if an earlier filter (XssFilter) already replaced the request with a
// re-readable wrapper -- confirm the filter ordering.
RequestWrapper requestWrapper = new RequestWrapper(request);
// Read the @RequestBody / POST body
String body = ();
("拦截器输出body:" + body);
("uri=" + ());
// Collect the request parameters (query string and form fields)
Map<String, String[]> ParameterMap = ();
("参数个数:" + ());
Map reqMap = new HashMap();
Set<<String, String[]>> entry = ();
Iterator<<String, String[]>> it = ();
while (()) {
<String, String[]> me = ();
String key = ();
// Only the first value of a multi-valued parameter is kept.
// NOTE(review): an empty value array throws here; the catch below then denies
// the request without writing any response.
String value = ()[0];
(key, value);
}
String queryString = ((reqMap));
(queryString);
// Paths that bypass the session check (already excluded in InterceptorConfigurer)
if (().equals("/api/code/get/pageCode")) {
return true;
}
// Verify that a logged-in user is present in the session.
// NOTE(review): if this is getSession() rather than getSession(false), every
// anonymous request creates a server-side session -- verify.
Object obj = ().getAttribute("_session_user");
if (obj == null) {
("/user/login_view");// redirect to the login view
return false;
}
return true;
} catch (Exception e) {
("权限判断出错", e);
}
// Fail closed on any error. NOTE(review): nothing is written to the response
// here, so the client presumably receives an empty 200 rather than a 401/403;
// consider response.sendError(HttpServletResponse.SC_FORBIDDEN).
return false;
}
// Post-handle: no-op
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o,
ModelAndView modelAndView) throws Exception {
}
// After-completion: no-op
@Override
public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
Object o, Exception e) throws Exception {
}
}
package ;
import ;
import ;
import ;
import ;
import .*;
/**
* Re-readable request wrapper: buffers the whole request body once in the
* constructor and serves it again from getInputStream()/getReader(), so a filter
* can inspect the body without starving the controller.
*
* NOTE(review): the body is decoded with new InputStreamReader(inputStream) and
* re-encoded with getBytes(), both using the platform default charset. For any
* request whose encoding differs, the bytes handed to the controller are not the
* bytes the client sent. Use request.getCharacterEncoding() (falling back to
* UTF-8) at both ends.
*
* NOTE(review): the entire body is held in memory with no size limit, so a large
* upload that passes through this filter chain lives in the heap. Rely on the
* container's max-post-size or cap the read here.
*/
public class RequestWrapper extends HttpServletRequestWrapper {
private final String body;
public RequestWrapper(HttpServletRequest request) {
super(request);
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = null;
InputStream inputStream = null;
try {
inputStream = ();
if (inputStream != null) {
// Platform default charset -- see class note.
bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
char[] charBuffer = new char[128];
int bytesRead = -1;
// bytesRead is a char count here, despite the name
while ((bytesRead = (charBuffer)) > 0) {
(charBuffer, 0, bytesRead);
}
} else {
("");
}
} catch (IOException ex) {
// NOTE(review): swallowed. A read failure yields an empty body, so the
// XssFilter check sees nothing and the controller gets an empty request
// with no diagnostic. At least log the exception.
} finally {
if (inputStream != null) {
try {
();
}
catch (IOException e) {
();
}
}
if (bufferedReader != null) {
try {
();
}
catch (IOException e) {
();
}
}
}
body = ();
}
/**
* Returns a fresh stream over the buffered body on every call.
*
* NOTE(review): isFinished() always returns false and isReady() always returns
* false. Blocking readers stop at read() == -1 so they work, but anything that
* consults isFinished()/isReady() (async / non-blocking readers) misbehaves.
* isFinished() should report byteArrayInputStream.available() == 0 and
* isReady() should return true.
*/
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(());
ServletInputStream servletInputStream = new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() throws IOException {
return ();
}
};
return servletInputStream;
}
/** Reader over the buffered body (platform default charset -- see class note). */
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(()));
}
/** The buffered body as a String ("" when the request had no input stream or the read failed). */
public String getBody() {
return ;
}
}
package ;
import ;
import ;
import ;
import ;
import ;
/**
* JSON helpers over a fastjson-style API (see stringToJsonByFastjson).
*
* NOTE(review): jsonToBean/jsonToMap parse text that, in this application, comes
* from the HTTP request (SessionInterceptor / XssFilter). If the library is
* fastjson, make sure autoType is disabled and the version is current: older
* fastjson builds deserialize an attacker-supplied "@type" into arbitrary
* classes. Jackson with default typing off, or a fastjson version with safeMode,
* is the usual replacement.
*/
public class JSONUtils {
/**
* Bean to JSON, with an optional date format.
*
* @param object bean to serialize; null yields null
* @param dataFormatString date pattern; when blank the plain serializer is used
* @return JSON text, or null when object is null
*/
public static String beanToJson(Object object, String dataFormatString) {
if (object != null) {
if ((dataFormatString)) {
return (object);
}
return (object, dataFormatString);
} else {
return null;
}
}
/**
* Bean to JSON with the default serializer.
*
* @param object bean to serialize; null yields null
* @return JSON text, or null when object is null
*/
public static String beanToJson(Object object) {
if (object != null) {
return (object);
} else {
return null;
}
}
/**
* Single key/value pair to a JSON object string.
*
* @param key JSON key; blank yields null
* @param value JSON value; blank yields null
* @return {"key":"value"} as text, or null
*/
public static String stringToJsonByFastjson(String key, String value) {
if ((key) || (value)) {
return null;
}
Map<String, String> map = new HashMap<String, String>();
(key, value);
return beanToJson(map, null);
}
/**
* JSON text to an object.
*
* @param json JSON text; blank yields null
* @param clazz NOTE(review): typed Object, and the call below appears to take its
* runtime class, so callers must pass an instance of the target type;
* a Class literal would target Class itself. Verify against callers;
* a Class&lt;T&gt; parameter would make the intent explicit.
* @return the parsed object, or null
*/
public static Object jsonToBean(String json, Object clazz) {
if ((json) || clazz == null) {
return null;
}
return (json, ());
}
/**
* JSON text to a String-keyed map.
*
* @param json JSON text; blank yields null
* @return the parsed map, or null
*/
@SuppressWarnings("unchecked")
public static Map<String, Object> jsonToMap(String json) {
if ((json)) {
return null;
}
return (json, );
}
/** Wrap a (raw) Map as a JSONObject. Method name is not lowerCamelCase. */
public static JSONObject MapToJson(Map m){
JSONObject json = new JSONObject(m);
return json;
}
/** JSONObject to its text form. Method name is not lowerCamelCase. */
public static String JsonToString(JSONObject json){
return ();
}
}
package ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import .;
import .;
import .;
import ;
/**
*
* "Illegal character" filter meant to stop SQL injection and XSS by rejecting
* request bodies that contain denylisted substrings (see checkSQLInject).
*
* NOTE(review): a substring denylist is not a defence against either problem.
* SQL injection is prevented by parameterised queries in the data layer and XSS
* by output encoding in the templates; this filter is defence-in-depth at most.
* As written it also has gaps visible in this file:
* - only string values found by getvalue(body) are checked; query-string and
* form parameters (request.getParameterMap()) are never inspected, despite
* the comment in doFilter;
* - getvalue only recognises the exact two-character sequence ':"', so a space
* after the colon, a value inside a JSON array, a key, an escaped quote or a
* non-JSON (form) body is never examined;
* - excluded URLs are matched with indexOf, so any path that merely contains an
* excluded string is exempt;
* - errorResponse echoes the rejected value unescaped into what is set as a
* text/html response -- a reflected XSS, since the value was rejected precisely
* because it contains markup characters;
* - xssEncode and noticeUrls/isNoticeUrl are computed but never used.
*
*/
public class XssFilter implements Filter {
private static final Logger logger = ();
/**
* URLs excluded from filtering (loaded from a file in init()).
* NOTE(review): matched by substring in doFilter -- see class note.
*/
private List<String> excludeUrls = new ArrayList<String>();
/**
* Notice create/update URLs carry rich text and were meant to have tags escaped
* (xssEncode) rather than rejected. NOTE(review): isNoticeUrl is set in doFilter
* but nothing reads it, so these URLs are currently filtered like any other.
*/
private List<String> noticeUrls = new ArrayList<String>();
public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
throws IOException, ServletException {
("================进入过滤器======================");
HttpServletResponse response = (HttpServletResponse) arg1;
ServletRequest req = null;
if(arg0 instanceof HttpServletRequest) {
// Replace the request with a re-readable wrapper so the body can be read here
// and again by the controller.
req = new RequestWrapper((HttpServletRequest) arg0);
// Read the @RequestBody / POST body
String body = ((RequestWrapper) req).getBody();
// NOTE(review): the full body of every request is logged here, before the
// exclusion check below, so even excluded endpoints such as a login form are
// logged. Credentials and other secrets end up in the log; remove this or
// reduce it to DEBUG with redaction.
("过滤器输出body:" + body);
HttpServletRequest req1 = (HttpServletRequest) req;
String pathInfo = () == null ? "" : ();
String url = () + pathInfo;
String uri = ();
boolean isNoticeUrl = false;
// Excluded URLs skip the check entirely.
// NOTE(review): indexOf(str) >= 0 is a substring match; prefer an exact or
// prefix match on the normalised path.
for (String str : excludeUrls) {
if ((str) >= 0) {
("该URL不作校验:" + url);
(req, response);
return;
}
}
// Rich-text URLs (value is computed but not used further -- see class note)
for (String st : noticeUrls) {
if ((st) >= 0) {
isNoticeUrl = true;
break;
}
}
// Extract the string values from the JSON body (see getvalue for its limits)
List<String> ll=getvalue(body);
// Check each extracted value against the denylist.
// NOTE(review): only body values are checked; req1.getParameterMap() is never
// consulted, so query-string and form parameters bypass the filter.
if(ll!=null){
for(String ss:ll) {
// Reject on the first denylisted value
if (checkSQLInject(ss, url)) {
errorResponse(response, ss);
return;
}
}}
}
if(req == null) {
(arg0, response);
} else {
(req, response);
}
}
/**
* Pulls string values out of a JSON body by scanning for the two-character
* sequence ':"' and taking everything up to the next '"'.
*
* NOTE(review): this is not a JSON parser. Visible gaps:
* - a space between ':' and '"' (valid JSON) means the value is skipped;
* - escaped quotes are not handled, so a value is cut at the first backslash-quote;
* - keys, array elements and non-string values are never examined;
* - if no closing quote follows, indexOf returns -1 and the substring call
* throws StringIndexOutOfBoundsException out of the filter; a body ending in
* ':' indexes past the end the same way;
* - bodies of 5 characters or fewer return null and are never checked.
* Parse with the JSON library already on the classpath (see JSONUtils) and walk
* the resulting tree instead.
*
* @param str request body
* @return extracted values (possibly empty), or null for bodies of length <= 5
*/
public List<String> getvalue(String str){
int len=();
if(len>5){
List<String> l=new ArrayList<String>();
for(int i=0;i<len;i++){
if((i)==':'){
i++;
if((i)=='"'){
int ii=('"', i+1);
((i+1, ii));
i=ii;
}
}
}
return l;
}
else return null;
}
/**
* Writes the rejection message and ends the response.
*
* NOTE(review): reflected XSS. paramvalue is the value that was just rejected for
* containing characters such as '<', '>' or '"', and it is written unescaped into
* a text/html response, so a browser renders any markup in it. Either do not echo
* the value at all, or build the message with the JSON library and send it as
* application/json; a '"' in the value also breaks the hand-built JSON here.
* No status code is set, so this presumably goes out as 200; a 400 would let
* clients and proxies distinguish the rejection.
*
* @param response response to write to
* @param paramvalue the rejected value
*/
private void errorResponse(HttpServletResponse response, String paramvalue) throws IOException {
String warning = "输入项中不能包含非法字符。";
("text/html; charset=UTF-8");
PrintWriter out = ();
("{\"httpCode\":\"-9998\",\"msg\":\"" + warning + "\", \"输入值\": \"" +paramvalue + "\"}");
();
();
}
public void destroy() {
}
/**
* Loads the exclusion list from a file under the classpath root and registers
* the two rich-text notice URLs.
*
* NOTE(review): the file name appended to {@code path} is blank in this listing,
* so the exclusion source cannot be confirmed here. getResource("/").getFile()
* is a usable filesystem path only when the classes are exploded on disk; inside
* a packaged jar/war it is not, and readFile() then returns an empty list
* (f.exists() is false) -- which at least fails closed.
*/
public void init(FilterConfig filterconfig1) throws ServletException {
// Read the exclusion file
String path = ("/").getFile();
excludeUrls = readFile(path + "");
("notice!saveNotice");
("notice!updateNoticeById");
}
/**
* Reads the exclusion list: one entry per non-empty line, UTF-8.
*
* @param fileName path of the list file; a missing or non-regular file yields an empty list
* @return the entries read (never null)
*/
private List<String> readFile(String fileName) {
List<String> list = new ArrayList<String>();
BufferedReader reader = null;
FileInputStream fis = null;
try {
File f = new File(fileName);
if (() && ()) {
fis = new FileInputStream(f);
reader = new BufferedReader(new InputStreamReader(fis, "UTF-8"));
String line;
while ((line = ()) != null) {
// Only exactly-empty lines are dropped; whitespace-only lines are kept as entries.
if (!"".equals(line)) {
(line);
}
}
}
} catch (Exception e) {
("readFile", e);
} finally {
try {
if (reader != null) {
();
}
} catch (IOException e) {
("InputStream关闭异常", e);
}
try {
if (fis != null) {
();
}
} catch (IOException e) {
("FileInputStream关闭异常", e);
}
}
return list;
}
/**
* Replaces characters significant to HTML/SQL with full-width look-alikes.
*
* NOTE(review): private and never called -- the rich-text path it was written for
* (noticeUrls) is not wired up. In this listing several replacement literals
* appear as the plain ASCII character they are meant to replace (the '>' case
* appends '>'), and the backslash case is an unterminated char literal, so the
* method as shown is partly a no-op and does not compile; presumably the
* full-width characters were normalised when the page was extracted. If it is
* revived, prefer a standard HTML encoder over look-alike substitution.
*
* @param s text to encode; null or empty is returned unchanged
* @return encoded text
*/
private String xssEncode(String s) {
if (s == null || ()) {
return s;
}
/*("||", "");
("|", "");
(regex, replacement)*/
StringBuilder sb = new StringBuilder(() + 16);
for (int i = 0; i < (); i++) {
char c = (i);
switch (c) {
case '>':
('>');// intended: full-width greater-than
break;
case '<':
('<');// intended: full-width less-than
break;
case '\'':
('‘');// intended: full-width single quote
break;
case '\"':
('“');// intended: full-width double quote
break;
case '&':
('&');// intended: full-width ampersand
break;
case '\\':
('\');// intended: full-width backslash (char literal is broken as shown)
break;
case '#':
('#');// intended: full-width hash
break;
case '(':
('(');// intended: full-width left parenthesis
break;
case ')':
(')');// intended: full-width right parenthesis
break;
default:
(c);
break;
}
}
return ();
}
/**
* Denylist check: true when the lower-cased input contains any entry of
* inj_stra (SQL keywords, HTML/JS fragments and punctuation).
*
* NOTE(review): the list rejects ',', '(', ')', '"', '\'' and ordinary words such
* as "update", "select", "mid", "master", so legitimate text ("please update the
* master list, thanks") is blocked while anything not on the list passes.
* Denylists are bypassed by encoding, case/Unicode tricks and keywords that are
* simply not listed; real protection is parameterised SQL and output encoding.
* If the check is kept:
* - "'" appears twice in the list;
* - toLowerCase() with the default locale is locale-dependent (Turkish 'I'
* does not fold to 'i'); use toLowerCase(Locale.ROOT);
* - the full offending value is logged together with the URL.
*
* @param str value to check
* @param url request path, for the log message only
* @return true when a denylisted substring is present, false otherwise
* (blank input is treated as clean)
*/
public static boolean checkSQLInject(String str, String url) {
if ((str)) {
return false;// blank input is treated as free of illegal characters
}
// Denylist
String[] inj_stra = { "script", "mid", "master", "truncate", "insert", "select", "delete", "update", "declare",
"iframe", "'", "onreadystatechange", "alert", "atestu", "xss", ";", "'", "\"", "<", ">", "(", ")", ",",
"\\", "svg", "confirm", "prompt", "onload", "onmouseover", "onfocus", "onerror" };
str = (); // SQL is case-insensitive (default-locale lower-casing, see note)
for (int i = 0; i < inj_stra.length; i++) {
if ((inj_stra[i]) >= 0) {
("xss防攻击拦截url:" + url + ",原因:特殊字符,传入str=" + str + ",包含特殊字符:" + inj_stra[i]);
return true;
}
}
return false;
}
}