servlet过滤器防xss,sql注入.filter里修改parameter参数

浏览： ℃

字体：大中小

发布时间：2013-12-12 14:51:00

来源：

这中间起到最关键作用的就是HttpServletRequestWrapper

首先创建一个类继承HttpServletRequestWrapper。然后重写getAttribute,getParameter,getParameterValues,getParameterMap这几个方法。

public class OpRequestWrap extends HttpServletRequestWrapper {    public OpRequestWrap(HttpServletRequest request) {        super(request);    }    private String format(String name) {        return StringUtils.replaceEach(name,//                new String[]{"/"","'","<",">"},             //                new String[]{""","′","<",">"});        //return StringEscapeUtils.escapeHtml4(name);    }    /**     *     * @param name     * @return     */    public Object getAttribute(String name) {        Object value = super.getAttribute(name);        if (value instanceof String) {            value = format(String.valueOf(value));        }        return value;    }    /**     * 重写getParameter方法     *     * @param name     * @return     */    public String getParameter(String name) {        String value = super.getParameter(name);        if (value == null)            return null;        return format(value);    }    /**     *     * @param name     * @return     */    public String[] getParameterValues(String name) {        String[] values = super.getParameterValues(name);        if (values != null) {            for (int i = 0; i < values.length; i++) {                values[i] = format(values[i]);            }        }        return values;    }    /**     * @return     */    public Map getParameterMap() {        HashMap paramMap = (HashMap) super.getParameterMap();        paramMap = (HashMap) paramMap.clone();        for (Iterator iterator = paramMap.entrySet().iterator(); iterator.hasNext(); ) {            Map.Entry entry = (Map.Entry) iterator.next();            String [] values = entry.getValue();            for (int i = 0; i < values.length; i++) {                if(values[i] instanceof String){                    values[i] = format(values[i]);                }            }            entry.setValue(values);        }        return paramMap;    }}

然后配置一个过滤器;

   @Override    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {        filterChain.doFilter(new OpRequestWrap((HttpServletRequest) servletRequest),servletResponse);    }

请仔细看doFilter里面的request，这一步也很重要。它是对request进行包装，才能起到修改request中参数，属性的功能。