@Author Jacky Wang
轉載請注明出處 http://www.reibang.com/p/54204da0222d
在Spring中也可以這樣使用.
2018年09月10日,第一次補充更新。
一、在SpringBoot中使用Filter過濾器
1. 添加依賴
2. 自定義一個類實現Filter接口
3. 使用@SpringBootConfiguration作為配置類交Spring管理
4. 使用@WebFilter注解
注意:
@WebFilter注解中urlPatterns過濾路徑配置不支持(此處過濾器是作為Spring Bean注冊的,而不是通過@ServletComponentScan掃描注冊,因此urlPatterns不會生效,過濾器會作用於所有請求)。
因此采用其他方式實現對路徑過濾的控制。
代碼如下。
1. 添加依賴
pom:
<!-- NOTE(review): both artifacts below supply javax.servlet classes. servlet-api 2.5 predates
     Servlet 3.0, the level that introduced @WebFilter, so keeping it next to tomcat-servlet-api
     can put two different API levels on the compile classpath; confirm which one is really needed. -->
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-servlet-api</artifactId>
<version>8.0.36</version>
<scope>provided</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.servlet/servlet-api -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
2. 自定義過濾器
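/**
 * Servlet filter skeleton that separates requests into "exempt from XSS processing" and
 * "needs XSS processing" by comparing the request path with a fixed allow-list.
 *
 * <p>NOTE(review): Spring Boot applies the attributes of {@code @WebFilter} only to classes
 * discovered through {@code @ServletComponentScan}. A filter registered as an ordinary bean is
 * mapped to every request, which is presumably why the path decision is made by hand below.
 */
@SpringBootConfiguration
@WebFilter(filterName = "XssFilter",urlPatterns = {"/*"})
@Order(value = 1)
public class XssFilter implements Filter {

    /** URIs that are passed through without XSS processing (payment callbacks and gateway). */
    private static final Set<String> ALLOWED_PATHS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("/pay/wxNotify", "/pay/alNotify", "/pay/gateway")));

    /** No initialisation is required. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // intentionally empty
    }

    /**
     * Forwards allow-listed paths unchanged; every other path reaches the processing branch.
     *
     * @param req   incoming request, expected to be an {@code HttpServletRequest}
     * @param resp  outgoing response
     * @param chain remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Path relative to the context root, with trailing slashes removed. getRequestURI() is the
        // raw, undecoded URI, so only an exact spelling of an allow-listed path skips processing;
        // any variant falls into the processing branch.
        String path = request.getRequestURI()
                .substring(request.getContextPath().length())
                .replaceAll("[/]+$", "");

        if (ALLOWED_PATHS.contains(path)) {
            System.out.println("這里是不需要處理的url進入的方法");
            // The original passed an undeclared variable `res` here; the response parameter is `resp`.
            chain.doFilter(req, resp);
        } else {
            System.out.println("這里是需要處理的url進入的方法");
            // Tutorial placeholder: nothing is forwarded from this branch, so the request ends here
            // with an empty response. A working filter would wrap the request (for example in an
            // HttpServletRequestWrapper that sanitises parameter values) and pass that wrapper to
            // chain.doFilter(...).
        }
    }

    /** No resources to release. */
    @Override
    public void destroy() {
        // intentionally empty
    }
}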
PS:
1. @Order中的value越小,優先級越高。
2. ALLOWED_PATHS是一個集合,存放的是不需要過濾的URL
二、在SpringBoot中使用Interceptor攔截器
1. 添加依賴
2. 自定義一個攔截器實現HandlerInterceptor,實現preHandle,postHandle,afterCompletion三個方法。
3. 自定義攔截器配置類繼承自WebMvcConfigurerAdapter,重寫addInterceptors將自定義的攔截器添加至注冊中心。
示例代碼如下:
1. 添加依賴
<!-- NOTE(review): both artifacts below supply javax.servlet classes at different API levels
     (tomcat-servlet-api 8.0.36 and servlet-api 2.5); declaring both can leave two versions of
     the same classes on the compile classpath. Confirm which one the project actually needs. -->
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-servlet-api</artifactId>
<version>8.0.36</version>
<scope>provided</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.servlet/servlet-api -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
2. 自定義攔截器
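/**
 * Interceptor that screens the request parameters of handler methods annotated with
 * {@code XssInterceptor}: a value flagged by {@code judgeSQLInject} aborts the request, and every
 * other value is handed to {@code clearXss}.
 *
 * <p>NOTE(review): {@code judgeSQLInject} and {@code clearXss} are not shown on this page and must
 * be supplied for the class to compile. Only values returned by {@code getParameterValues} are
 * examined; request bodies, headers and path variables are not. Keyword screening of this kind is
 * a secondary control and does not replace parameterised queries or output encoding.
 */
public class SqlInjectAndXssInterceptor implements HandlerInterceptor {

    /** No work after the request completes. */
    @Override
    public void afterCompletion(HttpServletRequest arg0, HttpServletResponse arg1, Object arg2, Exception arg3)
            throws Exception {
    }

    /** No work after the handler returns. */
    @Override
    public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1, Object arg2, ModelAndView arg3)
            throws Exception {
    }

    /**
     * Screens request parameters before an annotated handler method runs.
     *
     * @param request  current request
     * @param response current response; receives an error message when the request is rejected
     * @param handler  chosen handler; anything other than a {@code HandlerMethod} is let through
     * @return {@code false} when a parameter value is flagged by {@code judgeSQLInject},
     *         {@code true} otherwise
     * @throws Exception propagated from the response writer or the helper methods
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // Requests that are not mapped to a controller method pass straight through.
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }

        Method method = ((HandlerMethod) handler).getMethod();
        // Screening is opt-in: only methods carrying the annotation are checked.
        if (method.getAnnotation(XssInterceptor.class) == null) {
            return true;
        }

        Enumeration<String> parameterNames = request.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = parameterNames.nextElement();
            for (String value : request.getParameterValues(name)) {
                // Lower-case with a fixed locale: the default-locale overload maps 'I' to a
                // dotless 'ı' under a Turkish locale, which would let upper-case keywords slip
                // past a lower-case keyword comparison.
                if (judgeSQLInject(value.toLowerCase(java.util.Locale.ROOT))) {
                    response.setContentType("text/html;charset=UTF-8");
                    response.getWriter().print("參數含有非法攻擊字符,已禁止繼續訪問");
                    return false;
                }
                // NOTE(review): the return value is discarded and String is immutable, so unless
                // clearXss has side effects not visible here, the handler still receives the
                // original value. Cleaning a parameter needs a request wrapper (servlet filter)
                // or encoding at output time.
                clearXss(value);
            }
        }
        return true;
    }
}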
3. 添加攔截器到注冊中心
/**
 * MVC configuration that exposes the SQL-injection/XSS interceptor as a bean and attaches it to
 * every request path.
 */
@SpringBootConfiguration
public class WebMVCInterceptors extends WebMvcConfigurerAdapter {

    /**
     * Creates the interceptor instance managed by Spring.
     *
     * @return a new {@code SqlInjectAndXssInterceptor}
     */
    @Bean
    public SqlInjectAndXssInterceptor sqlInjectAndXssInterceptor() {
        return new SqlInjectAndXssInterceptor();
    }

    /**
     * Registers the interceptor for all paths, then delegates to the adapter.
     *
     * @param registry registry supplied by Spring MVC
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        SqlInjectAndXssInterceptor screening = sqlInjectAndXssInterceptor();
        // "/**" covers every path; the interceptor itself decides per handler method.
        registry.addInterceptor(screening).addPathPatterns("/**");
        super.addInterceptors(registry);
    }
}
三、【推薦】使用配置類動態添加攔截器及過濾路徑
- 添加Maven依賴
- 編寫自定義攔截器(實現HandlerInterceptor接口)
- 繼承WebMvcConfigurerAdapter實現攔截器注冊類
- 編寫攔截器配置類,動態(tài)配置攔截器及路徑攔截
1. 添加Maven依賴
<!-- No <version> is given here; presumably it is managed by the Spring Boot parent POM or BOM
     (not shown on this page). Confirm before copying the snippet into a project without one. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
2. 編寫自定義攔截器,eg:UserLoginInterceptor
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
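/**
 * Login interceptor: resolves the caller's token to a user through {@code RedisService} and
 * rejects the request with a JSON body when no token is supplied or no user is found for it.
 *
 * @author wwj
 * @date 2018-08-01 22:29:21
 */
@Component
@SuppressWarnings("rawtypes")
public class UserLoginInterceptor implements HandlerInterceptor {

    private static final Logger logger = LoggerFactory.getLogger(UserLoginInterceptor.class);

    @Autowired
    private RedisService redisService;

    /**
     * Checks the token before the handler runs and stores the resolved user on the request.
     *
     * @param request  current request; the token is read from a parameter, then from a header
     * @param response current response; receives the JSON error body on rejection
     * @param handler  chosen handler (unused)
     * @return {@code true} when a user was found for the token, {@code false} otherwise
     * @throws Exception propagated from the token lookup
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // Pre-build the "not logged in" answer; only its message differs between failure cases.
        DreamResponse json = new DreamResponse();
        json.setCode(ForeverConst.CodeStatus.NOT_LOGIN);
        json.setStatus(ForeverConst.FAIL);

        // NOTE(review): a token accepted as a request parameter can end up in the query string,
        // and from there in access logs, browser history and Referer headers. Prefer the header
        // and consider retiring the parameter form.
        String token = request.getParameter(ForeverConst.UserStatus.TOKEN);
        if (StringUtils.isEmpty(token)) {
            token = request.getHeader(ForeverConst.UserStatus.TOKEN);
        }
        if (StringUtils.isEmpty(token)) {
            json.setMsg("token值為空!");
            return this.showTip(response, json);
        }

        User user = redisService.getUserInfoByToken(token);
        // Plain null check: StringUtils.isEmpty(Object) on a non-String only ever tests for null.
        if (user == null) {
            json.setMsg("token值已過期請重新獲取token值登錄!");
            return this.showTip(response, json);
        }

        request.setAttribute(ForeverConst.UserStatus.LOGIN_USER, user);
        return true;
    }

    /** No work after the handler returns. */
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) throws Exception {
        // intentionally empty
    }

    /** No work after the request completes. */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
            throws Exception {
        // intentionally empty
    }

    /**
     * Writes the given response object as JSON and ends request processing.
     *
     * @param response response to write to
     * @param json     payload serialised with {@code FastJsonUtils}
     * @return always {@code false}, so callers can return it directly from {@code preHandle}
     */
    private boolean showTip(HttpServletResponse response, DreamResponse json) {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/json; charset=utf-8");
        // try-with-resources closes the writer on every path.
        try (PrintWriter out = response.getWriter()) {
            out.append(FastJsonUtils.toJSONString(json));
        } catch (IOException e) {
            // The exception is passed as the trailing argument so SLF4J logs its stack trace;
            // the original "{}" placeholder was never filled.
            logger.error("攔截器錯誤", e);
        }
        return false;
    }
}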
3. 實現攔截器注冊類
import java.util.ArrayList;
import java.util.List;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
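/**
 * Interceptor registration class: collects interceptors together with the path patterns they
 * apply to and the patterns they skip, and registers them with Spring MVC.
 *
 * @author wwj
 * @date 2018-08-01 22:29:06
 */
public class WebMVCInterceptors extends WebMvcConfigurerAdapter {

    private List<String> inpathPatterns = new ArrayList<String>();
    private List<String> expathPatterns = new ArrayList<String>();
    private List<HandlerInterceptor> interceptorlist = new ArrayList<HandlerInterceptor>();

    /**
     * Registers every collected interceptor with the same include and exclude patterns.
     *
     * @param registry registry supplied by Spring MVC
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        String[] included = inpathPatterns.toArray(new String[0]);
        String[] excluded = expathPatterns.toArray(new String[0]);
        for (HandlerInterceptor intercept : interceptorlist) {
            registry.addInterceptor(intercept)
                    .addPathPatterns(included)
                    .excludePathPatterns(excluded);
        }
    }

    /**
     * Cross-origin (CORS) configuration.
     *
     * <p>NOTE(review): a wildcard origin on every path lets a script from any website call these
     * endpoints and read the responses. For anything beyond a demo, list the known front-end
     * origins instead of {@code "*"}.
     *
     * @param registry registry supplied by Spring MVC
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").allowedOrigins("*");
    }

    /**
     * Sets the path patterns the interceptors apply to.
     *
     * @param inpathPatterns include patterns; {@code null} is treated as an empty list
     * @return this instance, for chaining
     */
    public WebMVCInterceptors setInpathPatterns(List<String> inpathPatterns) {
        this.inpathPatterns = copyOrEmpty(inpathPatterns);
        return this;
    }

    /**
     * Sets the path patterns the interceptors skip.
     *
     * @param expathPatterns exclude patterns; {@code null} is treated as an empty list
     * @return this instance, for chaining
     */
    public WebMVCInterceptors setExpathPatterns(List<String> expathPatterns) {
        this.expathPatterns = copyOrEmpty(expathPatterns);
        return this;
    }

    /**
     * Adds an interceptor to be registered.
     *
     * @param interceptor interceptor to register
     * @return this instance, for chaining
     */
    public WebMVCInterceptors addHandlerInterceptor(HandlerInterceptor interceptor) {
        interceptorlist.add(interceptor);
        return this;
    }

    /**
     * Copies the caller's list so later changes to it cannot alter the registered patterns, and
     * so a null argument does not surface as a NullPointerException during registration.
     */
    private static List<String> copyOrEmpty(List<String> patterns) {
        return patterns == null ? new ArrayList<String>() : new ArrayList<String>(patterns);
    }
}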
4. 攔截器配置類
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringBootConfiguration;
import org.springframework.context.annotation.Bean;
import cn.interceptor.UserLoginInterceptor;
import cn.interceptor.WebMVCInterceptors;
/**
 * Interceptor configuration: wires the login interceptor to the path prefixes it protects.
 *
 * <p>NOTE(review): protection is opt-in by prefix. A controller mapped outside the prefixes listed
 * in {@link #webMVCInterceptors()} is not checked by the login interceptor, so new endpoints have
 * to be added here explicitly.
 *
 * @author wwj
 * @date 2018-08-07 14:21:49
 */
@SpringBootConfiguration
public class InterceptorConfig {

    /** User login interceptor, injected by Spring. */
    @Autowired
    private UserLoginInterceptor userLoginInterceptor;

    /**
     * Builds the registration bean with the protected and the exempt path patterns.
     *
     * @return the configured {@code WebMVCInterceptors}
     */
    @Bean
    public WebMVCInterceptors webMVCInterceptors() {
        // Paths that require a valid login token.
        List<String> guarded = new ArrayList<String>();
        String[] guardedPrefixes = {
            "/container/**", "/customer/**", "/device/**", "/product/**", "/user/**", "/command/**"
        };
        for (String prefix : guardedPrefixes) {
            guarded.add(prefix);
        }

        // Paths under a guarded prefix that stay reachable without a token.
        List<String> open = new ArrayList<String>();
        for (String path : new String[] {"/user/login", "/user/logout"}) {
            open.add(path);
        }

        WebMVCInterceptors registrar = new WebMVCInterceptors();
        registrar.setInpathPatterns(guarded);
        registrar.setExpathPatterns(open);
        registrar.addHandlerInterceptor(userLoginInterceptor);
        return registrar;
    }
}
如上,若要新增配置類,只需要自定義攔截器,在攔截器配置類中新增攔截器及相應的攔截路徑即可.