springboot 项目前后端接口,防止xss攻击以及跨域问题解决

1、启动类添加注解

@ServletComponentScan

2、cors的拦截类

package com.longfor.hrssc.api.config;

import com.longfor.hrssc.common.util.ResultUtils;

import org.springframework.beans.factory.annotation.Value;

import org.springframework.context.annotation.PropertySource;

import org.springframework.stereotype.Component;

import javax.servlet.*;

import javax.servlet.annotation.WebFilter;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

import java.util.Arrays;

import java.util.HashSet;

import java.util.Set;

@Component

@PropertySource("classpath:application-dev.yml")

@WebFilter(urlPatterns = "/*", filterName = "CorsFilter")

public class CorsFilter implements Filter {

    @Value("${bpm.fiter.domain}")

    private String allowDomains;

    @Override

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletResponse response = (HttpServletResponse) res;

        HttpServletRequest reqs = (HttpServletRequest) req;

        // 设置允许多个域名请求

        //String[] allowDomains = {"http://www.xxxx.xin","http://xxxx:8080","http://localhost:8080"};

        String[] allowDomain = allowDomains.split(",");

        Set allowOrigins = new HashSet(Arrays.asList(allowDomain));

        String curOrigin = reqs.getHeader("Origin");

        /*if("null".equalsIgnoreCase(curOrigin)){

            curOrigin = "http://xxxxxx:8888";

        }*/

        if(allowOrigins.contains(curOrigin) || null == curOrigin){

            //设置允许跨域的配置

            // 这里填写你允许进行跨域的主机ip(正式上线时可以动态配置具体允许的域名和IP)

            response.setHeader("Access-Control-Allow-Origin", curOrigin);

            response.setHeader("Access-Control-Allow-Credentials", "true");

            //response.setHeader("Access-Control-Allow-Methods", "POST, GET, PATCH, DELETE, PUT");

            response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH");

            response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, token");

            chain.doFilter(reqs, response);

        }else{

            throw new IOException(ResultUtils.doFilter().toString());

        }

    }

    @Override

    public void init(FilterConfig filterConfig) {}

    @Override

    public void destroy() {}

}

3、xss相关类

XssFilter
package com.longfor.hrssc.api.config;

import javax.servlet.*;

import javax.servlet.annotation.WebFilter;

import javax.servlet.http.HttpServletRequest;

import java.io.IOException;

/** * XSS过滤器 * @author Jozz */

@WebFilter(filterName="xssFilter",urlPatterns="/*")

public class XssFilter implements Filter {

    @Override

    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override

    public void doFilter(ServletRequest servletRequest,

                                   ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest)servletRequest; String path = request.getServletPath();

        //由于我的@WebFilter注解配置的是urlPatterns="/*"(过滤所有请求),所以这里对不需要过滤的静态资源url,作忽略处理(大家可以依照具体需求配置)

        String[] exclusionsUrls = {".js",".gif",".jpg",".png",".css",".ico"};

        for (String str : exclusionsUrls) {

            if (path.contains(str)) {

                filterChain.doFilter(servletRequest,servletResponse);

                return;

            }

        }

        filterChain.doFilter(new XssHttpServletRequestWrapper(request),servletResponse);

    }

    @Override public void destroy() {

    }

}
XssHttpServletRequestWrapper

package com.longfor.hrssc.api.config;

/**

 * Created by 裴帅楠 on 2019/7/10.

 */

import com.alibaba.fastjson.JSON;

import org.apache.commons.lang3.StringEscapeUtils;

import org.apache.commons.lang3.StringUtils;

//import org.apache.commons.text.StringEscapeUtils;

import javax.servlet.ReadListener;

import javax.servlet.ServletInputStream;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

import java.io.*; import java.nio.charset.Charset;

import java.util.ArrayList;

import java.util.HashMap;

import java.util.List;

import java.util.Map;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

/** * ServletRequest包装类,对request做XSS过滤处理

 * @author Jozz

 *

 * */

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {

        super(request);

    }

        @Override

        public String getHeader(String name) {

        return StringEscapeUtils.escapeHtml4(super.getHeader(name));

    }

    @Override

    public String getQueryString() {

        return StringEscapeUtils.escapeHtml4(super.getQueryString());

    }

    @Override public String getParameter(String name) {

        return StringEscapeUtils.escapeHtml4(super.getParameter(name));

    }

    @Override

    public String[] getParameterValues(String name) {

        String[] values = super.getParameterValues(name);

        if(values != null) {

            int length = values.length;

            String[] escapseValues = new String[length];

            for(int i = 0; i < length; i++){

                escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);

            }

            return escapseValues;

        }

        return values;

    }

    @Override

    public ServletInputStream getInputStream() throws IOException {

        String str=getRequestBody(super.getInputStream());

        Map<String,Object> map= JSON.parseObject(str,Map.class);

        Map<String,Object> resultMap=new HashMap<>(map.size());

        for(String key:map.keySet()){

            Object val=map.get(key);

            if(null != val){

                stripXss(val.toString());

            }

            if(map.get(key) instanceof String){

                resultMap.put(key,StringEscapeUtils.escapeHtml4(val.toString()));

            }else{

                resultMap.put(key,val);

            }

        }

        str=JSON.toJSONString(resultMap);

        final ByteArrayInputStream bais = new ByteArrayInputStream(str.getBytes());

        return new ServletInputStream() {

            @Override

            public int read() throws IOException {

                return bais.read();

            }

            @Override

            public boolean isFinished() {

                return false;

            }

            @Override

            public boolean isReady() {

                return false;

            }

            @Override

            public void setReadListener(ReadListener listener) {

            }

        };

    }

    private String getRequestBody(InputStream stream) {

        String line = "";

        StringBuilder body = new StringBuilder();

        int counter = 0;

        // 读取POST提交的数据内容

        BufferedReader reader = new BufferedReader(new InputStreamReader(stream, Charset.forName("UTF-8")));

        try {

            while ((line = reader.readLine()) != null) {

                body.append(line); counter++;

            }

        } catch (IOException e) {

            e.printStackTrace();

        } return body.toString();

    }

    private static List<Pattern> patterns = null;

    public static String stripXss(String value) {

        if(StringUtils.isNotBlank(value)) {

            Matcher matcher = null;

            for(Pattern pattern : getPatterns()) {

                matcher = pattern.matcher(value);

                // 匹配

                if(matcher.find()) {

                    // 删除相关字符串

                    value = matcher.replaceAll("");

                }

            }

            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");

        }

       /* if (LOG.isDebugEnabled()) {

          LOG.debug("strip value: " + value); return value;

        }*/

        return value;

    }

    private static List<Object[]> getXssPatternList() {

        List<Object[]> ret = new ArrayList<Object[]>();

        ret.add(new Object[]{"<(no)?script[^>]*>.*?</(no)?script>", Pattern.CASE_INSENSITIVE});

        ret.add(new Object[]{"eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"(javascript:|vbscript:|view-source:)*", Pattern.CASE_INSENSITIVE});

        ret.add(new Object[]{"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        return ret;

    }

    private static List<Pattern> getPatterns() {

        if (patterns == null) {

            List<Pattern> list = new ArrayList<Pattern>();

            String regex = null;

            Integer flag = null;

            int arrLength = 0;

            for(Object[] arr : getXssPatternList()) {

                arrLength = arr.length; for(int i = 0; i < arrLength; i++) {

                    regex = (String)arr[0]; flag = (Integer)arr[1]; list.add(Pattern.compile(regex, flag));

                }

            }

            patterns = list;

        }

        return patterns;

    }

}

4、yml中配置

#bpm域名过滤

bpm:

  fiter:

    domain: http://xxx.sit,https://xxxxx.net:8089,http://xxxxx.sit:8088,http://xxxxx:8888,https://xxxxx:8443

5、返回

/**

     *  跨域白名单

     * @return

     */

    public static ResultUtils doFilter() {

        return new ResultUtils(Constants.doFilterCode, Constants.doFilterException, null);

    }

6、自定义code

public static final int doFilterCode  = 403;

public static final String doFilterException = "请申请IP白名单";
												


											
springboot自定义CORS&XSS拦截器的更多相关文章
	

    
								
  1. spring boot集成swagger,自定义注解,拦截器,xss过滤,异步调用,guava限流,定时任务案例, 发邮件
		
    本文介绍spring boot集成swagger,自定义注解,拦截器,xss过滤,异步调用,定时任务案例 集成swagger--对于做前后端分离的项目,后端只需要提供接口访问,swagger提供了接口 ...
    
		
    2. 
						
  2. SpringBoot从零单排 ------ 拦截器的使用
		
    在项目开发中我们常常需要对请求进行验证,如登录校验.权限验证.防止重复提交等等,通过拦截器来过滤请求.自定义一个拦截器需要实现HandlerInterceptor接口.代码如下: import org ...
    
		
    3. 
						
  3. springboot(五)过滤器和拦截器
		
    前言 过滤器和拦截器二者都是AOP编程思想的提现,都能实现诸如权限检查.日志记录等.二者有一定的相似之处,不同的地方在于: Filter是servlet规范,只能用在Web程序中,而拦截器是Sprin ...
    
		
    4. 
						
  4. SpringBoot静态资源访问+拦截器+Thymeleaf模板引擎实现简单登陆
		
    在此记录一下这十几天的学习情况,卡在模板引擎这里已经是四天了. 对Springboot的配置有一个比较深刻的认识,在此和大家分享一下初学者入门Spring Boot的注意事项,如果是初学SpringB ...
    
		
    5. 
						
  5. springBoot 2.X-自定义拦截器
		
    package com.cx.springboot.myInter; import javax.servlet.http.HttpServletRequest; import javax.servle ...
    
		
    6. 
						
  6. 玩转SpringBoot之整合Mybatis拦截器对数据库水平分表
		
    利用Mybatis拦截器对数据库水平分表 需求描述 当数据量比较多时,放在一个表中的时候会影响查询效率:或者数据的时效性只是当月有效的时候:这时我们就会涉及到数据库的分表操作了.当然,你也可以使用比较 ...
    
		
    7. 
						
  7. SpringBoot开发案例之拦截器注入Bean
		
    前言 由于业务需要,需要在拦截器中操作Redis缓存,按照 controller,service层配置发现无法注入,一直报空指针异常. 解决方案 @Configuration public class ...
    
		
    8. 
						
  8. 如何在SpringBoot项目中使用拦截器
		
    相比springmvc,springboot中拦截器不需要在xml中配置,只需定义拦截器类 implements HandlerInterceptor 和拦截器拦截路径的配置类extends WebM ...
    
		
    9. 
						
  9. springboot中配置了拦截器后,拦截器无效的解决方案之一
		
    springboot的启动类xxxApplication不能扫描到拦截器配置类,可加上@ComponentScan(basePackages={"com.maya.common"} ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. java判断文件真实类型
			
    代码如下: import java.io.FileInputStream; import java.io.IOException; import java.util.HashMap; /** * &l ...
    
			
    2. 
						
  2. sklearn的基本使用
			
    https://cloud.tencent.com/developer/news/58202 简介 今天为大家介绍的是scikit-learn.sklearn是一个Python第三方提供的非常强力的机 ...
    
			
    3. 
						
  3. docker 国内镜像加速
			
    CentOS7 对于使用 systemd 的系统,请在 /etc/docker/daemon.json 中写入如下内容(如果文件不存在请新建该文件): {"registry-mirrors& ...
    
			
    4. 
						
  4. PostgreSQL的递归查询(with recursive) ,替代oracle 的级联查询connect by
			
    开发有需求,说需要对一张地区表进行递归查询,Postgres中有个 with recursive的查询方式,可以满足递归查询(一般>=2层). 测试如下: create table tb(id  ...
    
			
    5. 
						
  5. nexus 3.x最新版下载安装和上传下载jar
			
    注意: nexus 3.x最新版好像不用下载索引了,目前我使用一些基本功能没有索引也能耍的很6 下载 nexus最新版下载https://www.sonatype.com/download-oss-s ...
    
			
    6. 
						
  6. SecureCRT-登录unix/linux服务器主机的软件
			
    百度百科说辞: SecureCRT是一款支持SSH(SSH1和SSH2)的终端仿真程序,简单地说是Windows下登录UNIX或Linux服务器主机的软件. SecureCRT支持SSH,同时支持Te ...
    
			
    7. 
						
  7. Windows Server 2008 R2怎样设置自动登陆(登录)
			
    方法一: 打开电脑“菜单”,右键点击“运行”,在对话框输入“control userpasswords2”,点击“确定”. 弹出的窗口取消勾选“要使用本机用户必须输入用户名和密码”,取消后点击“确定” ...
    
			
    8. 
						
  8. 负载均衡Nginx和F5的区别
			
    今早上看书,看到为了保证Zuul的高可用性,在Zuul的前端可以使用Nginx或F5再次进行负载转发 使用过Nginx,那F5是什么,他们有什么区别吗? (1)F5 F5负载均衡器是应用交付网络的全球 ...
    
			
    9. 
						
  9. eclipse项目有红色感叹号
			
    1.依赖有问题 找到build path 点击configure build path 点击libraries 找到有红叉的包,然后选中移除 2.引用的包有问题 利用maven引用的包出现问题,有的包 ...
    
			
    10. 
						
  10. perl修改镜像源地址
			
    perl修改源地址 这里推荐中科大的源 http://mirrors.ustc.edu.cn/CPAN/ perl -MCPAN -e shell 1.执行cpan命令确认存在该命令 如果cpan执行 ...
    
			
    11.