Spring 防御CSRF、XSS和SQL注入攻击

对每个post请求的参数过滤一些关键字，替换成安全的，例如：< > ' " \ /  # &

方法是实现一个自定义的HttpServletRequestWrapper，然后在Filter里面调用它，替换掉getParameter函数即可。

首先添加一个XssHttpServletRequestWrapper:

package com.ibm.web.beans;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {  
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }
    public String[] getParameterValues(String parameter) {
      String[] values = super.getParameterValues(parameter);
      if (values==null)  {
                  return null;
          }
      int count = values.length;
      String[] encodedValues = new String[count];
      for (int i = 0; i < count; i++) {
                 encodedValues[i] = cleanXSS(values[i]);
       }
      return encodedValues;
    }
    public String getParameter(String parameter) {
          String value = super.getParameter(parameter);
          if (value == null) {
                 return null;
                  }
          return cleanXSS(value);
    }
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null)
            return null;
        return cleanXSS(value);
    }
    private String cleanXSS(String value) {
         //这里特意 加多个空格.... 方便 csdn显示 ,如 <  ==>  & lt;
        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
      value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
      value = value.replaceAll("'", "& #39;");
     value = value.replaceAll("eval\\((.*)\\)", "");
     value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
     value = value.replaceAll("script", "");
        return value;
    }

}

然后添加一个过滤器XssFilter ：

package com.ibm.web.beans;

import java.io.IOException;  

import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;

public class XssFilter implements Filter {
    FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        chain.doFilter(new XssHttpServletRequestWrapper(
                (HttpServletRequest) request), response);
    }
}

最后在web.xml里面配置一下，所有的请求的getParameter会被替换，如果参数里面 含有敏感词会被替换掉：

  
     XssSqlFilter
     com.ibm.web.beans.XssFilter
  
  
     XssSqlFilter
     /*
     REQUEST