springboot 项目前后端接口,防止xss攻击以及跨域问题解决

1、启动类添加注解

@ServletComponentScan

2、cors的拦截类

package com.longfor.hrssc.api.config;

import com.longfor.hrssc.common.util.ResultUtils;

import org.springframework.beans.factory.annotation.Value;

import org.springframework.context.annotation.PropertySource;

import org.springframework.stereotype.Component;

import javax.servlet.*;

import javax.servlet.annotation.WebFilter;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

import java.util.Arrays;

import java.util.HashSet;

import java.util.Set;

@Component

@PropertySource("classpath:application-dev.yml")

@WebFilter(urlPatterns = "/*", filterName = "CorsFilter")

public class CorsFilter implements Filter {

    @Value("${bpm.fiter.domain}")

    private String allowDomains;

    @Override

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletResponse response = (HttpServletResponse) res;

        HttpServletRequest reqs = (HttpServletRequest) req;

        // 设置允许多个域名请求

        //String[] allowDomains = {"http://www.xxxx.xin","http://xxxx:8080","http://localhost:8080"};

        String[] allowDomain = allowDomains.split(",");

        Set allowOrigins = new HashSet(Arrays.asList(allowDomain));

        String curOrigin = reqs.getHeader("Origin");

        /*if("null".equalsIgnoreCase(curOrigin)){

            curOrigin = "http://xxxxxx:8888";

        }*/

        if(allowOrigins.contains(curOrigin) || null == curOrigin){

            //设置允许跨域的配置

            // 这里填写你允许进行跨域的主机ip(正式上线时可以动态配置具体允许的域名和IP)

            response.setHeader("Access-Control-Allow-Origin", curOrigin);

            response.setHeader("Access-Control-Allow-Credentials", "true");

            //response.setHeader("Access-Control-Allow-Methods", "POST, GET, PATCH, DELETE, PUT");

            response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH");

            response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, token");

            chain.doFilter(reqs, response);

        }else{

            throw new IOException(ResultUtils.doFilter().toString());

        }

    }

    @Override

    public void init(FilterConfig filterConfig) {}

    @Override

    public void destroy() {}

}

3、xss相关类

XssFilter
package com.longfor.hrssc.api.config;

import javax.servlet.*;

import javax.servlet.annotation.WebFilter;

import javax.servlet.http.HttpServletRequest;

import java.io.IOException;

/** * XSS过滤器 * @author Jozz */

@WebFilter(filterName="xssFilter",urlPatterns="/*")

public class XssFilter implements Filter {

    @Override

    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override

    public void doFilter(ServletRequest servletRequest,

                                   ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest)servletRequest; String path = request.getServletPath();

        //由于我的@WebFilter注解配置的是urlPatterns="/*"(过滤所有请求),所以这里对不需要过滤的静态资源url,作忽略处理(大家可以依照具体需求配置)

        String[] exclusionsUrls = {".js",".gif",".jpg",".png",".css",".ico"};

        for (String str : exclusionsUrls) {

            if (path.contains(str)) {

                filterChain.doFilter(servletRequest,servletResponse);

                return;

            }

        }

        filterChain.doFilter(new XssHttpServletRequestWrapper(request),servletResponse);

    }

    @Override public void destroy() {

    }

}
XssHttpServletRequestWrapper

package com.longfor.hrssc.api.config;

/**

 * Created by 裴帅楠 on 2019/7/10.

 */

import com.alibaba.fastjson.JSON;

import org.apache.commons.lang3.StringEscapeUtils;

import org.apache.commons.lang3.StringUtils;

//import org.apache.commons.text.StringEscapeUtils;

import javax.servlet.ReadListener;

import javax.servlet.ServletInputStream;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

import java.io.*; import java.nio.charset.Charset;

import java.util.ArrayList;

import java.util.HashMap;

import java.util.List;

import java.util.Map;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

/** * ServletRequest包装类,对request做XSS过滤处理

 * @author Jozz

 *

 * */

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {

        super(request);

    }

        @Override

        public String getHeader(String name) {

        return StringEscapeUtils.escapeHtml4(super.getHeader(name));

    }

    @Override

    public String getQueryString() {

        return StringEscapeUtils.escapeHtml4(super.getQueryString());

    }

    @Override public String getParameter(String name) {

        return StringEscapeUtils.escapeHtml4(super.getParameter(name));

    }

    @Override

    public String[] getParameterValues(String name) {

        String[] values = super.getParameterValues(name);

        if(values != null) {

            int length = values.length;

            String[] escapseValues = new String[length];

            for(int i = 0; i < length; i++){

                escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);

            }

            return escapseValues;

        }

        return values;

    }

    @Override

    public ServletInputStream getInputStream() throws IOException {

        String str=getRequestBody(super.getInputStream());

        Map<String,Object> map= JSON.parseObject(str,Map.class);

        Map<String,Object> resultMap=new HashMap<>(map.size());

        for(String key:map.keySet()){

            Object val=map.get(key);

            if(null != val){

                stripXss(val.toString());

            }

            if(map.get(key) instanceof String){

                resultMap.put(key,StringEscapeUtils.escapeHtml4(val.toString()));

            }else{

                resultMap.put(key,val);

            }

        }

        str=JSON.toJSONString(resultMap);

        final ByteArrayInputStream bais = new ByteArrayInputStream(str.getBytes());

        return new ServletInputStream() {

            @Override

            public int read() throws IOException {

                return bais.read();

            }

            @Override

            public boolean isFinished() {

                return false;

            }

            @Override

            public boolean isReady() {

                return false;

            }

            @Override

            public void setReadListener(ReadListener listener) {

            }

        };

    }

    private String getRequestBody(InputStream stream) {

        String line = "";

        StringBuilder body = new StringBuilder();

        int counter = 0;

        // 读取POST提交的数据内容

        BufferedReader reader = new BufferedReader(new InputStreamReader(stream, Charset.forName("UTF-8")));

        try {

            while ((line = reader.readLine()) != null) {

                body.append(line); counter++;

            }

        } catch (IOException e) {

            e.printStackTrace();

        } return body.toString();

    }

    private static List<Pattern> patterns = null;

    public static String stripXss(String value) {

        if(StringUtils.isNotBlank(value)) {

            Matcher matcher = null;

            for(Pattern pattern : getPatterns()) {

                matcher = pattern.matcher(value);

                // 匹配

                if(matcher.find()) {

                    // 删除相关字符串

                    value = matcher.replaceAll("");

                }

            }

            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");

        }

       /* if (LOG.isDebugEnabled()) {

          LOG.debug("strip value: " + value); return value;

        }*/

        return value;

    }

    private static List<Object[]> getXssPatternList() {

        List<Object[]> ret = new ArrayList<Object[]>();

        ret.add(new Object[]{"<(no)?script[^>]*>.*?</(no)?script>", Pattern.CASE_INSENSITIVE});

        ret.add(new Object[]{"eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"(javascript:|vbscript:|view-source:)*", Pattern.CASE_INSENSITIVE});

        ret.add(new Object[]{"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        ret.add(new Object[]{"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});

        return ret;

    }

    private static List<Pattern> getPatterns() {

        if (patterns == null) {

            List<Pattern> list = new ArrayList<Pattern>();

            String regex = null;

            Integer flag = null;

            int arrLength = 0;

            for(Object[] arr : getXssPatternList()) {

                arrLength = arr.length; for(int i = 0; i < arrLength; i++) {

                    regex = (String)arr[0]; flag = (Integer)arr[1]; list.add(Pattern.compile(regex, flag));

                }

            }

            patterns = list;

        }

        return patterns;

    }

}

4、yml中配置

#bpm域名过滤

bpm:

  fiter:

    domain: http://xxx.sit,https://xxxxx.net:8089,http://xxxxx.sit:8088,http://xxxxx:8888,https://xxxxx:8443

5、返回

/**

     *  跨域白名单

     * @return

     */

    public static ResultUtils doFilter() {

        return new ResultUtils(Constants.doFilterCode, Constants.doFilterException, null);

    }

6、自定义code

public static final int doFilterCode  = 403;

public static final String doFilterException = "请申请IP白名单";
												


											
springboot自定义CORS&XSS拦截器的更多相关文章
	

    
								
  1. spring boot集成swagger,自定义注解,拦截器,xss过滤,异步调用,guava限流,定时任务案例, 发邮件
		
    本文介绍spring boot集成swagger,自定义注解,拦截器,xss过滤,异步调用,定时任务案例 集成swagger--对于做前后端分离的项目,后端只需要提供接口访问,swagger提供了接口 ...
    
		
    2. 
						
  2. SpringBoot从零单排 ------ 拦截器的使用
		
    在项目开发中我们常常需要对请求进行验证,如登录校验.权限验证.防止重复提交等等,通过拦截器来过滤请求.自定义一个拦截器需要实现HandlerInterceptor接口.代码如下: import org ...
    
		
    3. 
						
  3. springboot(五)过滤器和拦截器
		
    前言 过滤器和拦截器二者都是AOP编程思想的提现,都能实现诸如权限检查.日志记录等.二者有一定的相似之处,不同的地方在于: Filter是servlet规范,只能用在Web程序中,而拦截器是Sprin ...
    
		
    4. 
						
  4. SpringBoot静态资源访问+拦截器+Thymeleaf模板引擎实现简单登陆
		
    在此记录一下这十几天的学习情况,卡在模板引擎这里已经是四天了. 对Springboot的配置有一个比较深刻的认识,在此和大家分享一下初学者入门Spring Boot的注意事项,如果是初学SpringB ...
    
		
    5. 
						
  5. springBoot 2.X-自定义拦截器
		
    package com.cx.springboot.myInter; import javax.servlet.http.HttpServletRequest; import javax.servle ...
    
		
    6. 
						
  6. 玩转SpringBoot之整合Mybatis拦截器对数据库水平分表
		
    利用Mybatis拦截器对数据库水平分表 需求描述 当数据量比较多时,放在一个表中的时候会影响查询效率:或者数据的时效性只是当月有效的时候:这时我们就会涉及到数据库的分表操作了.当然,你也可以使用比较 ...
    
		
    7. 
						
  7. SpringBoot开发案例之拦截器注入Bean
		
    前言 由于业务需要,需要在拦截器中操作Redis缓存,按照 controller,service层配置发现无法注入,一直报空指针异常. 解决方案 @Configuration public class ...
    
		
    8. 
						
  8. 如何在SpringBoot项目中使用拦截器
		
    相比springmvc,springboot中拦截器不需要在xml中配置,只需定义拦截器类 implements HandlerInterceptor 和拦截器拦截路径的配置类extends WebM ...
    
		
    9. 
						
  9. springboot中配置了拦截器后,拦截器无效的解决方案之一
		
    springboot的启动类xxxApplication不能扫描到拦截器配置类,可加上@ComponentScan(basePackages={"com.maya.common"} ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 如何将业务代码写得像诗一样(使用注解+单例+工厂去掉一大波if和else判断)
			
    1.订单控制器,提供一个根据商品id和银行渠道id计算商品折后价格的接口: import org.springframework.web.bind.annotation.GetMapping; imp ...
    
			
    2. 
						
  2. Redis 启动 Please see the documentation included with the binary distributions for more details on the --maxheap flag.
			
    启动redis的时候,出现 主要就是说 没有足够的可用的空间,可以使用maxheap减少redis堆的大小.或者重启系统对系统分页文件进行碎片整理. 解决方法就是在启动的时候加个  --maxheap ...
    
			
    3. 
						
  3. Spring-boot2X基于sharding-jdbc3.x分表分库
			
    ShardingSphere是一套开源的分布式数据库中间件解决方案组成的生态圈,它由Sharding-JDBC.Sharding-Proxy和Sharding-Sidecar(计划中)这3款相互独立的 ...
    
			
    4. 
						
  4. Winograd Convolution 推导 - 从1D到2D
			
    Winograd Convolution 推导 - 从1D到2D 姚伟峰 http://www.cnblogs.com/Matrix_Yao/ Winograd Convolution 推导 - 从1 ...
    
			
    5. 
						
  5. HTML、css、javascript、DOM编程
			
    HTML.css.javascript.DOM编程 一.Html 1.1html概述 Html就是超文本标记语言的简写,是最基础的网页语言,其代码都是由标签所组成,是通过标签来定义的语言,代码不需要区 ...
    
			
    6. 
						
  6. MySQL Community Server 8.0.16
			
    1 首先 我们需要先下载一个 Mysql 点击这个网址进入 Mysql 的官网的下载地址: https://dev.mysql.com/downloads/mysql/ 首先 根据你的电脑的操作系统选 ...
    
			
    7. 
						
  7. 2017ACM/ICPC广西邀请赛   Color it
			
    Color it Time Limit: 20000/10000 MS (Java/Others)    Memory Limit: 132768/132768 K (Java/Others)Tota ...
    
			
    8. 
						
  8. html5 canvas手写字代码(兼容手机端)
			
    html5 canvas手写字代码(兼容手机端) <pre><!DOCTYPE html><html><head> <title>画板实验& ...
    
			
    9. 
						
  9. SQL2014做数据库主从镜像备份(也可以用于高可用)备忘(非域控)。
			
    部份内容参考原始文章链接:https://www.cnblogs.com/stragon/p/5643754.html ,同时比较有参考价值的文章:https://blog.csdn.net/sqls ...
    
			
    10. 
						
  10. Resharper速度慢解决办法
			
    Reshaper很好用,但是安装后速度特别慢,大部分情况下,我们只需要使用一些插件功能,代码自动分析功能可以关闭,如图:取消Code analysis即可.
    
			
    11.