[英]How to use a servlet filter in Java to change an incoming servlet request url?
[英]How to change servlet request body in java filter?
如何更改 Java 过滤器中的请求正文以防止XSS
攻击? 我构建了HttpServletRequestWrapper
并使用getparameter
来更改主体,但获取流关闭异常。
public class XSSFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
XSSRequestWrapper wrappedRequest = new XSSRequestWrapper(
(HttpServletRequest) request);
String body = IOUtils.toString(wrappedRequest.getReader());
if(!"".equals(body))
{
JSONObject oldJsonObject = new JSONObject(body);
JSONObject newJsonObject = new JSONObject();
for(String key : oldJsonObject.keySet())
{
newJsonObject.put(key, XSSUtils.stripXSS(oldJsonObject.get(key).toString()));
}
wrappedRequest.resetInputStream(newJsonObject.toString().getBytes());
}
chain.doFilter(wrappedRequest, response);
}
}
public class XSSRequestWrapper extends HttpServletRequestWrapper {
private byte[] rawData;
private HttpServletRequest request;
private ResettableServletInputStream servletStream;
public XSSRequestWrapper(HttpServletRequest request) {
super(request);
this.request = request;
this.servletStream = new ResettableServletInputStream();
}
public void resetInputStream(byte[] newRawData) {
servletStream.stream = new ByteArrayInputStream(newRawData);
}
@Override
public ServletInputStream getInputStream() throws IOException {
if (rawData == null) {
rawData = IOUtils.toByteArray(this.request.getReader());
servletStream.stream = new ByteArrayInputStream(rawData);
}
return servletStream;
}
@Override
public BufferedReader getReader() throws IOException {
if (rawData == null) {
rawData = IOUtils.toByteArray(this.request.getReader());
servletStream.stream = new ByteArrayInputStream(rawData);
}
return new BufferedReader(new InputStreamReader(servletStream));
}
private class ResettableServletInputStream extends ServletInputStream {
private InputStream stream;
@Override
public int read() throws IOException {
return stream.read();
}
}
}
public class XSSUtils {
private XSSUtils()
{
}
public static String stripXSS(String value) {
return value == null ? value : escapeHtml4(value);
}
}
由于我没有足够的声誉来添加评论,因此我将其添加为答案。 3 年后,我找到了可以节省时间的公认答案。 同时,我不得不修复几件事情,因此添加...
(1) 一个错误(缺少对 rawData 的赋值)
public void resetInputStream(byte[] newRawData) {
rawData = newRawData;
servletStream.stream = new ByteArrayInputStream(newRawData);
}
(2) 随着时间的推移需要改变。 参考: HttpServletRequestWrapper,setReadListener / isFinished / isReady 的示例实现?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.