The filter configured in web.xml is as follows:
<filter> <filter-name>HazardousParametersFilter</filter-name> <filter-class>com.galaxy.apps.common.HazardousParametersFilter</filter-class> <init-param><param-name>ignoreRegex</param-name><param-value>/upload/mobileUploadPic</param-value> </init-param></filter><filter-mapping> <filter-name>HazardousParametersFilter</filter-name> <url-pattern>/*</url-pattern></filter-mapping>
You can see that the url-pattern of the filter is /*. Suppose you want to exclude /upload/mobileUploadPic from the URLs the filter processes.
This can be decided by combining the init-param initialization parameter with the HttpServletRequest getServletPath() method.
<init-param> <param-name>ignoreRegex</param-name> <param-value>/upload/mobileUploadPic</param-value> </init-param>
Here is the specific implementation of the filter HazardousParametersFilter:
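package com.galaxy.apps.common;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import com.jovtec.galaxy.util.RequestHelper;

/**
 * Servlet filter that inspects every request parameter for hazardous characters and, when any
 * are present, hands the downstream chain a {@link HazardousRequestWrapper} (same package) so
 * that the values it exposes are escaped. Two kinds of request bypass the inspection:
 * <ul>
 *   <li>requests whose context-relative path is one of the comma-separated entries of the
 *       {@code ignoreRegex} init-param (matched exactly, not as a regular expression despite
 *       the name);</li>
 *   <li>requests under the back-office prefix {@code /portal/}.</li>
 * </ul>
 * Both checks use the path the container has already decoded and normalized (servlet path plus
 * path info), not the raw request URI: a raw prefix test such as
 * {@code getRequestURI().startsWith("/portal/")} is satisfied by {@code /portal/../other}
 * even though the container dispatches it to {@code /other}, which would exempt that request
 * from filtering. The raw URI also carries the context path, so the prefix test never matched
 * when the application was not deployed at the root context.
 */
public class HazardousParametersFilter implements Filter {

    private static final Log LOGGER = LogFactory.getLog("SecurityLogger");

    /** Context-relative prefix of the back-office area that is exempt from inspection. */
    private static final String PORTAL_PREFIX = "/portal/";

    /**
     * Constructed stand-in for the project's hazardous-character policy. The original source of
     * this block is garbled at the point of the check ({@code if (values)}), and the project
     * helper it imported (HazardousParameterHelper) is not available here, so the basic HTML/JS
     * metacharacters are flagged until the real helper is wired back in (see
     * {@link #containsHazardous(String[])}).
     */
    private static final char[] HAZARDOUS_CHARS = {'<', '>', '"', '\''};

    /** Raw value of the {@code ignoreRegex} init-param, kept only for the getter. */
    private String ignoreRegex;

    /** Exact paths to exclude; never null, so doFilter needs no guard when the param is absent. */
    private String[] ignoreRegexArray = new String[0];

    public String getIgnoreRegex() {
        return ignoreRegex;
    }

    public void setIgnoreRegex(String ignoreRegex) {
        this.ignoreRegex = ignoreRegex;
    }

    /** Returns a copy so callers cannot mutate the exclusion list behind the filter's back. */
    public String[] getIgnoreRegexArray() {
        return ignoreRegexArray.clone();
    }

    /** Accepts {@code null} as "no exclusions"; the stored array is a defensive copy. */
    public void setIgnoreRegexArray(String[] ignoreRegexArray) {
        this.ignoreRegexArray = ignoreRegexArray == null ? new String[0] : ignoreRegexArray.clone();
    }

    /**
     * Reads the {@code ignoreRegex} init-param and splits it into the exclusion list.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        ignoreRegex = filterConfig.getInitParameter("ignoreRegex");
        ignoreRegexArray = parseIgnoreList(ignoreRegex);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Passes excluded requests straight through; otherwise scans the parameter map and, when a
     * hazardous value is found, logs the event and continues the chain with an escaping wrapper.
     *
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        // The filter is mapped to /* in an HTTP container, so the cast is the author's assumption.
        HttpServletRequest request = (HttpServletRequest) servletRequest;

        if (isExcluded(request)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // TODO html/shtml: how to optimize performance? These must be filtered too, otherwise an
        // shtml include never enters this filter.
        // TODO move the /portal/ exemption into ignoreRegex instead of hard-coding it here.
        @SuppressWarnings("unchecked") // pre-3.0 servlet APIs declare the raw Map
        Map<String, String[]> parameterMap = request.getParameterMap();
        if (!hasHazardousParameter(parameterMap)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // NOTE(review): this writes every parameter value of the request to the security log.
        // If any form on the site carries credentials or other secrets, they end up in the log;
        // redact known sensitive names before relying on this in production.
        LOGGER.info("The URL received the risk character parameter:" + request.getRequestURL()
                + ", Customer IP:" + request.getRemoteAddr()
                + ", parameter list:" + RequestHelper.getParameterMapToString(parameterMap));
        filterChain.doFilter(new HazardousRequestWrapper(request), servletResponse);
    }

    /**
     * Decides whether the request bypasses inspection: an empty path is passed through (the
     * original behaviour for an empty URI), as is anything under {@link #PORTAL_PREFIX} or an
     * exact match of an {@code ignoreRegex} entry.
     */
    private boolean isExcluded(HttpServletRequest request) {
        String path = requestPath(request);
        if (StringUtils.isEmpty(path) || path.startsWith(PORTAL_PREFIX)) {
            return true;
        }
        for (String page : ignoreRegexArray) {
            if (path.equals(page)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Context-relative, container-decoded path. Servlet path and path info are concatenated so
     * the result is the same whether the target servlet is mapped by extension, by {@code /} or
     * by {@code /*} (in the last case the servlet path is empty and path info holds everything).
     */
    private static String requestPath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        if (servletPath == null) {
            servletPath = "";
        }
        return pathInfo == null ? servletPath : servletPath + pathInfo;
    }

    /** True when at least one value of at least one parameter is hazardous. */
    static boolean hasHazardousParameter(Map<String, String[]> parameterMap) {
        if (parameterMap == null || parameterMap.isEmpty()) {
            return false;
        }
        for (String[] values : parameterMap.values()) {
            if (containsHazardous(values)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hazardous-character test for one parameter's values. This is the constructed placeholder
     * described on {@link #HAZARDOUS_CHARS}; replace its body with the project's
     * HazardousParameterHelper check. Null arrays and null elements are treated as harmless.
     */
    static boolean containsHazardous(String[] values) {
        if (values == null) {
            return false;
        }
        for (String value : values) {
            if (value != null && StringUtils.containsAny(value, HAZARDOUS_CHARS)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Splits the comma-separated init-param into trimmed, non-empty entries. Trimming means a
     * value such as {@code "/a, /b"} still matches {@code /b}; the original split left the
     * leading space in place and the entry could never match.
     *
     * @return never null; empty when the parameter is absent or blank
     */
    private static String[] parseIgnoreList(String ignoreRegex) {
        if (StringUtils.isEmpty(ignoreRegex)) {
            return new String[0];
        }
        String[] parts = ignoreRegex.split(",");
        List<String> entries = new ArrayList<String>(parts.length);
        for (String part : parts) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                entries.add(trimmed);
            }
        }
        return entries.toArray(new String[entries.size()]);
    }
}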
Finish ~
Filter: excluding some URLs from a filter's url-pattern