pom
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>huo</artifactId>
<version>1.0-SNAPSHOT</version>
<!-- Spring Boot 启动父依赖 -->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.6.RELEASE</version> <!-- 1.5.1-->
</parent>
<dependencies>
<!-- Spring Boot Web 依赖 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.56</version>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-extension</artifactId>
<version>3.4.3.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-test</artifactId>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.1.0</version>
</dependency>
<!--S Lombok插件依赖-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.10</version>
<scope>provided</scope>
</dependency>
<!--RabbitMQ 依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-amqp</artifactId>
</dependency>
<!--swagger2依赖-->
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.9.2</version>
</dependency>
<!--swagger2-ui依赖-->
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.9.2</version>
</dependency>
<!--E Lombok插件依赖-->
<!-- MySQL 连接驱动依赖 -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.30</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
</dependency>
</dependencies>
</project>
跨域
package com.rj.bd.Config;
import com.alibaba.fastjson.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.PrintWriter;
@WebFilter("/*")
@Component
public class CrosXssFilter implements Filter {
private static Logger logger = LoggerFactory.getLogger(CrosXssFilter.class);
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
request.setCharacterEncoding("utf-8");
response.setContentType("text/html;charset=utf-8");
//跨域设置
if(response instanceof HttpServletResponse){
HttpServletResponse httpResponse = (HttpServletResponse) response;
//通过在响应header中设置‘*’来允许来自所有域的跨域请求
httpResponse.setHeader("Access-Control-Allow-Origin","*");
//设置请求方式
httpResponse.setHeader("Access-Control-Allow-Methods","*");
httpResponse.setHeader("Access-Control-Max-Age", "86400");
httpResponse.setHeader("Access-Control-Allow-Headers", "*");
}
//sql、xss过滤
HttpServletRequest httpRequest = (HttpServletRequest) request;
logger.info("CrosXssFilter----->orignal url:{},ParameterMap:{}",httpRequest.getRequestURI(), JSONObject.toJSONString(httpRequest.getParameterMap()));
XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper(httpRequest);
String param = getBodyString(xssHttpServletRequestWrapper.getReader());
if(xssHttpServletRequestWrapper.checkSqlKeyWords(param)){
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json;charset=UTF-8");
PrintWriter out = response.getWriter();
out.write("参数中不允许存在sql关键字");
return;
}
chain.doFilter(xssHttpServletRequestWrapper,response);
logger.info("CrosXssFilter..........doFilter url:{},ParameterMap:{}",xssHttpServletRequestWrapper.getRequestURI(), JSONObject.toJSONString(xssHttpServletRequestWrapper.getParameterMap()));
}
@Override
public void init(FilterConfig config) throws ServletException {
}
@Override
public void destroy() {
}
public static String getBodyString(BufferedReader br) {
String inputLine;
String str = "";
try {
while ((inputLine = br.readLine()) != null) {
str += inputLine;
}
br.close();
} catch (IOException e) {
logger.error("过滤参数异常:{}",e.getMessage());
}
return str;
}
}
防止sql注入和xss过滤
package com.rj.bd.Config;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StreamUtils;
import org.springframework.util.StringUtils;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.*;
/**
* @Description 防止sql注入,xss攻击
* @Date 2020/5/20 9:48
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static Logger logger = LoggerFactory.getLogger(XssHttpServletRequestWrapper.class);
private static String key = "and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+";
private static String strUpper = key.toUpperCase();
private static Set<String> notAllowedKeyWords = new HashSet<String>(0);
private static String replacedString = "INVALID";
private final byte[] body; //用于保存读取body中数据
private String currentUrl;
static {
String keyStr[] = key.split("\\|");
String keyStr1[] = strUpper.split("\\|");
for (String str : keyStr) {
notAllowedKeyWords.add(str);
}
for(String strUpper : keyStr1){
notAllowedKeyWords.add(strUpper);
}
}
public XssHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
super(request);
currentUrl = request.getRequestURI();
body = StreamUtils.copyToByteArray(request.getInputStream());
}
/**
* @Description 覆盖getParameter方法,将参数和参数值做xss过滤
* @Date 2020/5/20 9:57
*/
@Override
public String getParameter(String name) {
String value = super.getParameter(name);
if(StringUtils.isEmpty(value)){
return null;
}
return cleanXss(value);
}
@Override
public Map<String, String[]> getParameterMap() {
Map<String,String[]> values = super.getParameterMap();
if(null == values){
return null;
}
Map<String,String[]> result = new HashMap<>();
for (String key : values.keySet()) {
String encodedKey = cleanXss(key);
int count = values.get(key).length;
String[] encodedValues = new String[count];
for(int i = 0;i < count;i++){
encodedValues[i] = cleanXss(values.get(key)[i]);
}
result.put(encodedKey,encodedValues);
}
return result;
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if(StringUtils.isEmpty(value)){
return null;
}
return cleanXss(value);
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if(StringUtils.isEmpty(values)){
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0;i < count;i++) {
encodedValues[i] = cleanXss(values[i]);
}
return encodedValues;
}
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream(body);
return new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener arg0) {
}
};
}
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
/**
* @Description 解析参数
* @Date 2020/5/20 10:01
*/
private String cleanXss(String valueP){
String value = valueP.replaceAll("<","<").replaceAll(">",">");
value = value.replaceAll("<","& lt;").replaceAll(">","& gt;");
value = value.replaceAll("\\(","& #40;").replaceAll("\\)","& #41;");
value = value.replaceAll("'","& #39;");
value = value.replaceAll("eval\\((.*)\\)","");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']","\"\"");
value = value.replaceAll("script","");
value = cleanSqlKeyWords(value);
return value;
}
/**
* @Description 解析参数SQL关键字
* @Date 2020/5/20 10:01
*/
private String cleanSqlKeyWords(String value){
String paramValue = value;
for (String keyWord : notAllowedKeyWords) {
if(paramValue.length() > keyWord.length() + 4
&& (paramValue.contains(" " + keyWord)
|| paramValue.contains(keyWord + " ")
|| paramValue.contains(" " + keyWord + " "))){
paramValue = StringUtils.replace(paramValue,keyWord,replacedString);
logger.error( this.currentUrl + "已被过滤,因为参数中包含不允许sql的关键词(" + keyWord + ");参数:" + value + ";过滤后的参数:" + paramValue);
}
}
return paramValue;
}
public boolean checkSqlKeyWords(String value){
String paramValue = value;
paramValue = paramValue.toLowerCase(Locale.ROOT);
for (String keyword : notAllowedKeyWords) {
if (paramValue.length() > keyword.length() + 4
&& (paramValue.contains(" "+keyword)||paramValue.contains(keyword+" ")||paramValue.contains(" "+keyword+" "))) {
logger.error(this.getRequestURI()+ "参数中包含不允许sql的关键词(" + keyword
+ ")");
return true;
}
}
return false;
}
}
整合Swagger
package com.rj.bd.Config;
import io.swagger.annotations.ApiOperation;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;
/**
* @author LXY
* @desc swagger2配置文件
* @time 2022-08-13 13:40
*/
@Configuration//配置类
@EnableSwagger2 //swagger注解
public class Swagger2Config {
@Bean
public Docket getdocker(){
//指明SWAGGER_2的版本使用spring容器进行管理
Docket docket=new Docket(DocumentationType.SWAGGER_2)
.apiInfo(getApoInfo())
.select()
.apis(RequestHandlerSelectors.withMethodAnnotation(ApiOperation.class))
.apis(RequestHandlerSelectors.basePackage("com.rj.bd.Web")) //配置扫描路径
.paths(
//可以再里面写多个
PathSelectors.any()
)
.build();
return docket;
}
public ApiInfo getApoInfo(){
return new ApiInfoBuilder()
.title("测试项目")
.version("1.0")
.description("测试项目接口文档")
.build();
}
}
Springboot自定义统一返回数据和自定义异常处理 异常处理
传送门
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
