import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
/**
 * Class: ScanInteceptor
 * Description: interceptor that rejects requests whose URI or query string contains
 * characters or keywords flagged by a vulnerability scan. It is a blocklist applied to
 * the URI and query string only — not a substitute for parameterized queries and
 * output encoding at the point of use.
 * @author:
 */
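public class ScanInteceptor extends HandlerInterceptorAdapter {
    // NOTE(review): HandlerInterceptorAdapter is deprecated from Spring 5.3; implementing
    // HandlerInterceptor directly is the drop-in replacement once the project is on that version.

    /**
     * Characters rejected anywhere in the request path. Compiled once: {@link Pattern} is
     * immutable and thread-safe, and this interceptor is a singleton hit by every request.
     */
    private static final Pattern SPECIAL_CHARS = Pattern.compile("[`()|{}''\\[\\]()]");

    /**
     * Substrings rejected in the lower-cased query string. Most SQL keywords keep their
     * trailing space so that ordinary words such as "color" do not trip the "or " rule;
     * "alert" and "eval" carry no such guard and also match e.g. "alerts" or "evaluation".
     */
    private static final String[] ATTACK_TOKENS =
            "and |or |select |insert |update |delete |drop |truncate |alert|eval".split("\\|");

    /** Body sent to the client when a request is rejected. */
    private static final String REJECT_MESSAGE = "参数含有非法字符, 已禁止继续访问!";

    /**
     * Rejects the request when its URI contains a special character or its query string
     * contains a blocklisted token; otherwise lets it through.
     *
     * <p>NOTE(review): this is a blocklist, not a security boundary. Only the URI and the
     * query string are inspected — request bodies, headers and cookies are not — and any
     * blocklist can be evaded (double encoding, SQL comment tokens, keywords not listed).
     * Injection and XSS still have to be prevented at the point of use with parameterized
     * queries and output encoding; treat this interceptor as a speed bump for scanners.
     *
     * @param request  the incoming request
     * @param response used to deliver the rejection when the request is blocked
     * @param object   the chosen handler (unused)
     * @return {@code true} to continue the handler chain, {@code false} if the request was rejected
     * @throws Exception if writing the rejection body fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object object)
            throws Exception {
        String requestPath = request.getRequestURI();
        System.out.println("拦截器 ========requestPath========" + requestPath);

        // getRequestURI() is not decoded by the container: a scanner sends "(" as "%28",
        // so the percent-decoded form is checked in addition to the raw one.
        if (isSpecialChar(lower(requestPath)) || isSpecialChar(lower(decodeOrKeep(requestPath)))) {
            reject(response);
            return false;
        }

        // getQueryString() is raw as well: "?id=1%20and%201=1" only contains "and " once decoded.
        String query = request.getQueryString();
        if (query != null
                && (judgeSQLInjectUrl(lower(query)) || judgeSQLInjectUrl(lower(decodeOrKeep(query))))) {
            reject(response);
            return false;
        }
        return true;
    }

    /**
     * Reports whether the (lower-cased) query string contains any blocklisted token.
     *
     * @param value lower-cased query string; {@code null} or empty is never flagged
     * @return {@code true} if a token from {@link #ATTACK_TOKENS} occurs in {@code value}
     */
    private boolean judgeSQLInjectUrl(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        for (String token : ATTACK_TOKENS) {
            if (value.contains(token)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether {@code str} contains any character from {@link #SPECIAL_CHARS}.
     *
     * @param str the string to scan; {@code null} is never flagged
     * @return {@code true} if at least one special character is present
     */
    private boolean isSpecialChar(String str) {
        return str != null && SPECIAL_CHARS.matcher(str).find();
    }

    /**
     * Lower-cases with a fixed locale so the match does not depend on the server's default
     * locale (under a Turkish locale "INSERT".toLowerCase() yields a dotless i and would
     * slip past the "insert " token).
     */
    private static String lower(String value) {
        return value.toLowerCase(Locale.ROOT);
    }

    /**
     * Returns the percent-decoded form of {@code value}, or {@code value} itself when it is
     * not valid URL encoding (e.g. a dangling "%"). Callers always check the raw form too,
     * so a decode failure never skips a check. Only one decoding pass is done; a
     * double-encoded payload is not caught here.
     */
    private static String decodeOrKeep(String value) {
        try {
            return URLDecoder.decode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return value;
        }
    }

    /**
     * Writes the rejection response. The status is set to 400 so a blocked request is visible
     * to clients and monitoring instead of masquerading as a 200 with an error body.
     *
     * @throws IOException if the response writer cannot be obtained or written
     */
    private static void reject(HttpServletResponse response) throws IOException {
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        response.setContentType("text/html;charset=utf-8");
        response.getWriter().println(REJECT_MESSAGE);
    }

    // postHandle / afterCompletion are inherited as no-ops from HandlerInterceptorAdapter.
}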
注册拦截器 (register the interceptor so it runs on every request):
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
/**
 * Class: InterceptorConfig
 * Description: registers ScanInteceptor for every request path ("/**").
 *
 * @author:
 * Created: 2019/9/18 16:19
 * Version 1.0
 */
@Configuration
public class InterceptorConfig implements WebMvcConfigurer {

    /**
     * Registers {@link ScanInteceptor} with Spring MVC.
     *
     * @param registry the interceptor registry supplied by Spring
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        ScanInteceptor scanInterceptor = new ScanInteceptor();
        // "/**" applies the interceptor to every request Spring MVC dispatches.
        registry.addInterceptor(scanInterceptor).addPathPatterns("/**");
    }
}