过滤器
简介
Filter被称为过滤器,过滤器实际上就是对Web资源进行拦截,做一些处理后再交给下一个过滤器或Servlet处理,通常都是用来拦截request进行处理的,也可以对返回的response进行拦截处理。开发人员利用filter技术,可以实现对所有Web资源的管理,例如实现权限访问控制、过滤敏感词汇、压缩响应信息等一些高级功能。
过滤器也是可以实现内存马的
web 请求逻辑
创建过滤器的流程
便于项目结构的拆分,将servlet 和filter 分开
在filter 目录中添加XssFilter 类
40package com.example.xssfilter.filter;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import java.io.IOException;
import java.io.PrintWriter;
@WebFilter(filterName = "XssFilter",value = "/helloName")
public class XssFilter implements Filter {
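/**
 * Intercepts requests on the mapped route, HTML-escapes the {@code name}
 * parameter and short-circuits requests whose value contains a script keyword.
 *
 * <p>The escaped value is published as request attribute {@code name};
 * {@code getParameter("name")} downstream still returns the raw value, so
 * servlets behind this filter must read the attribute, not the parameter.</p>
 *
 * <p>The keyword check is a teaching demo, not a complete XSS defence: the
 * reliable mitigation is context-aware output encoding at render time.</p>
 *
 * @param servletRequest  the incoming request
 * @param servletResponse the outgoing response
 * @param filterChain     the remaining chain, invoked unless the request is blocked
 * @throws IOException      if the response cannot be written
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    System.out.println("XssFilter doFilter");
    String param = servletRequest.getParameter("name");
    if (param != null) {
        // Replace '&' first, otherwise the entities inserted below would be re-escaped.
        // The original replace("<","<") was a no-op: it put the same character back.
        String escaped = param.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
        servletRequest.setAttribute("name", escaped);
        // Fixed-locale, case-insensitive match: a plain contains("script") misses
        // "SCRIPT", and the default locale's case mapping (Turkish dotless i) could too.
        if (param.toLowerCase(java.util.Locale.ROOT).contains("script")) {
            // Obtain the writer only on this path: calling getWriter() before the
            // chain runs breaks downstream servlets that use getOutputStream().
            servletResponse.setContentType("text/plain;charset=UTF-8");
            PrintWriter out = servletResponse.getWriter();
            out.write("this is xss");
            return;
        }
    }
    filterChain.doFilter(servletRequest, servletResponse);
}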
/** Logs filter shutdown, then hands off to the interface's default {@code destroy}. */
@Override
public void destroy() {
    System.out.println("XssFilter destroy");
    Filter.super.destroy();
}
/**
 * Logs filter start-up, then hands off to the interface's default {@code init}.
 *
 * @param filterConfig configuration supplied by the container
 * @throws ServletException propagated from the default implementation
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
    System.out.println("XssFilter init");
    Filter.super.init(filterConfig);
}
}绑定到具体的路由上
Servlet:
@WebServlet(name = "helloServlet", value = "/hello-servlet")
public class HelloServlet extends HttpServlet {
private String message;
/** Container lifecycle hook: sets the greeting rendered by {@link #doGet}. */
@Override
public void init() {
    message = "Hello World!";
}
/**
 * Writes a minimal HTML page containing the greeting set in {@link #init()}.
 * The greeting is a fixed literal, not request input, so nothing here needs escaping.
 *
 * @param request  the incoming request (not read)
 * @param response the response the page is written to
 * @throws IOException if the response writer cannot be obtained or written
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    response.setContentType("text/html");
    PrintWriter writer = response.getWriter();
    // Hello
    writer.println("<html><body>");
    writer.println("<h1>" + message + "</h1>");
    writer.println("</body></html>");
}
/** Lifecycle hook left empty: this servlet holds no resources that need releasing. */
@Override
public void destroy() {
}
}Filter:
40package com.example.xssfilter.filter;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import java.io.IOException;
import java.io.PrintWriter;
@WebFilter(filterName = "XssFilter",value = "/helloName")
public class XssFilter implements Filter {
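/**
 * Intercepts requests on the mapped route, HTML-escapes the {@code name}
 * parameter and short-circuits requests whose value contains a script keyword.
 *
 * <p>The escaped value is published as request attribute {@code name};
 * {@code getParameter("name")} downstream still returns the raw value, so
 * servlets behind this filter must read the attribute, not the parameter.</p>
 *
 * <p>The keyword check is a teaching demo, not a complete XSS defence: the
 * reliable mitigation is context-aware output encoding at render time.</p>
 *
 * @param servletRequest  the incoming request
 * @param servletResponse the outgoing response
 * @param filterChain     the remaining chain, invoked unless the request is blocked
 * @throws IOException      if the response cannot be written
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    System.out.println("XssFilter doFilter");
    String param = servletRequest.getParameter("name");
    if (param != null) {
        // Replace '&' first, otherwise the entities inserted below would be re-escaped.
        // The original replace("<","<") was a no-op: it put the same character back.
        String escaped = param.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
        servletRequest.setAttribute("name", escaped);
        // Fixed-locale, case-insensitive match: a plain contains("script") misses
        // "SCRIPT", and the default locale's case mapping (Turkish dotless i) could too.
        if (param.toLowerCase(java.util.Locale.ROOT).contains("script")) {
            // Obtain the writer only on this path: calling getWriter() before the
            // chain runs breaks downstream servlets that use getOutputStream().
            servletResponse.setContentType("text/plain;charset=UTF-8");
            PrintWriter out = servletResponse.getWriter();
            out.write("this is xss");
            return;
        }
    }
    filterChain.doFilter(servletRequest, servletResponse);
}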
/** Logs filter shutdown, then hands off to the interface's default {@code destroy}. */
@Override
public void destroy() {
    System.out.println("XssFilter destroy");
    Filter.super.destroy();
}
/**
 * Logs filter start-up, then hands off to the interface's default {@code init}.
 *
 * @param filterConfig configuration supplied by the container
 * @throws ServletException propagated from the default implementation
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
    System.out.println("XssFilter init");
    Filter.super.init(filterConfig);
}
}注意如果是 value=”/*” 代表,这个是所有路径都要使用的
尝试访问
输入script 的时候会输出xss
正常的请求