Java Struts2 拦截器_Java Struts2 拦截器 interceptors
拦截器类如下所示:
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Map.Entry;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import com.edp.org.user.vo.User;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
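/**
 * Interceptor that rejects a request when any of its parameters contains a
 * fragment from a fixed SQL-keyword/punctuation blocklist.
 *
 * <p>Blocklist matching is a coarse defense-in-depth layer only: it does not
 * replace parameterized queries ({@code PreparedStatement}) in the data access
 * code, and several entries ("(", ")", "+", " and ") also reject benign input.
 *
 * @author zhangda
 */
public class SpecialCharInterceptor extends AbstractInterceptor {

    /** Action that legitimately receives special characters and is exempt from the check. */
    private static final String EXEMPT_ACTION = "getDictionaryByTypeIds";

    /** Value returned by {@link #validateDataBaseSpecialChar(ActionContext)} for a rejected request. */
    private static final String REJECTED = "error";

    /** Fragments that cause a parameter to be rejected; matched case-insensitively. Duplicates removed. */
    private static final String[] INJ_STR = {
        "exec ", "select ", "insert ", "update ", "delete", "count ", "master ", "drop ",
        "truncate ", "declare ", " or ", " and ", "--", "'", "\"", "\\\"", "(", ")", ";", "+"
    };

    // Kept per-instance (named after the runtime class) as in the original.
    final Logger logger = Logger.getLogger(getClass());

    /**
     * Rejects the request with a fixed JSON error body when a parameter fails the
     * blocklist check; otherwise continues the interceptor chain.
     *
     * @param invocation the current action invocation
     * @return {@link ActionSupport#ERROR} when rejected, else the result of the chain
     * @throws Exception propagated from {@link ActionInvocation#invoke()} or the response writer
     */
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        String msg = validateDataBaseSpecialChar(ctx);
        if (msg.isEmpty()) {
            return invocation.invoke();
        }
        // Log the action name only; parameter values are attacker-controlled and are not logged.
        logger.error("参数传入非法字符!" + " action=" + ctx.getName());
        HttpServletResponse response = ServletActionContext.getResponse();
        response.setContentType("text/html;charset=UTF-8");
        response.setCharacterEncoding("utf-8");
        PrintWriter out = response.getWriter();
        try {
            // Fixed literal: no request data is echoed into the response.
            out.print("{\"success\": false, \"errMsg\": \"参数传入非法字符\"}");
            out.flush();
        } finally {
            out.close();
        }
        return ActionSupport.ERROR;
    }

    /**
     * Checks every request parameter against the blocklist.
     *
     * @param ac the action context whose parameters are inspected
     * @return {@code ""} when all parameters pass (or the action is exempt), {@code "error"} otherwise
     */
    public String validateDataBaseSpecialChar(ActionContext ac) {
        return findRejectedParameter(ac) == null ? "" : REJECTED;
    }

    /**
     * Returns the name of the first parameter whose joined values match the blocklist,
     * or {@code null} when none does. Every parameter is inspected and every element of
     * a multi-valued parameter is joined before matching (the original returned after
     * the first {@code String[]} parameter and only ever read element 0).
     */
    private static String findRejectedParameter(ActionContext ac) {
        // equals on the constant is null-safe if the context has no action name.
        if (EXEMPT_ACTION.equals(ac.getName())) {
            return null;
        }
        Map<?, ?> params = ac.getParameters();
        if (params == null) {
            return null;
        }
        for (Map.Entry<?, ?> entry : params.entrySet()) {
            Object value = entry.getValue();
            // NOTE(review): assumes parameter values arrive as String[]; other value types are
            // not inspected — confirm against the deployed Struts version.
            if (value instanceof String[]) {
                if (!checkInject(join((String[]) value)).isEmpty()) {
                    return String.valueOf(entry.getKey());
                }
            }
        }
        return null;
    }

    /** Joins the values with a trailing "," after each element, as the original concatenation did. */
    private static String join(String[] values) {
        StringBuilder joined = new StringBuilder();
        for (String v : values) {
            joined.append(v).append(',');
        }
        return joined.toString();
    }

    /**
     * Tests a string against the blocklist.
     *
     * @param str the text to test; {@code null} is treated as empty
     * @return {@code "error"} if any blocklist fragment occurs in {@code str}, else {@code ""}
     */
    private static String checkInject(String str) {
        if (str == null) {
            return "";
        }
        // Lower-case once, with Locale.ROOT: under a Turkish default locale "I" lowercases to
        // dotless "ı", so "INSERT " would otherwise fail to match "insert ".
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String fragment : INJ_STR) {
            if (lowered.contains(fragment)) {
                return REJECTED;
            }
        }
        return "";
    }
}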
struts配置文件如下: