web.xml之过滤器详解 以及常用过滤器demo

web.xml之过滤器详解


一、过滤器介绍(是个什么东西)

Filter 使用户可以改变一个request和修改一个response。Filter 不是一个servlet,它不能产生一个response,它能够在一个request到达servlet之前预处理request,也可以在离开servlet时处理response。换种说法,filter其实是一个“servlet chaining”(servlet 链)。一个filter 的作用包括:
1. 在servlet被调用之前截获;
2. 在servlet被调用之前检查servlet request;
3. 根据需要修改request头和request数据;
4. 根据需要修改response头和response数据;
5. 在servlet被调用之后截获.


二、执行步骤

①项目启动实例化
②调用init方法初始化(为执行过滤做准备)
③调用doFilter执行过滤方法(用户在前后端交互操作时)
④调用destroy方法销毁(在线程退出、超时或者停止项目时)


三、过滤器配置

①在xml注册声明以及映射等操作
②在过滤器实现类中实现filter接口


四、过滤器接口介绍

1、init(用来初始化)
2、doFilter(用来执行具体的操作)
此方法是由Servlet容器提供给开发者的,用于对资源请求过滤链的依次调用,通过FilterChain调用过滤链中的下一个过滤器,如果是最后一个过滤器,则下一个就调用目标资源。
3、destroy(用来销毁)


重要备注:::
在web.xml中你能够配置一个filter 到一个或多个servlet;单个servlet或servlet组能够被多个filter 使用.
本次例子会附上:
1、字符集编码格式过滤
2、sql防注入过滤
3、不缓存页面的过滤器



具体的代码案例
一、配置

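<!-- Declares the filter: a logical name plus the class that implements it. -->
<filter>
		<!-- Logical name; filter-mapping entries refer to the filter by this name. -->
		<filter-name>patronliFilter</filter-name>
		<!-- Fully qualified name of the class implementing javax.servlet.Filter. -->
		<!-- NOTE(review): the package below has an empty segment and does not match the
		     com.patronli.servlet classes shown on this page; replace it with the real class name. -->
		<filter-class>com..servlet.FwpFilter</filter-class>
</filter>
<!-- Maps the filter onto the requests it intercepts. -->
<filter-mapping>
		<filter-name>patronliFilter</filter-name>
		<!-- /* applies the filter to every URL of the web application. -->
		<url-pattern>/*</url-pattern>
		<!-- The filter runs on direct client requests and on server-side forwards only.
		     INCLUDE and ERROR dispatches are not listed, so they bypass this filter. -->
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
</filter-mapping>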
<!-- 如果想要配置多个过滤器,可以依次向下写 -->


二、具体的实现类以及实现的拦截功能(字符集编码格式过滤)
package com.patronli.servlet;

import java.io.IOException;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringEscapeUtils;

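/**
 * Servlet filter that forces UTF-8 on the request and the response and prints
 * the request URI and every request parameter to standard output before
 * handing the request to the next element of the filter chain.
 *
 * <p>NOTE(review): the parameter dump writes raw user input, which can include
 * passwords or tokens, to the server log. Restrict it to test environments or
 * mask sensitive parameter names before enabling it in production.
 */
public class patronliFilter implements Filter {

	/**
	 * Called by the container when the filter is put into service.
	 *
	 * @param arg0 filter configuration supplied by the container (unused)
	 */
	@Override
	public void init(FilterConfig arg0) throws ServletException {
		// The original printed the "destroy" message here; the two messages were swapped.
		System.out.println("执行了初始化方法......");
	}

	/**
	 * Sets the character encoding, logs the request and continues the chain.
	 *
	 * @param arg0 incoming request; cast to {@link HttpServletRequest}
	 * @param arg1 outgoing response; cast to {@link HttpServletResponse}
	 * @param arg2 remaining filter chain
	 * @throws IOException      propagated from the chain
	 * @throws ServletException propagated from the chain
	 */
	@Override
	public void doFilter(ServletRequest arg0, ServletResponse arg1,
			FilterChain arg2) throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) arg0;
		HttpServletResponse response = (HttpServletResponse) arg1;

		// The request encoding has to be set before the first parameter is read,
		// otherwise the container has already decoded the parameters.
		request.setCharacterEncoding("utf-8");
		response.setCharacterEncoding("utf-8");

		Map<String, String[]> parameters = request.getParameterMap();
		System.out.println("请求或响应的地址为:::" + singleLine(request.getRequestURI()));
		for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
			for (String value : entry.getValue()) {
				// Line breaks are neutralised so that a parameter value cannot
				// forge additional log lines.
				System.out.println("请求或响应的参数有:::" + singleLine(entry.getKey())
						+ ":" + singleLine(value));
				// The original assigned StringEscapeUtils.escapeHtml(value) to the
				// loop variable here. That result was never written back to the
				// request, so it escaped nothing; it is removed to avoid the
				// impression that this filter protects against XSS. Encode values
				// where they are written into HTML instead.
			}
		}

		// Continue with the next filter, or the target resource if this is the last one.
		arg2.doFilter(arg0, arg1);
	}

	/** Called by the container when the filter is taken out of service. */
	@Override
	public void destroy() {
		// The original printed the "init" message here; the two messages were swapped.
		System.out.println("执行了销毁的方法...");
	}

	/** Replaces CR and LF with '_' so the text stays on one log line; null becomes "null". */
	private static String singleLine(String text) {
		if (text == null) {
			return "null";
		}
		return text.replace('\r', '_').replace('\n', '_');
	}

}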


(sql防注入过滤)

package com.patronli.servlet;


import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fuiou.fwp.util.ConfigReader;

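/**
 * Filter that rejects a request when its parameter values contain one of a
 * fixed list of SQL keywords or symbols.
 *
 * <p>Limits a maintainer should know about:
 * <ul>
 *   <li>Only values returned by {@code getParameterValues} are inspected.
 *       Parameter names, headers, cookies and raw request bodies are not.</li>
 *   <li>Matching is a plain substring test, and the list contains very common
 *       fragments such as "or", "by", "-", "," and "/", so ordinary input
 *       (a hyphenated name, a date, the word "order") is rejected as well.</li>
 *   <li>A keyword blacklist is not a complete defence against SQL injection.
 *       Data-access code still has to use parameterized statements; treat this
 *       filter as an additional layer at most.</li>
 * </ul>
 */
public class PatronliFilter implements Filter {

	/**
	 * Blacklisted fragments, split once at class load instead of on every
	 * request. The list and its order are unchanged from the original (it
	 * contains duplicates; the first match wins).
	 */
	private static final String[] BAD_TOKENS = (
			"'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|"
			+ "char|declare|sitename|net user|xp_cmdshell|;|or|+|,|like'|and|exec|execute|insert|create|drop|"
			+ "table|from|grant|use|group_concat|column_name|"
			+ "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|"
			+ "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#|=|(|scrip").split("\\|");

	/** No initialisation is required. */
	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
	}

	/**
	 * Concatenates all parameter values of the request and redirects to the
	 * error page when the result contains a blacklisted fragment; otherwise the
	 * request continues down the chain.
	 *
	 * @param request  incoming request; cast to {@link HttpServletRequest}
	 * @param response outgoing response; cast to {@link HttpServletResponse}
	 * @param chain    remaining filter chain
	 * @throws IOException      from the redirect or the chain
	 * @throws ServletException from the chain
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse res = (HttpServletResponse) response;
		System.out.print(req.getRequestURL());

		// Values are joined without a separator, exactly as before, so a fragment
		// can also match across two adjacent values.
		StringBuilder joined = new StringBuilder();
		Enumeration<?> names = req.getParameterNames();
		while (names.hasMoreElements()) {
			String name = names.nextElement().toString();
			String[] values = req.getParameterValues(name);
			if (values == null) {
				continue;
			}
			for (String value : values) {
				joined.append(value);
			}
		}

		if (sqlValidate(joined.toString())) {
			// Send the client to the error page instead of the target resource.
			res.sendRedirect(req.getContextPath() + "/500.jsp");
			return;
		}
		chain.doFilter(req, res);
	}

	/**
	 * Checks a string against the blacklist.
	 *
	 * @param str text to check; {@code null} is treated as clean
	 * @return {@code true} if {@code str} contains a blacklisted fragment,
	 *         ignoring case
	 */
	protected static boolean sqlValidate(String str) {
		if (str == null) {
			return false;
		}
		// Locale.ROOT keeps the lower-casing independent of the server's default
		// locale, so keyword matching behaves the same on every host.
		String lowered = str.toLowerCase(java.util.Locale.ROOT);
		// NOTE(review): this logs the submitted values of every request, which can
		// include credentials. Line breaks are neutralised to prevent forged log
		// lines; consider logging only the matched fragment in production.
		String printable = lowered.replace('\r', '_').replace('\n', '_');
		System.out.println("防sql注入过滤:" + printable);
		for (String token : BAD_TOKENS) {
			if (lowered.contains(token)) {
				System.out.println(printable + " ====触犯sql注入规则==》" + token);
				return true;
			}
		}
		return false;
	}

	/** Nothing to release. */
	@Override
	public void destroy() {
	}
}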


(不缓存页面的过滤器 -有借鉴)

package com.patronli.servlet;


import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fuiou.fwp.util.ConfigReader;

       
       
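/**
 * Filter that tells the browser not to cache the pages it is mapped to.
 *
 * <p>The headers are written before the chain is invoked, because the response
 * may already be committed once the target resource has run.
 */
public class patronliFilter implements Filter {

    /** No initialisation is required. */
    public void init(FilterConfig arg0) throws ServletException {
    }

    /**
     * Adds the anti-caching headers and continues the chain.
     *
     * @param request     incoming request, passed on unchanged
     * @param response    outgoing response; headers are added when it is an HTTP response
     * @param filterChain remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        // Guarding the cast lets a non-HTTP response pass through instead of
        // failing with a ClassCastException.
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // "no-cache" alone only forces revalidation and still allows a copy to
            // be stored. "no-store" is what keeps the page out of browser and proxy
            // caches, which matters for pages that show sensitive data.
            http.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            // Pragma and Expires cover HTTP/1.0 clients and proxies.
            http.setHeader("Pragma", "no-cache");
            http.setDateHeader("Expires", -1);
        }
        filterChain.doFilter(request, response);
    }

    /** Nothing to release. */
    public void destroy() {
    }
}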


转载自patronli.iteye.com/blog/2331889