当前位置:   article > 正文

Spring过滤json中的XSS_springmvc防止json内容xss

springmvc防止json内容xss

spring处理json是通过MappingJackson2HttpMessageConverter实现的。

而MappingJackson2HttpMessageConverter中的read()和writeInternal()分别对应json的请求和响应。

也就是说我们的过滤工作就这两个方法中展开。

writeInternal首先创建一个类并继承MappingJackson2HttpMessageConverter,我创建的是XSSMappingJackson2HttpMessageConverter

在spring-mvc.xml中找到

<bean id="mappingJacksonHttpMessageConverter"
class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">

//中间省略

</bean>
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6

将MappingJackson2HttpMessageConverter替换成XSSMappingJackson2HttpMessageConverter

打开XSSMappingJackson2HttpMessageConverter,重写read()

@Override
public Object read(Type type, Class<?> contextClass,
HttpInputMessage inputMessage) throws IOException,
HttpMessageNotReadableException {
JavaType javaType = getJavaType(type, contextClass);
Object obj = readJavaType(javaType, inputMessage);
String json = super.getObjectMapper().writeValueAsString(obj);
json = cleanXSS(json.toString());
Object obj1 = super.getObjectMapper().readValue(json, javaType);
return obj1;
}


// 这个就是父类的readJavaType方法,由于父类该方法是private的,所以我们copy一个用
private Object readJavaType(JavaType javaType, HttpInputMessage inputMessage) {
try {
return super.getObjectMapper().readValue(inputMessage.getBody(),
javaType);
} catch (IOException ex) {
throw new HttpMessageNotReadableException("Could not read JSON: "
+ ex.getMessage(), ex);
}
}


private String cleanXSS(String value) {
return Jsoup.clean(value.toString(), Whitelist.relaxed());
}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28

以上RequestBody的XSS过滤就完成,接下来是ResponseBody的过滤

// 重写writeInternal方法,在返回内容前首先进行加密
@Override
protected void writeInternal(Object object, HttpOutputMessage outputMessage)
throws IOException, HttpMessageNotWritableException {
// 使用Jackson的ObjectMapper将Java对象转换成Json String
String json = super.getObjectMapper().writeValueAsString(object);
String result = cleanXSS(json.toString());
// 输出
outputMessage.getBody().write(result.getBytes());
}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10

完整代码

package com.meadin.funding.filter;


import java.io.IOException;
import java.lang.reflect.Type;


import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.HttpOutputMessage;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.http.converter.HttpMessageNotWritableException;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;


import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;


public class XSSMappingJackson2HttpMessageConverter extends
MappingJackson2HttpMessageConverter {


@Override
public Object read(Type type, Class<?> contextClass,
HttpInputMessage inputMessage) throws IOException,
HttpMessageNotReadableException {
JavaType javaType = getJavaType(type, contextClass);
Object obj = readJavaType(javaType, inputMessage);
String json = super.getObjectMapper().writeValueAsString(obj);
String result = cleanXSS(json.toString());
Object resultObj = super.getObjectMapper().readValue(result, javaType);
return resultObj;
}


// 这个就是父类的readJavaType方法,由于父类该方法是private的,所以我们copy一个用
private Object readJavaType(JavaType javaType, HttpInputMessage inputMessage) {
try {
return super.getObjectMapper().readValue(inputMessage.getBody(),
javaType);
} catch (IOException ex) {
throw new HttpMessageNotReadableException("Could not read JSON: "
+ ex.getMessage(), ex);
}
}


// 重写writeInternal方法,在返回内容前首先进行加密
@Override
protected void writeInternal(Object object, HttpOutputMessage outputMessage)
throws IOException, HttpMessageNotWritableException {
// 使用Jackson的ObjectMapper将Java对象转换成Json String
String json = super.getObjectMapper().writeValueAsString(object);
String result = cleanXSS(json.toString());
// 输出
outputMessage.getBody().write(result.getBytes());
}


private String cleanXSS(String value) {
return Jsoup.clean(value.toString(), Whitelist.relaxed());
}
}

<!--避免IE执行AJAX时,返回JSON出现下载文件 -->
<bean id="mappingJacksonHttpMessageConverter"
class="com.meadin.funding.filter.XSSMappingJackson2HttpMessageConverter">
<property name="supportedMediaTypes">
<list>
<value>text/html;charset=UTF-8</value>
<!-- 要返回json格式正常必须设置为application/json;charset=UTF-8 -->
<value>application/json;charset=UTF-8</value>
</list>
</property>
<property name="objectMapper">
<bean class="com.fasterxml.jackson.databind.ObjectMapper">
<!-- 属性值为null时隐藏 -->
<property name="serializationInclusion">
<value type="com.fasterxml.jackson.annotation.JsonInclude.Include">NON_NULL</value>
</property>
<!-- 处理responseBody 里面日期类型 -->
<property name="dateFormat">
<bean class="java.text.SimpleDateFormat">
<constructor-arg type="java.lang.String" value="yyyy-MM-dd HH:mm:ss" />
</bean>
</property>
</bean>
</property>
</bean>
<!-- 配合在实体类中的注解,将string类型自动转换成date类型存储 -->
<mvc:annotation-driven>
<mvc:message-converters>
<ref bean="mappingJacksonHttpMessageConverter" />
</mvc:message-converters>
</mvc:annotation-driven>
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97

有关资料:

http://www.scienjus.com/custom-http-message-converter/

http://www.scienjus.com/spring-mvc-use-skill/#disqus_thread

http://ju.outofmemory.cn/entry/63726

http://blog.csdn.net/cdnight/article/details/24415275

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/木道寻08/article/detail/921527
推荐阅读
相关标签
  

闽ICP备14008679号