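Sometimes a site needs to control its output so that illegal content or sensitive information is not sent out. A filter can do this by replacing content. It works as follows: when the Servlet writes content to the response, the response buffers it; the Filter performs the replacement on the buffered content and then sends the result to the client browser. Because the default response does not strictly buffer its output, a custom response with buffering capability is needed.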
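A custom response can be implemented by extending the javax.servlet.http.HttpServletResponseWrapper class. That class implements all methods of the javax.servlet.http.HttpServletResponse interface, so you only override the methods you need. The code is as follows: HttpCharacterResponseWrapper.java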
package com.yzj.response;

import java.io.CharArrayWriter;
import java.io.PrintWriter;

import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class HttpCharacterResponseWrapper extends HttpServletResponseWrapper {

    // Character-array Writer that buffers everything the servlet writes
    private final CharArrayWriter charArrayWriter = new CharArrayWriter();

    public HttpCharacterResponseWrapper(HttpServletResponse response) {
        super(response);
    }

    // Override the parent method: return a Writer backed by the
    // character array, so the content is buffered instead of sent
    @Override
    public PrintWriter getWriter() {
        return new PrintWriter(charArrayWriter);
    }

    // Getter for the buffered content
    public CharArrayWriter getCharArrayWriter() {
        return charArrayWriter;
    }
}
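This class overrides the getWriter() method. When a servlet calls getWriter() on this response object to write output, the content is written into the CharArrayWriter object, which gives the buffering effect.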
In the Filter, the custom response must be passed into the servlet. The code is as follows: OutputReplaceFilter.java
package com.yzj.filter;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import com.yzj.response.HttpCharacterResponseWrapper;

public class OutputReplaceFilter implements Filter {

    // Illegal and sensitive words, loaded from the file named in the init parameter
    private final Properties pp = new Properties();

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpCharacterResponseWrapper responseWrapper =
                new HttpCharacterResponseWrapper((HttpServletResponse) response);

        // Run the rest of the chain with the custom response
        chain.doFilter(request, responseWrapper);

        // Get the content buffered by responseWrapper
        String output = responseWrapper.getCharArrayWriter().toString();

        // Iterate over all sensitive words
        for (String key : pp.stringPropertyNames()) {
            // Replace the sensitive word
            output = output.replace(key, pp.getProperty(key));
        }

        // Write through the original response's getWriter()
        PrintWriter out = response.getWriter();
        out.write(output);
        out.println("<!--Generated at " + new java.util.Date() + "-->");
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Location of the configuration file
        String file = filterConfig.getInitParameter("file");
        // Actual location of the file on disk (null if it cannot be resolved)
        String realPath = (file == null)
                ? null : filterConfig.getServletContext().getRealPath(file);
        if (realPath == null) {
            throw new ServletException("Cannot resolve word list file: " + file);
        }
        // Read through a UTF-8 Reader: Properties.load(InputStream) assumes
        // ISO-8859-1 and would corrupt non-ASCII keys in the word list
        try (Reader in = new InputStreamReader(
                new FileInputStream(realPath), StandardCharsets.UTF_8)) {
            pp.load(in);
        } catch (IOException e) {
            // Fail at startup instead of silently filtering with an empty word list
            throw new ServletException("Cannot load word list file: " + realPath, e);
        }
    }
}
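In this example the custom response is only a "disguised" response. The Servlet writes its output through it, but it merely buffers the content and does not actually send anything to the client. The final output to the client is still done through the original response.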
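The list of illegal words is configured in a properties file and passed to the content-replacement Filter through a Filter init parameter. The contents of the properties file are as follows: sensitive.properties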
#amend
Chna = China
www.baidu.com.cn = ww.baidu.com

#replace
色情 = **
** = **
** = **
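The filter's loop runs one replace per key in whatever order the Properties table yields, so overlapping keys give order-dependent results and the output of one rule can be rewritten again by a later rule. The following added example (not code from the original post; the class name WordListReplacer and the third rule are constructed for illustration) applies the whole word list in a single pass, longest key first, and goes beyond the original by matching case-insensitively.

```java
import java.util.*;
import java.util.regex.*;

public class WordListReplacer {
    private final List<String> replacements = new ArrayList<>();
    private final Pattern pattern;   // null when the word list is empty

    public WordListReplacer(Map<String, String> wordList) {
        // TreeSet gives a deterministic starting order for the stable sort below
        List<String> keys = new ArrayList<>(new TreeSet<>(wordList.keySet()));
        keys.removeIf(String::isEmpty);   // an empty key would match everywhere
        // Longest key first: when two keys match at the same position, the longer wins
        keys.sort(Comparator.comparingInt(String::length).reversed());
        StringBuilder regex = new StringBuilder();
        for (String key : keys) {
            if (regex.length() > 0) regex.append('|');
            // Keys are literals, not regexes; one capture group per key
            regex.append('(').append(Pattern.quote(key)).append(')');
            replacements.add(wordList.get(key));
        }
        pattern = keys.isEmpty() ? null : Pattern.compile(regex.toString(),
                Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE);
    }

    // Replaces every match once; replaced text is never scanned again
    public String apply(String text) {
        if (pattern == null) return text;
        Matcher m = pattern.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            for (int g = 1; g <= m.groupCount(); g++) {
                if (m.group(g) != null) {   // group index identifies the matched key
                    m.appendReplacement(out,
                            Matcher.quoteReplacement(replacements.get(g - 1)));
                    break;
                }
            }
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("Chna", "China");                      // from sensitive.properties
        rules.put("www.baidu.com.cn", "ww.baidu.com");   // from sensitive.properties
        rules.put("www.baidu.com", "[blocked]");         // constructed overlapping rule
        WordListReplacer replacer = new WordListReplacer(rules);
        System.out.println(replacer.apply("chna / Chna / www.baidu.com.cn"));
    }
}
```

With sequential replace calls, the constructed third rule could fire first and leave "[blocked].cn"; in the single pass the longer key always takes the match.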
The configuration file for the content-replacement Filter. web.
<filter>
    <filter-name>OutputReplaceFilter</filter-name>
    <filter-class>
        com.yzj.filter.OutputReplaceFilter
    </filter-class>
    <init-param>
        <param-name>file</param-name>
        <param-value>/WEB-INF/sensitive.properties</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>OutputReplaceFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
The JSP file code is as follows: replace.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>

Chna <br/>
<br/>
色情 <br/>
** <br/>
** <br/>
<br/>
www.baidu.com.cn <br/>

</body>
</html>
Original title: Content-replacement Filter