J2EE security issues (Spring MVC XSS, file upload type restriction, Resin banner modification)

There are many security issues; three are covered here:
1. XSS filtering
2. Restricting uploaded file types in Spring
3. Modifying the Resin banner (changing the server information) 《@中國人叔叔-lt》
Part one: XSS filtering
XSS filtering in a web project can be done by creating a filter that parses the parameters in the request and replaces anything special it finds. There is a post online, "springmvc xss解決方案" (Spring MVC XSS solution), that implements it this way, and many people, to save themselves trouble, like to paste the code in and consider the problem solved. But sometimes you do run into problems, so here is an example. When Spring MVC handles an upload it converts the ServletRequest object into a MultipartHttpServletRequest, but during XSS handling you have already converted the ServletRequest into an XssHttpServletRequestWrapper. After the filter has run, the conversion to MultipartHttpServletRequest in the controller fails with an error. So the XSS handling can be adjusted simply: when the request is a file upload, skip the XSS filtering. The code is as follows:

```java
package Interceptors.xss;

import common.http.XssHttpServletRequestWrapper;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Created by 18621 on 2017/7/25.
 */
public class XssFilter implements Filter {

    FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        String contentType = request.getContentType();
        // For uploads, do not wrap the request in the XSS wrapper; return here
        // so that the chain is not invoked a second time below
        if (contentType != null && contentType.toLowerCase().startsWith("multipart/")) {
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new XssHttpServletRequestWrapper(
                (HttpServletRequest) request), response);
    }

}
```

Part two: restricting uploaded file types in Spring MVC. Create an interceptor; the filtering code is as follows:
```java
package Interceptors.fileupload;

import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * @author liting
 * @version Revision:1.8 2014-2-26
 * @author (Date:2015/11/13 09:06:19 modification by Author:liting )
 * @since 1.0, upload interceptor: every multipart request passes through here
 *        and is rejected if any uploaded file has a disallowed extension
 */
public class FileUploadInterceptors implements HandlerInterceptor {

    // Allowed upload extensions, lower-case, compared as whole tokens
    private static final Set<String> ALLOWED_SUFFIXES = new HashSet<String>(Arrays.asList(
            "jpg", "gif", "png", "ico", "bmp", "jpeg", "zip", "zp", "rar",
            "doc", "docx", "excel", "xls", "xlsx"));

    // preHandle returning true lets the request continue to its handler;
    // false stops it (the error response has then already been written here)
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        boolean flag = true;
        // Only multipart (file upload) requests are inspected
        if (request instanceof MultipartHttpServletRequest) {
            MultipartHttpServletRequest multipartRequest =
                    (MultipartHttpServletRequest) request;
            Map<String, MultipartFile> files = multipartRequest.getFileMap();
            // Check every file part of the multipart request
            for (MultipartFile multipartFile : files.values()) {
                String filename = multipartFile.getOriginalFilename();
                // Reject the whole request if any file has a disallowed type
                if (!checkFile(filename)) {
                    flag = false;
                }
            }
        }
        if (!flag) {
            // Returning false without writing a response would leave the client
            // with an empty 200; send an explicit error instead
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "file type not allowed");
        }
        return flag;
    }

    public void postHandle(HttpServletRequest request,
                           HttpServletResponse response, Object handler,
                           ModelAndView modelAndView) throws Exception {
        //System.out.println("Post-handle");
    }

    public void afterCompletion(HttpServletRequest request,
                                HttpServletResponse response, Object handler, Exception ex)
            throws Exception {
        //System.out.println("After completion handle");
    }

    /**
     * Returns true if the file's extension is an allowed upload type.
     * A file without an extension, or with an empty one ("name."), is rejected.
     * The original used String.contains on a comma-separated list, which is a
     * substring test: "" or "p" would have passed. A Set lookup compares whole tokens.
     */
    private boolean checkFile(String fileName) {
        if (fileName == null) {
            return false;
        }
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            return false;
        }
        String suffix = fileName.substring(dot + 1).trim().toLowerCase();
        return ALLOWED_SUFFIXES.contains(suffix);
    }

}
```
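Checking the extension alone, as the interceptor above does, trusts the client-supplied filename: any content can be uploaded under an allowed extension. As an added example that is not the post's code, the class below pairs the allowlist idea with a file-signature ("magic number") check on the leading bytes of the upload, and goes beyond the post in covering the image and zip types on its list; the class name and method names are assumptions.

```java
package Interceptors.fileupload;

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/** Added example (not the post's own code): an upload passes only when the extension is
 *  allowed AND the leading bytes carry that format's signature, so a non-image renamed
 *  to .jpg is rejected despite its extension. */
public final class UploadSignatureCheck {

    // Leading bytes ("magic numbers") of the image/archive types on the post's allowlist.
    private static final Map<String, byte[][]> SIGNATURES = new HashMap<String, byte[][]>();
    static {
        SIGNATURES.put("jpg",  new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} });
        SIGNATURES.put("jpeg", SIGNATURES.get("jpg"));
        SIGNATURES.put("png",  new byte[][] { {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A} });
        SIGNATURES.put("gif",  new byte[][] { {'G', 'I', 'F', '8', '7', 'a'}, {'G', 'I', 'F', '8', '9', 'a'} });
        SIGNATURES.put("bmp",  new byte[][] { {'B', 'M'} });
        SIGNATURES.put("zip",  new byte[][] { {'P', 'K', 0x03, 0x04} });
    }

    /** Lower-cased extension after the last dot, or null when there is none ("name."). */
    static String extensionOf(String fileName) {
        if (fileName == null) return null;
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) return null;
        return fileName.substring(dot + 1).trim().toLowerCase();
    }

    /** True when the first bytes of the content match a known signature for the extension. */
    static boolean contentMatchesExtension(byte[] head, String ext) {
        byte[][] candidates = SIGNATURES.get(ext);
        if (candidates == null || head == null) return false;  // unknown type: not accepted here
        for (byte[] sig : candidates) {
            if (head.length >= sig.length && Arrays.equals(Arrays.copyOf(head, sig.length), sig)) {
                return true;
            }
        }
        return false;
    }

    /** Combined decision; head is e.g. the first 8 bytes of MultipartFile.getBytes(). */
    static boolean isAcceptable(String fileName, byte[] head) {
        String ext = extensionOf(fileName);
        return ext != null && contentMatchesExtension(head, ext);
    }
}
```

A valid image header followed by arbitrary content still passes a signature check, so uploads must also be stored outside the web root and never executed or interpreted by the server. Types without a signature entry here (doc, docx, rar, xls, ico) are rejected by isAcceptable; add their signatures before using it for those.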
Part three: modifying the Resin banner
What is the Resin banner? When debugging in the browser you can see the server's information, such as which server it is and its version number. This information can serve as auxiliary information for an attacker, so it should be changed to incorrect information. Under Resin's lib directory is resin.jar; modify Version.class inside the package: decompile it, edit it, then copy it back into the JAR.

```java
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

package com.caucho;

public final class Version {
    public static final String COPYRIGHT = "Copyright(c) 1998-2008 Caucho Technology.  All rights reserved.";
    public static String FULL_VERSION = "Resin-3.1.12 (built Mon, 13 Oct 2014 06:45:33 PDT)";
    public static String VERSION = "3.1.12";
    public static String VERSION_DATE = "20141013T064533";

    public Version() {
    }

    public static void main(String[] argv) {
        System.out.println(FULL_VERSION);
        System.out.println("Copyright(c) 1998-2008 Caucho Technology.  All rights reserved.");
    }
}
```