
xssFilter增加白名单配置

zhouchenglin 6 سال پیش

+ 4 - 7
src/main/java/net/chenlin/dp/common/support/config/WebConfig.java

@@ -20,8 +20,8 @@ import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
-import javax.servlet.DispatcherType;
 import java.io.File;
+import java.util.Arrays;
 import java.util.Properties;
 
 /**
@@ -77,7 +77,6 @@ public class WebConfig implements WebMvcConfigurer, ErrorPageRegistrar {
         registration.setFilter(new DelegatingFilterProxy("shiroFilter"));
         //该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理
         registration.addInitParameter("targetFilterLifecycle", "true");
-        registration.setEnabled(true);
         registration.setOrder(Integer.MAX_VALUE - 1);
         registration.addUrlPatterns("/*");
         return registration;
@@ -89,12 +88,10 @@ public class WebConfig implements WebMvcConfigurer, ErrorPageRegistrar {
      */
     @Bean
     public FilterRegistrationBean xssFilterRegistration() {
-        FilterRegistrationBean registration = new FilterRegistrationBean();
-        registration.setDispatcherTypes(DispatcherType.REQUEST);
-        registration.setFilter(new XssFilter());
+        XssFilter xssFilter = new XssFilter();
+//        xssFilter.setUrlExclusion(Arrays.asList("/rest/testAnon"));
+        FilterRegistrationBean registration = new FilterRegistrationBean(xssFilter);
         registration.addUrlPatterns("/*");
-        registration.setName("xssFilter");
-        registration.setOrder(Integer.MAX_VALUE);
         return registration;
     }
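Review bot: The whitelist this commit introduces is never applied from `xssFilterRegistration`: the only `setUrlExclusion(...)` call is commented out, so the filter is registered with `urlExclusion` left at its `null` default, and the added `java.util.Arrays` import is now unused. If the exclusion list is meant to be configurable, wire it to a property instead of a hard-coded, commented-out path; if it is not needed yet, remove the dead line and the import. The hunk also drops `setName("xssFilter")`, `setOrder(Integer.MAX_VALUE)` and `setDispatcherTypes(DispatcherType.REQUEST)` without comment; I believe the framework defaults for order and dispatcher type are equivalent for a plain `Filter`, but that is worth confirming, and the registration name will now be derived rather than explicit, which matters if anything references the filter by that name.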
 

+ 24 - 4
src/main/java/net/chenlin/dp/common/xss/XssFilter.java

@@ -3,6 +3,7 @@ package net.chenlin.dp.common.xss;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
+import java.util.List;
 
 /**
  * XSS过滤
@@ -10,19 +11,38 @@ import java.io.IOException;
  */
 public class XssFilter implements Filter {
 
+	private FilterConfig filterConfig = null;
+
+	private List<String> urlExclusion = null;
+
 	@Override
-	public void init(FilterConfig config) throws ServletException {
+	public void init(FilterConfig config) {
+		this.filterConfig = config;
 	}
 
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
-		XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
-				(HttpServletRequest) request);
-		chain.doFilter(xssRequest, response);
+		HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+		String servletPath = httpServletRequest.getServletPath();
+		httpServletRequest.getParameterMap();
+		if (!urlExclusion.isEmpty() && urlExclusion.contains(servletPath)) {
+			chain.doFilter(request, response);
+		} else {
+			chain.doFilter(new XssHttpServletRequestWrapper(httpServletRequest), response);
+		}
 	}
 
 	@Override
 	public void destroy() {
+		this.filterConfig = null;
+	}
+
+	public List<String> getUrlExclusion() {
+		return urlExclusion;
+	}
+
+	public void setUrlExclusion(List<String> urlExclusion) {
+		this.urlExclusion = urlExclusion;
 	}
 
 }
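Review bot: `doFilter` dereferences `urlExclusion` unconditionally in `!urlExclusion.isEmpty() && urlExclusion.contains(servletPath)`, but the field defaults to `null` and `setUrlExclusion` is the only writer, so a registration that never sets an exclusion list (the configuration in this same commit leaves the call commented out) throws a NullPointerException on every request instead of filtering. The `isEmpty()` test is also redundant with `contains`; the guard should be `if (urlExclusion != null && urlExclusion.contains(servletPath)) {`, or the field should be initialised to an empty list. The bare `httpServletRequest.getParameterMap();` call discards its result; if it is there to force parameter parsing before the request is wrapped, say so in a comment such as `// force parameter parsing on the raw request before wrapping`, otherwise remove it. Finally, a matched exclusion bypasses XSS sanitisation entirely for that path, so a one-line Javadoc on `setUrlExclusion` stating that entries are compared by exact `getServletPath()` equality and receive no escaping would help the next maintainer.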