public class SecurityFilter extends JcmsServletFilter implements javax.servlet.Filter
Declare the filter in web.xml:

```xml
<filter>
  <filter-name>securityFilter</filter-name>
  <filter-class>com.jalios.jcms.servlet.SecurityFilter</filter-class>
  <init-param>
    <param-name>enabled</param-name>
    <param-value>true</param-value>
  </init-param>

  <!-- 1. Should the redirect value be filtered? -->
  <init-param>
    <param-name>filterRedirect</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- List of valid redirect start values. You should list every combination of:
       - scheme (http/https)
       - port (none, 80, 443)
       - domain and IP (jalios.com, www.jalios.com, )
       - path (/) -->
  <init-param>
    <param-name>validRedirectURLs</param-name>
    <param-value>
      http://localhost:8080/jcms/
      http://127.0.0.1:8080/jcms/
    </param-value>
  </init-param>
  <!-- List of valid redirect perl5 regular expression patterns. -->
  <init-param>
    <param-name>validRedirectURLsRegexp</param-name>
    <param-value>
      https?://(127\.0\.0\.1|localhost)/jcms/.*
      https?://(127\.0\.0\.1|localhost):(8080|8443)/jcms/.*
    </param-value>
  </init-param>

  <!-- 2. Should XSS attempts be filtered? -->
  <init-param>
    <param-name>filterXSS</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- List of parameters to check for XSS attempts. -->
  <init-param>
    <param-name>paramsToCheckForXSS</param-name>
    <param-value>redirect id portal</param-value>
  </init-param>

  <!-- Optional redirect URL (relative to the webapp or absolute) used when a security error is detected -->
  <init-param>
    <param-name>redirectURL</param-name>
    <param-value>custom/reportSecurityError.jsp</param-value>
  </init-param>
</filter>
```

And add this filter mapping:

```xml
<filter-mapping>
  <filter-name>securityFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Here is an example JSP that displays information about the detected attempt:

```jsp
<%@ include file='/jcore/doInitPage.jsp' %>
<%
  String invalidRedirect = (String) session.getAttribute(SecurityFilter.INVALID_REDIRECT_KEY);
  session.removeAttribute(SecurityFilter.INVALID_REDIRECT_KEY);
  String invalidParam = (String) session.getAttribute(SecurityFilter.INVALID_PARAM_KEY);
  session.removeAttribute(SecurityFilter.INVALID_PARAM_KEY);
%>
Someone is trying to hack this site.<br />
redirect: <%= Util.escapeHtml(invalidRedirect) %><br />
param: <%= Util.escapeHtml(invalidParam) %>
```
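To check what a given `validRedirectURLs` / `validRedirectURLsRegexp` configuration actually accepts before deploying it, here is an added stand-alone Java check (my own code, not part of JCMS or this class). It assumes the semantics the comments above describe: entries of `validRedirectURLs` are matched as URL prefixes, patterns of `validRedirectURLsRegexp` must match the whole redirect value, and both values are whitespace-separated lists; the class and method names are mine.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration (not JCMS code): assumed semantics of the two redirect init-params.
public class RedirectAllowList {
    private final List<String> validPrefixes = new ArrayList<>();
    private final List<Pattern> validPatterns = new ArrayList<>();

    // Both init-param values are whitespace-separated lists, as written in web.xml above.
    public RedirectAllowList(String validRedirectURLs, String validRedirectURLsRegexp) {
        validPrefixes.addAll(split(validRedirectURLs));
        for (String regex : split(validRedirectURLsRegexp)) {
            validPatterns.add(Pattern.compile(regex));
        }
    }

    private static List<String> split(String value) {
        String v = value == null ? "" : value.trim();
        return v.isEmpty() ? new ArrayList<>() : Arrays.asList(v.split("\\s+"));
    }

    // Accept when the value starts with a listed URL (assumed prefix semantics) or when a
    // pattern matches the whole value (Matcher.matches, not find, so patterns are anchored).
    public boolean isAllowed(String redirect) {
        if (redirect == null || redirect.isEmpty()) return true; // no redirect requested
        for (String prefix : validPrefixes) if (redirect.startsWith(prefix)) return true;
        for (Pattern pattern : validPatterns) if (pattern.matcher(redirect).matches()) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample configuration, copied from the web.xml excerpt above.
        RedirectAllowList allowList = new RedirectAllowList(
            "http://localhost:8080/jcms/ http://127.0.0.1:8080/jcms/",
            "https?://(127\\.0\\.0\\.1|localhost)/jcms/.* "
          + "https?://(127\\.0\\.0\\.1|localhost):(8080|8443)/jcms/.*");
        String[] samples = {
            "http://localhost:8080/jcms/index.jsp",  // ALLOW: listed prefix
            "https://127.0.0.1:8443/jcms/admin/",    // ALLOW: second regex
            "http://localhost:9090/jcms/",           // DENY: port not in the listed combination
            "http://localhost.example.org/jcms/",    // DENY: host merely shares a prefix
            "//other.example/jcms/"                  // DENY: protocol-relative URL
        };
        for (String s : samples) {
            System.out.println((allowList.isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

The third and fourth samples show why the comment asks for every scheme/port/host combination to be listed explicitly: a prefix that stops at the host or port lets a longer host name or a different port through.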
Modifier and Type | Field and Description
---|---
static java.lang.String | INVALID_PARAM_KEY: session attribute key used when an invalid param is detected
static java.lang.String | INVALID_REDIRECT_KEY: session attribute key used when an invalid redirect is detected
static java.lang.String | REVISION

Constructor and Description
---
SecurityFilter()

Modifier and Type | Method and Description
---|---
void | destroy(): implementation of Filter.destroy() method.
void | doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain): implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.
void | init(javax.servlet.FilterConfig conf): implementation of Filter.init(javax.servlet.FilterConfig) method.

Methods inherited from class JcmsServletFilter: endFilter, initJSONBridge, processFilter
public static final java.lang.String REVISION

public static final java.lang.String INVALID_REDIRECT_KEY
Session attribute key used when an invalid redirect is detected.

public static final java.lang.String INVALID_PARAM_KEY
Session attribute key used when an invalid param is detected.

public void init(javax.servlet.FilterConfig conf) throws javax.servlet.ServletException
Implementation of Filter.init(javax.servlet.FilterConfig) method.
Specified by: init in interface javax.servlet.Filter
Throws: javax.servlet.ServletException

public void destroy()
Implementation of Filter.destroy() method.
Specified by: destroy in interface javax.servlet.Filter

public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
Implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.
Specified by: doFilter in interface javax.servlet.Filter
Throws: java.io.IOException, javax.servlet.ServletException
Copyright © 2001-2010 Jalios SA. All Rights Reserved.