| 提交 | 用户 | 时间 | ||
| e7c126 | 1 | package com.iailab.framework.xss.config; |
| H | 2 | |
| 3 | import com.iailab.framework.common.enums.WebFilterOrderEnum; | |
| 4 | import com.iailab.framework.xss.core.clean.JsoupXssCleaner; | |
| 5 | import com.iailab.framework.xss.core.clean.XssCleaner; | |
| 6 | import com.iailab.framework.xss.core.filter.XssFilter; | |
| 7 | import com.iailab.framework.xss.core.json.XssStringJsonDeserializer; | |
| 8 | import com.fasterxml.jackson.databind.ObjectMapper; | |
| 9 | import org.springframework.boot.autoconfigure.AutoConfiguration; | |
| 10 | import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; | |
| 11 | import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; | |
| 12 | import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; | |
| 13 | import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer; | |
| 14 | import org.springframework.boot.context.properties.EnableConfigurationProperties; | |
| 15 | import org.springframework.boot.web.servlet.FilterRegistrationBean; | |
| 16 | import org.springframework.context.annotation.Bean; | |
| 17 | import org.springframework.util.PathMatcher; | |
| 18 | import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; | |
| 19 | ||
| 20 | import static com.iailab.framework.web.config.IailabWebAutoConfiguration.createFilterBean; | |
| 21 | ||
| 22 | @AutoConfiguration | |
| 23 | @EnableConfigurationProperties(XssProperties.class) | |
| 24 | @ConditionalOnProperty(prefix = "iailab.xss", name = "enable", havingValue = "true", matchIfMissing = true) // 设置为 false 时,禁用 | |
| 25 | public class IailabXssAutoConfiguration implements WebMvcConfigurer { | |
| 26 | ||
| 27 | /** | |
| 28 | * Xss 清理者 | |
| 29 | * | |
| 30 | * @return XssCleaner | |
| 31 | */ | |
| 32 | @Bean | |
| 33 | @ConditionalOnMissingBean(XssCleaner.class) | |
| 34 | public XssCleaner xssCleaner() { | |
| 35 | return new JsoupXssCleaner(); | |
| 36 | } | |
| 37 | ||
| 38 | /** | |
| 39 | * 注册 Jackson 的序列化器,用于处理 json 类型参数的 xss 过滤 | |
| 40 | * | |
| 41 | * @return Jackson2ObjectMapperBuilderCustomizer | |
| 42 | */ | |
| 43 | @Bean | |
| 44 | @ConditionalOnMissingBean(name = "xssJacksonCustomizer") | |
| 45 | @ConditionalOnBean(ObjectMapper.class) | |
| 46 | @ConditionalOnProperty(value = "iailab.xss.enable", havingValue = "true") | |
| 47 | public Jackson2ObjectMapperBuilderCustomizer xssJacksonCustomizer(XssProperties properties, | |
| 48 | PathMatcher pathMatcher, | |
| 49 | XssCleaner xssCleaner) { | |
| 50 | // 在反序列化时进行 xss 过滤,可以替换使用 XssStringJsonSerializer,在序列化时进行处理 | |
| 51 | return builder -> builder.deserializerByType(String.class, new XssStringJsonDeserializer(properties, pathMatcher, xssCleaner)); | |
| 52 | } | |
| 53 | ||
| 54 | /** | |
| 55 | * 创建 XssFilter Bean,解决 Xss 安全问题 | |
| 56 | */ | |
| 57 | @Bean | |
| 58 | @ConditionalOnBean(XssCleaner.class) | |
| 59 | public FilterRegistrationBean<XssFilter> xssFilter(XssProperties properties, PathMatcher pathMatcher, XssCleaner xssCleaner) { | |
| 60 | return createFilterBean(new XssFilter(properties, pathMatcher, xssCleaner), WebFilterOrderEnum.XSS_FILTER); | |
| 61 | } | |
| 62 | ||
| 63 | } | |
