java.lang.Object
jakarta.servlet.ServletRequestWrapper
jakarta.servlet.http.HttpServletRequestWrapper
org.miaixz.bus.spring.http.MutableRequestWrapper
- All Implemented Interfaces:
jakarta.servlet.http.HttpServletRequest,jakarta.servlet.ServletRequest
public class MutableRequestWrapper
extends jakarta.servlet.http.HttpServletRequestWrapper
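Request wrapper that caches the request body and guards against XSS attacks.
This class extends HttpServletRequestWrapper. Its main functions are:
- Caches the request body so that it can be read more than once
- Applies XSS filtering to request parameters and request headers to prevent cross-site scripting attacks
- Logs request parameters to aid debugging and troubleshooting
Usage example:
    import java.io.IOException;
    import jakarta.servlet.*;
    import jakarta.servlet.http.HttpServletRequest;
    import org.miaixz.bus.spring.http.MutableRequestWrapper;

    // Use inside a filter
    public class XSSFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // Wrap the request (the constructor reads and caches the body)
            MutableRequestWrapper wrappedRequest = new MutableRequestWrapper((HttpServletRequest) request);
            // Continue the filter chain with the wrapped request
            chain.doFilter(wrappedRequest, response);
        }
    }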
- Since:
- Java 17+
- Author:
- Kimi Liu

Field Summary
Fields
Modifier and Type | Field | Description
byte[] | body | Cached request body content.
 | contentType | Cached request body type.
org.miaixz.bus.spring.http.MutableRequestWrapper.ServletInputStreamWrapper | inputStreamWrapper | Custom Servlet input stream wrapper.
jakarta.servlet.http.HttpServletRequest | request | Cached request body type.

Fields inherited from interface jakarta.servlet.http.HttpServletRequest
BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH

Constructor Summary
Constructors
Constructor | Description
MutableRequestWrapper(jakarta.servlet.http.HttpServletRequest request) | Constructor; initializes the request wrapper.

Method Summary
Modifier and Type | Method | Description
byte[] | getBody() | Returns the cached request body content.
 | getContentType() | Returns the cached request body content.
 | getHeader(String name) | Returns the value of the named request header, applying XSS filtering to header values that are not in JSON format.
jakarta.servlet.ServletInputStream | getInputStream() | Returns the custom Servlet input stream.
 | getParameter(String name) | Returns the value of the named parameter, applying XSS filtering to parameter values that are not in JSON format.
String[] | getParameterValues(String parameter) | Returns all values of the named parameter, applying XSS filtering to parameter values that are not in JSON format.
 | getReader() | Returns a BufferedReader for the request body.
jakarta.servlet.http.HttpServletRequest | getRequest() | Returns the custom Servlet input stream.

Methods inherited from class jakarta.servlet.http.HttpServletRequestWrapper
authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, isUserInRole, login, logout, newPushBuilder, upgrade

Methods inherited from class jakarta.servlet.ServletRequestWrapper
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterMap, getParameterNames, getProtocol, getProtocolRequestId, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setCharacterEncoding, setRequest, startAsync, startAsync

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface jakarta.servlet.ServletRequest
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterMap, getParameterNames, getProtocol, getProtocolRequestId, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, setCharacterEncoding, startAsync, startAsync
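
Field Details

request
public jakarta.servlet.http.HttpServletRequest request
Cached request body type.

contentType
Cached request body type.

body
public byte[] body
Cached request body content.

inputStreamWrapper
public org.miaixz.bus.spring.http.MutableRequestWrapper.ServletInputStreamWrapper inputStreamWrapper
Custom Servlet input stream wrapper.

Constructor Details

MutableRequestWrapper
Constructor; initializes the request wrapper. It reads and caches the request body, initializes the custom input stream wrapper, and logs the request parameters.
- Parameters:
- request - the original HTTP request object
- Throws:
- IOException - if an I/O error occurs while reading the request body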

Method Details

getBody
public byte[] getBody()
Returns the cached request body content.
- Returns:
- the request body content as a byte array

getContentType
Returns the cached request body content.
- Specified by:
- getContentType in interface jakarta.servlet.ServletRequest
- Overrides:
- getContentType in class jakarta.servlet.ServletRequestWrapper
- Returns:
- the request body content as a byte array

getRequest
public jakarta.servlet.http.HttpServletRequest getRequest()
Returns the custom Servlet input stream.
- Overrides:
- getRequest in class jakarta.servlet.ServletRequestWrapper
- Returns:
- the custom Servlet input stream

getInputStream
public jakarta.servlet.ServletInputStream getInputStream()
Returns the custom Servlet input stream.
- Specified by:
- getInputStream in interface jakarta.servlet.ServletRequest
- Overrides:
- getInputStream in class jakarta.servlet.ServletRequestWrapper
- Returns:
- the custom Servlet input stream

getReader
Returns a BufferedReader for the request body.
- Specified by:
- getReader in interface jakarta.servlet.ServletRequest
- Overrides:
- getReader in class jakarta.servlet.ServletRequestWrapper
- Returns:
- a BufferedReader for the request body

getParameterValues
Returns all values of the named parameter, applying XSS filtering to parameter values that are not in JSON format.
- Specified by:
- getParameterValues in interface jakarta.servlet.ServletRequest
- Overrides:
- getParameterValues in class jakarta.servlet.ServletRequestWrapper
- Parameters:
- parameter - the parameter name
- Returns:
- the filtered array of parameter values

getParameter
Returns the value of the named parameter, applying XSS filtering to parameter values that are not in JSON format.
- Specified by:
- getParameter in interface jakarta.servlet.ServletRequest
- Overrides:
- getParameter in class jakarta.servlet.ServletRequestWrapper
- Parameters:
- name - the parameter name
- Returns:
- the filtered parameter value

getHeader
Returns the value of the named request header, applying XSS filtering to header values that are not in JSON format.
- Specified by:
- getHeader in interface jakarta.servlet.http.HttpServletRequest
- Overrides:
- getHeader in class jakarta.servlet.http.HttpServletRequestWrapper
- Parameters:
- name - the request header name
- Returns:
- the filtered request header value
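
An added example, not part of the bus project's code: the method summary shows XSS filtering only on getParameter, getParameterValues and getHeader, while getParameterMap is inherited from ServletRequestWrapper and therefore returns the wrapped request's values as they arrived. The hypothetical subclass StrictRequestWrapper below routes getParameterMap through the filtered accessor; it assumes MutableRequestWrapper can be subclassed and that its constructor has the signature documented above.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;
import org.miaixz.bus.spring.http.MutableRequestWrapper;

/**
 * Hypothetical subclass (not part of bus): makes getParameterMap() return the
 * same filtered values that getParameter()/getParameterValues() return.
 */
public class StrictRequestWrapper extends MutableRequestWrapper {

    public StrictRequestWrapper(HttpServletRequest request) throws IOException {
        super(request); // reads and caches the body, as documented for the constructor
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> filtered = new LinkedHashMap<>();
        // getParameterNames() is inherited and unfiltered; only the values are filtered.
        for (String name : Collections.list(getParameterNames())) {
            String[] values = getParameterValues(name); // overridden accessor: XSS-filtered
            if (values != null) {
                filtered.put(name, values.clone());
            }
        }
        // The Servlet API specifies that the parameter map is immutable.
        return Collections.unmodifiableMap(filtered);
    }
}
```

Multi-valued headers read through getHeaders(String) are likewise inherited, and the method summary lists no public filtering method to reuse for them, so values from that path still need encoding where they are written into a response.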