问题描述:
使用Ruoyi的demo部署成功后,发现js、css等静态文件都进入了过滤器,修改application.yml:
xss:# 过滤开关enabled:true# 排除链接(多个用逗号分隔)# 手动增加.*\\.css,.*\\.jpg,.*\\.js,.*\\.map,注意使用的是正则表达式excludes: /system/notice/*,.*\\.css,.*\\.jpg,.*\\.js,.*\\.map# 匹配链接urlPatterns: /system/*,/monitor/*,/tool/*自动重启应用后发现过XssFilter.java已经排除了静态文件了。
但是发现静态文件没有使用浏览器缓存,新建BrowserCacheFilter.java并增加@WebFilter处理:
package com.ruoyi.framework.config;import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.annotation.WebFilter;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.springframework.core.annotation.Order;import org.springframework.stereotype.Component;@WebFilter(filterName="browserCacheFilter", urlPatterns={"*.css","*.jpg","*.js"})publicclassBrowserCacheFilterimplementsFilter{@Overridepublicvoidinit(FilterConfig filterConfig)throws ServletException{
Filter.super.init(filterConfig);}publicvoiddoFilter(ServletRequest req,ServletResponse res,FilterChain chain)throws IOException,ServletException{
HttpServletRequest request=(HttpServletRequest)req;
HttpServletResponse response=(HttpServletResponse)res;// response.addHeader("Cache-Control","no-cache");// response.addHeader("Expires","Thu, 01 Jan 1970 00:00:00 GMT");
response.addHeader("Cache-Control","max-age=86400");//86400s=24h
chain.doFilter(request,response);}}应用自动重启后发现@WebFilter无效!
解决方案:
方案1:BrowserCacheFilter.java增加@Component 或 @Configuration
@Component@WebFilter(filterName="browserCacheFilter", urlPatterns={"*.css","*.jpg","*.js"})publicclassBrowserCacheFilterimplementsFilter{处理结果:重启后可以进入到init方法,但@WebFilter的urlPatterns无效,准确地说,是@WebFilter仍然无效。
方案2:FilterConfig.java增加@Bean
package com.ruoyi.framework.config;import java.util.HashMap;import java.util.Map;import javax.servlet.DispatcherType;import org.nutz.lang.Lang;import org.springframework.beans.factory.annotation.Value;import org.springframework.boot.web.servlet.FilterRegistrationBean;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import com.ruoyi.common.utils.StringUtils;import com.ruoyi.common.xss.XssFilter;/**
* Filter配置
*
* @author ruoyi
*/@ConfigurationpublicclassFilterConfig{@Value("${xss.enabled}")private String enabled;@Value("${xss.excludes}")private String excludes;@Value("${xss.urlPatterns}")private String urlPatterns;@SuppressWarnings({"rawtypes","unchecked"})@Beanpublic FilterRegistrationBeanxssFilterRegistration(){
FilterRegistrationBean registration=newFilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter(newXssFilter());
registration.addUrlPatterns(StringUtils.split(urlPatterns,","));
registration.setName("xssFilter");
registration.setOrder(Integer.MAX_VALUE);
Map<String, String> initParameters=newHashMap<String, String>();
initParameters.put("excludes", excludes);
initParameters.put("enabled", enabled);
registration.setInitParameters(initParameters);return registration;}/**增加BrowserCacheFilter过滤器*/@Beanpublic FilterRegistrationBeanbrowserCacheFilterRegistration(){
FilterRegistrationBean registration=newFilterRegistrationBean();
registration.setFilter(newBrowserCacheFilter());
registration.addUrlPatterns("*.css","*.js","*.jpg","*.png","");return registration;}}重启后能进入到init方法,并按【registration.addUrlPatterns(".css",".js",".jpg",".png","")】设置过滤静态文件。
方案3:RuoYiApplication.java增加@ServletComponentScan
package com.ruoyi;import org.springframework.boot.SpringApplication;import org.springframework.boot.autoconfigure.SpringBootApplication;import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;import org.springframework.boot.web.servlet.ServletComponentScan;/**
* 启动程序
* @author ruoyi
*/@SpringBootApplication(exclude={ DataSourceAutoConfiguration.class})@ServletComponentScanpublicclassRuoYiApplication{publicstaticvoidmain(String[] args){// System.setProperty("spring.devtools.restart.enabled", "false");
SpringApplication.run(RuoYiApplication.class, args);...}}应用重启后能识别和处理@WebFilter注解,能进入init方法并根据urlPatterns过滤静态文件。
方案4:在FilterConfig.java增加@ServletComponentScan
package com.ruoyi.framework.config;import java.util.HashMap;import java.util.Map;import javax.servlet.DispatcherType;import org.springframework.beans.factory.annotation.Value;import org.springframework.boot.web.servlet.FilterRegistrationBean;import org.springframework.boot.web.servlet.ServletComponentScan;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import com.ruoyi.common.utils.StringUtils;import com.ruoyi.common.xss.XssFilter;/**
* Filter配置
* @author ruoyi
*/@Configuration@ServletComponentScanpublicclassFilterConfig{@Value("${xss.enabled}")private String enabled;@Value("${xss.excludes}")private String excludes;@Value("${xss.urlPatterns}")private String urlPatterns;@SuppressWarnings({"rawtypes","unchecked"})@Beanpublic FilterRegistrationBeanxssFilterRegistration(){
FilterRegistrationBean registration=newFilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter(newXssFilter());
registration.addUrlPatterns(StringUtils.split(urlPatterns,","));
registration.setName("xssFilter");
registration.setOrder(Integer.MAX_VALUE);
Map<String, String> initParameters=newHashMap<String, String>();
initParameters.put("excludes", excludes);
initParameters.put("enabled", enabled);
registration.setInitParameters(initParameters);return registration;}}应用重启后能识别和处理@WebFilter注解,能进入init方法并根据urlPatterns过滤静态文件。方案4只扫描该目录或其子目录的@WebFilter,其他目录不会扫描。
总结:
比较以上4个方案,方案4是最理想的解决方案。