
xss加入配置文件

RuoYi 6 lat temu
rodzic
commit
f67d7179cd

+ 1 - 1
src/main/java/com/ruoyi/common/constant/ShiroConstants.java

@@ -45,7 +45,7 @@ public interface ShiroConstants
     /**
      * 验证码开关
      */
-    public static final String CURRENT_EBABLED = "captchaEbabled";
+    public static final String CURRENT_ENABLED = "captchaEnabled";
 
     /**
      * 验证码开关

+ 9 - 11
src/main/java/com/ruoyi/common/xss/XssFilter.java

@@ -11,7 +11,6 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import com.ruoyi.common.utils.StringUtils;
@@ -21,7 +20,6 @@ import com.ruoyi.common.utils.StringUtils;
  * 
  * @author ruoyi
  */
-@WebFilter(filterName = "xssFilter", urlPatterns = "/system/*")
 public class XssFilter implements Filter
 {
     /**
@@ -32,14 +30,14 @@ public class XssFilter implements Filter
     /**
      * xss过滤开关
      */
-    public boolean xssEbabled = false;
+    public boolean enabled = false;
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException
     {
         String tempExcludes = filterConfig.getInitParameter("excludes");
-        String tempXssEbabled = filterConfig.getInitParameter("xssEbabled");
-        if (tempExcludes != null)
+        String tempEnabled = filterConfig.getInitParameter("enabled");
+        if (StringUtils.isNotEmpty(tempExcludes))
         {
             String[] url = tempExcludes.split(",");
             for (int i = 0; url != null && i < url.length; i++)
@@ -47,9 +45,9 @@ public class XssFilter implements Filter
                 excludes.add(url[i]);
             }
         }
-        if (StringUtils.isNotEmpty(tempXssEbabled))
+        if (StringUtils.isNotEmpty(tempEnabled))
         {
-            xssEbabled = Boolean.valueOf(tempXssEbabled);
+            enabled = Boolean.valueOf(tempEnabled);
         }
     }
 
@@ -70,13 +68,13 @@ public class XssFilter implements Filter
 
     private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
     {
-        if (excludes == null || excludes.isEmpty())
+        if (!enabled)
         {
-            return false;
+            return true;
         }
-        if (!xssEbabled)
+        if (excludes == null || excludes.isEmpty())
         {
-            return true;
+            return false;
         }
         String url = request.getServletPath();
         for (String pattern : excludes)
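Review bot: In init(), `enabled = Boolean.valueOf(tempEnabled);` yields false for every string except a case-insensitive "true", so a mistyped `xss.enabled` value (or an absent init-param, since the field defaults to `false`) silently leaves the filter off, and handleExcludeURL then returns true for every request, which by its name looks like "skip filtering" — confirm against the caller. Reject anything that is not literally true/false so the misconfiguration fails at startup instead: `if (!"true".equalsIgnoreCase(tempEnabled) && !"false".equalsIgnoreCase(tempEnabled)) { throw new ServletException("xss filter init-param 'enabled' must be true or false, got: " + tempEnabled); }` placed before the existing `if (StringUtils.isNotEmpty(tempEnabled))` block. The renamed field `public boolean enabled` is only written from init() in these hunks and should be `private`, with a Javadoc line such as `/** Whether request parameters are XSS-filtered; false skips the filter for every URL. */`. handleExcludeURL continues past the end of the last hunk.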

+ 14 - 3
src/main/java/com/ruoyi/framework/config/FilterConfig.java

@@ -2,10 +2,12 @@ package com.ruoyi.framework.config;
 
 import java.util.Map;
 import javax.servlet.DispatcherType;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import com.google.common.collect.Maps;
+import com.ruoyi.common.utils.StringUtils;
 import com.ruoyi.common.xss.XssFilter;
 
 /**
@@ -16,6 +18,15 @@ import com.ruoyi.common.xss.XssFilter;
 @Configuration
 public class FilterConfig
 {
+    @Value("${xss.enabled}")
+    private String enabled;
+
+    @Value("${xss.excludes}")
+    private String excludes;
+
+    @Value("${xss.urlPatterns}")
+    private String urlPatterns;
+
     @SuppressWarnings({ "rawtypes", "unchecked" })
     @Bean
     public FilterRegistrationBean xssFilterRegistration()
@@ -23,12 +34,12 @@ public class FilterConfig
         FilterRegistrationBean registration = new FilterRegistrationBean();
         registration.setDispatcherTypes(DispatcherType.REQUEST);
         registration.setFilter(new XssFilter());
-        registration.addUrlPatterns("/*");
+        registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));
         registration.setName("xssFilter");
         registration.setOrder(Integer.MAX_VALUE);
         Map<String, String> initParameters = Maps.newHashMap();
-        initParameters.put("excludes", "/system/notice/*,/img/*,/css/*,/fonts/*,/js/*,/ajax/*,/ruoyi/*");
-        initParameters.put("xssEbabled", "false");
+        initParameters.put("excludes", excludes);
+        initParameters.put("enabled", enabled);
         registration.setInitParameters(initParameters);
         return registration;
     }
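Review bot: `registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));` narrows the filter from the former `/*` to whatever `xss.urlPatterns` lists (in this commit's application.yml: `/system/*,/monitor/*,/tool/*`), so any request path outside those prefixes no longer passes through XssFilter at all; if that is intended, say so on the field, e.g. `// Only these prefixes are filtered; everything else is left unescaped by design.` Also guard the property before splitting, since what the project's StringUtils.split returns for a blank string is not visible here and a registration with no pattern is easy to miss: `Assert.hasText(urlPatterns, "xss.urlPatterns must not be blank");` (org.springframework.util.Assert) at the top of xssFilterRegistration(). Because `@Value("${xss.enabled}")` carries no default, a missing property now fails startup rather than silently disabling the filter, which is the right direction and worth noting in the Javadoc of the class.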

+ 3 - 3
src/main/java/com/ruoyi/framework/config/ShiroConfig.java

@@ -46,8 +46,8 @@ public class ShiroConfig
     private int validationInterval;
 
     // 验证码开关
-    @Value("${shiro.user.captchaEbabled}")
-    private boolean captchaEbabled;
+    @Value("${shiro.user.captchaEnabled}")
+    private boolean captchaEnabled;
 
     // 验证码类型
     @Value("${shiro.user.captchaType}")
@@ -297,7 +297,7 @@ public class ShiroConfig
     public CaptchaValidateFilter captchaValidateFilter()
     {
         CaptchaValidateFilter captchaValidateFilter = new CaptchaValidateFilter();
-        captchaValidateFilter.setCaptchaEbabled(captchaEbabled);
+        captchaValidateFilter.setCaptchaEnabled(captchaEnabled);
         captchaValidateFilter.setCaptchaType(captchaType);
         return captchaValidateFilter;
     }

+ 5 - 5
src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java

@@ -20,16 +20,16 @@ public class CaptchaValidateFilter extends AccessControlFilter
     /**
      * 是否开启验证码
      */
-    private boolean captchaEbabled = true;
+    private boolean captchaEnabled = true;
 
     /**
      * 验证码类型
      */
     private String captchaType = "math";
 
-    public void setCaptchaEbabled(boolean captchaEbabled)
+    public void setCaptchaEnabled(boolean captchaEnabled)
     {
-        this.captchaEbabled = captchaEbabled;
+        this.captchaEnabled = captchaEnabled;
     }
 
     public void setCaptchaType(String captchaType)
@@ -40,7 +40,7 @@ public class CaptchaValidateFilter extends AccessControlFilter
     @Override
     public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception
     {
-        request.setAttribute(ShiroConstants.CURRENT_EBABLED, captchaEbabled);
+        request.setAttribute(ShiroConstants.CURRENT_ENABLED, captchaEnabled);
         request.setAttribute(ShiroConstants.CURRENT_TYPE, captchaType);
         return super.onPreHandle(request, response, mappedValue);
     }
@@ -51,7 +51,7 @@ public class CaptchaValidateFilter extends AccessControlFilter
     {
         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
         // 验证码禁用 或不是表单提交 允许访问
-        if (captchaEbabled == false || !"post".equals(httpServletRequest.getMethod().toLowerCase()))
+        if (captchaEnabled == false || !"post".equals(httpServletRequest.getMethod().toLowerCase()))
         {
             return true;
         }

+ 10 - 1
src/main/resources/application.yml

@@ -40,6 +40,7 @@ spring:
   thymeleaf:
     mode: HTML
     encoding: utf-8
+    # 禁用缓存
     cache: false
   messages:
     #国际化资源文件路径
@@ -82,7 +83,7 @@ shiro:
     # 首页地址
     indexUrl: /index
     # 验证码开关
-    captchaEbabled: true
+    captchaEnabled: true
     # 验证码类型 math 数组计算 char 字符
     captchaType: math
   cookie:
@@ -101,6 +102,14 @@ shiro:
     dbSyncPeriod: 1
     # 相隔多久检查一次session的有效性,默认就是10分钟
     validationInterval: 10
+# 防止XSS攻击
+xss: 
+  # 过滤开关
+  enabled: true
+  # 排除链接(多个用逗号分隔)
+  excludes: /system/notice/*
+  # 匹配链接
+  urlPatterns: /system/*,/monitor/*,/tool/*
 # 代码生成
 gen: 
   # 作者
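Review bot: `excludes: /system/notice/*` exempts the whole notice module from the XSS filter, and `urlPatterns` limits the filter to `/system/*`, `/monitor/*` and `/tool/*`, so both the excluded module and every path outside those three prefixes reach the handlers unfiltered. The comment on `excludes` should record why the exemption exists (presumably the notice editor submits rich-text HTML — confirm) and that escaping on output is what protects that content, e.g. `# excluded: notice body is rich text, output escaping relied on instead`, so a later reader does not widen the list casually. A similar one-line note on `urlPatterns` explaining why `/*` was dropped would help for the same reason.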

+ 1 - 1
src/main/resources/templates/login.html

@@ -50,7 +50,7 @@
                     <p class="m-t-md">你若不离不弃,我必生死相依</p>
                     <input type="text"     name="username" class="form-control uname"     placeholder="用户名" value="admin"    />
                     <input type="password" name="password" class="form-control pword m-b" placeholder="密码"   value="admin123" />
-					<div class="row" th:if="${captchaEbabled==true}">
+					<div class="row" th:if="${captchaEnabled==true}">
 						<div class="col-xs-6">
 						    <input type="text" name="validateCode" class="form-control code" placeholder="验证码" maxlength="5">
 						</div>