You cannot cast HttpServletRequest to MultipartHttpServletRequest, because you first have to resolve your request.

I used the CommonsMultipartResolver class and got a MultipartHttpServletRequest using the commonsMultipartResolver.resolveMultipart(request) method, where request is of type HttpServletRequest.

So, here is my CSRF class's checkPostedCsrfToken() method:

    private boolean checkPostedCsrfToken() {
        if (request.getParameterMap().containsKey("csrf")) {
            // Regular (non-multipart) form: the token is an ordinary request parameter.
            String csrf = request.getParameter("csrf");
            if (csrf.equals(request.getSession().getAttribute("csrf"))) {
                return true;
            }
        } else if (request.getContentType() != null
                && request.getContentType().toLowerCase().contains("multipart/form-data")) {
            // Multipart form: the body has to be resolved before its fields can be read.
            CommonsMultipartResolver commonsMultipartResolver = new CommonsMultipartResolver();
            MultipartHttpServletRequest multipartRequest = commonsMultipartResolver.resolveMultipart(request);
            if (multipartRequest.getParameterMap().containsKey("csrf")) {
                String csrf = multipartRequest.getParameter("csrf");
                if (csrf.equals(request.getSession().getAttribute("csrf"))) {
                    return true;
                }
            }
        }
        // Token missing or not matching the session value.
        log();
        return false;
    }

But note that you will lose all request parameters and data. Therefore, you have to extend the HttpServletRequestWrapper class to read the request bytes and use them to get the parameters, if it is important to you that the parameters are not lost through the filter chain.
Here is a good helper class I found on StackOverflow (I can't find the question anymore; if I find it, I will edit this).

MultiReadHttpServletRequest
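
    import java.io.BufferedReader;
    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import java.io.InputStreamReader;
    // javax.servlet namespace assumed, matching CommonsMultipartResolver (Spring 5 and earlier).
    import javax.servlet.ServletInputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    // IOUtils is assumed to be the Apache Commons IO class.
    import org.apache.commons.io.IOUtils;

    public class MultiReadHttpServletRequest extends HttpServletRequestWrapper {

        // Full copy of the request body, filled on first read.
        private ByteArrayOutputStream cachedBytes;

        public MultiReadHttpServletRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public ServletInputStream getInputStream() throws IOException {
            if (cachedBytes == null)
                cacheInputStream();
            // Every caller gets a fresh stream over the cached bytes.
            return new CachedServletInputStream();
        }

        @Override
        public BufferedReader getReader() throws IOException {
            return new BufferedReader(new InputStreamReader(getInputStream()));
        }

        private void cacheInputStream() throws IOException {
            // Reads the whole body into memory so it can be replayed later in the chain.
            cachedBytes = new ByteArrayOutputStream();
            IOUtils.copy(super.getInputStream(), cachedBytes);
        }

        // On Servlet 3.1 and later, ServletInputStream also requires
        // isFinished(), isReady() and setReadListener() to be overridden.
        public class CachedServletInputStream extends ServletInputStream {

            private ByteArrayInputStream input;

            public CachedServletInputStream() {
                input = new ByteArrayInputStream(cachedBytes.toByteArray());
            }

            @Override
            public int read() throws IOException {
                return input.read();
            }
        }
    }

Now all you have to do is use MultiReadHttpServletRequest instead of the normal HttpServletRequest in the filter: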
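
    import java.io.IOException;
    // javax.servlet namespace assumed, matching CommonsMultipartResolver (Spring 5 and earlier).
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.web.filter.GenericFilterBean;

    public class CSRFilter extends GenericFilterBean {

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // Wrap the request so the body can be read here and again further down the chain.
            MultiReadHttpServletRequest multiReadHttpServletRequest = new MultiReadHttpServletRequest(request);
            CSRF csrf = new CSRF(multiReadHttpServletRequest);

            if (csrf.isOk()) {
                // Pass the wrapper on, not the original request whose stream is already consumed.
                chain.doFilter(multiReadHttpServletRequest, res);
            } else {
                //todo : Show Error Page
                String redirect = request.getScheme() + "://" + request.getServerName() + ":"
                        + request.getServerPort() + request.getContextPath() + "/access-forbidden";
                response.sendRedirect(redirect);
            }
        }
    }

I hope this helps someone :)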
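Added example, not part of the original answer: two hardening points for the filter above, shown with plain JDK classes. Because multipart forms can carry file uploads, `readBounded` caps how much of the body gets cached in memory, and `tokensMatch` compares the posted token to the session value null-safely and in constant time. The class name, method names and the 1 MiB limit are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CsrfFilterHardening {

    // Hypothetical limit; size it to the largest form the application accepts.
    static final int MAX_CACHED_BODY_BYTES = 1024 * 1024;

    // Copies the body like cacheInputStream(), but fails once the cap is exceeded.
    static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new IOException("request body exceeds " + maxBytes + " bytes");
            }
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    // Null-safe comparison whose duration does not depend on where the values differ.
    static boolean tokensMatch(String posted, Object sessionValue) {
        if (posted == null || !(sessionValue instanceof String)) {
            return false;
        }
        byte[] a = posted.getBytes(StandardCharsets.UTF_8);
        byte[] b = ((String) sessionValue).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values, not taken from the original answer.
        byte[] body = "csrf=abc123&name=test".getBytes(StandardCharsets.UTF_8);
        System.out.println(readBounded(new ByteArrayInputStream(body), MAX_CACHED_BODY_BYTES).length);
        System.out.println(tokensMatch("abc123", "abc123"));
        System.out.println(tokensMatch("abc123", null));
        try {
            readBounded(new ByteArrayInputStream(new byte[128]), 64);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```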



