用spring aop有个限制就是被aop拦截的方法被this对象的另一个方法调用会绕过aop

@Aidan
这是我提交给xwork的,看你的需求就知道这个功能就是为这个打造的

请使用@InputConfig

public class DownloadController extends ActionSupport {

@InputConfig(methodName="inputIndex")
//@InputConfig(resultName="input")
public String index() {
System.out.println("-------index-----------");
return "xx";
}

public void validateIndex() {
addFieldError("hell", ".my hello.");
System.out.println("ok");
}

public string inputIndex() {
return "input";
}
}

当然可以,只要异构数据库也支持xa接口

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.oro.text.regex.PatternCompiler;
import org.apache.oro.text.regex.PatternMatcher;
import org.apache.oro.text.regex.Perl5Compiler;
import org.apache.oro.text.regex.Perl5Matcher;
import org.apache.oro.text.regex.Perl5Substitution;
import org.apache.oro.text.regex.Util;

public class AntiXSS {
static final Pattern SCRIPT_TAG_PATTERN = Pattern.compile(
"<script[^>]*>.*</script[^>]*>", Pattern.CASE_INSENSITIVE);

static final PatternCompiler pc = new Perl5Compiler();
static final PatternMatcher matcher = new Perl5Matcher();

// http://www.bitscn.com/hack/young/200708/108278.html
public static String antiXSS(String content) {
String old = content;
String ret = _antiXSS(content);
while (!ret.equals(old)) {
old = ret;
ret = _antiXSS(ret);
}
return ret;
}

private static String _antiXSS(String content) {
try {
return stripAllowScriptAccess(stripProtocol(stripCssExpression(stripAsciiAndHex(stripEvent(stripScriptTag(content))))));
} catch (Exception e) {
e.printStackTrace();
return null;
}
}

private static String stripScriptTag(String content) {
Matcher m = SCRIPT_TAG_PATTERN.matcher(content);
content = m.replaceAll("");
return content;
}

private static String stripEvent(String content) throws Exception {
String[] events = { "onmouseover", "onmouseout", "onmousedown",
"onmouseup", "onmousemove", "onclick", "ondblclick",
"onkeypress", "onkeydown", "onkeyup", "ondragstart",
"onerrorupdate", "onhelp", "onreadystatechange", "onrowenter",
"onrowexit", "onselectstart", "onload", "onunload",
"onbeforeunload", "onblur", "onerror", "onfocus", "onresize",
"onscroll", "oncontextmenu" };
for (String event : events) {
org.apache.oro.text.regex.Pattern p = pc.compile("(<[^>]*)("
+ event + ")([^>]*>)", Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util.substitute(matcher, p, new Perl5Substitution(
"$1" + event.substring(2) + "$3"), content,
Util.SUBSTITUTE_ALL);

}
return content;
}

private static String stripAsciiAndHex(String content) throws Exception {
// filter &# \00xx
org.apache.oro.text.regex.Pattern p = pc.compile(
"(<[^>]*)(&#|\\\\00)([^>]*>)",
Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util
.substitute(matcher, p, new Perl5Substitution("$1$3"),
content, Util.SUBSTITUTE_ALL);
return content;
}

private static String stripCssExpression(String content) throws Exception {
org.apache.oro.text.regex.Pattern p = pc.compile(
"(<[^>]*style=.*)/\\*.*\\*/([^>]*>)",
Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util
.substitute(matcher, p, new Perl5Substitution("$1$2"),
content, Util.SUBSTITUTE_ALL);

p = pc
.compile(
"(<[^>]*style=[^>]+)(expression|javascript|vbscript|-moz-binding)([^>]*>)",
Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util
.substitute(matcher, p, new Perl5Substitution("$1$3"),
content, Util.SUBSTITUTE_ALL);

p = pc.compile("(<style[^>]*>.*)/\\*.*\\*/(.*</style[^>]*>)",
Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util
.substitute(matcher, p, new Perl5Substitution("$1$2"),
content, Util.SUBSTITUTE_ALL);

p = pc
.compile(
"(<style[^>]*>[^>]+)(expression|javascript|vbscript|-moz-binding)(.*</style[^>]*>)",
Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util
.substitute(matcher, p, new Perl5Substitution("$1$3"),
content, Util.SUBSTITUTE_ALL);
return content;
}

private static String stripProtocol(String content) throws Exception {
String[] protocols = { "javascript", "vbscript", "livescript",
"ms-its", "mhtml", "data", "firefoxurl", "mocha" };
for (String protocol : protocols) {
org.apache.oro.text.regex.Pattern p = pc.compile("(<[^>]*)"
+ protocol + ":([^>]*>)",
Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util.substitute(matcher, p, new Perl5Substitution(
"$1/$2"), content, Util.SUBSTITUTE_ALL);
}
return content;
}

private static String stripAllowScriptAccess(String content)
throws Exception {
org.apache.oro.text.regex.Pattern p = pc.compile(
"(<[^>]*)AllowScriptAccess([^>]*>)",
Perl5Compiler.CASE_INSENSITIVE_MASK);
if (null != p)
content = Util.substitute(matcher, p, new Perl5Substitution(
"$1Allow_Script_Access$2"), content, Util.SUBSTITUTE_ALL);
return content;
}

}

BeanSoft

css的expression没有过滤,ie下面可以运行
<img lowsrc="javascript:alert('XSS')"/>这个在ie下面可以自动运行,还有链接里面使用javascript:xxx等其他协议比如firefoxurl:xxx

thanks

对于new出来的domain object可以用spring和aspectj-weaver来注入依赖对象

UserValidatorWebBundle
org.riawork.demo.web.Activator
ServiceReference ref應該作為一個局部變量,因為org.eclipse.equinox.http停止然後重新開始會造成NPE
ref指向的還是原來的HttpService,下面得到的http為null
HttpService http = (HttpService) bc.getService(ref);
另外監聽HttpService的unregistering事件然後調用unregisterServlet方法沒必要,此時HttpService已經unregistered,取不到他的引用,沒法unregister Servlet,resources,我猜HttpService unregister的時候會自動unregister上面的servlet,resources


另外有個問題,黨註冊多個Service到一個名字的時候,根據這個名字取得Service的優先級是根據Bundle的名字排序,如何自己定制規則

@mixlee
两个application的classpath不一样,放在WEB-INF里面的lib是不能共享的,spring的ApplicationContext是跟具体的webapp相关的,当然不能做成全局的单例,只能做成一个ServletContext里面的单例

一直在关注这个系列的文章,谢谢楼主