package com.esen.eweb.webinit;

import com.esen.eweb.ClientResult;
import com.esen.eweb.web.SecurityFilterConfig;
import com.esen.util.ExceptionHandler;
import com.esen.util.StrFunc;
import com.esen.util.i18n.I18N;
import com.esen.util.security.SecurityFunc;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Configuration;

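@Configuration
/**
 * Servlet filter that applies the configured security response headers, rejects
 * requests whose {@code Referer} host does not match the request's server name,
 * and scans the parameters of {@code .do} requests for script tags and
 * sensitive words (patterns supplied by {@link SecurityFilterConfig}).
 *
 * <p>The {@link SecurityFilterConfig} is looked up from the Spring context in
 * {@link #refreshContext(ApplicationContext)}; the filter is a no-op when that
 * configuration reports {@code isEnable() == false}. Until the context has been
 * refreshed the field is {@code null} and {@link #doFilter} fails closed with an
 * exception rather than letting requests through unchecked.
 */
public class FilterSecurityCheck implements Filter, RefreshApplicationContextEvent {
    private static final Logger log = LoggerFactory.getLogger(FilterSecurityCheck.class);

    /** Response headers copied verbatim from {@code SecurityFilterConfig.getProp(name)} when non-empty. */
    private static final String[] RESPONSE_SECURITY_HEADERS = {
        "X-Frame-Options",
        "X-XSS-Protection",
        "X-Content-Type-Options",
        "Strict-Transport-Security"
    };

    /** Collapses runs of slashes in the request URI so {@code //a.do} and {@code /a.do} compare equal. */
    private static final Pattern REPEATED_SLASHES = Pattern.compile("//+");

    /** Only parameters of paths with this suffix are scanned. */
    private static final String CHECKED_PATH_SUFFIX = ".do";

    // Set by refreshContext(); written once on context refresh, read on every request.
    // NOTE(review): not volatile — assumes the context is refreshed before requests arrive; confirm.
    private SecurityFilterConfig securityFilterConfig;

    /** No per-filter initialisation; all configuration comes from the Spring context. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Applies the security checks and, when they pass, continues the chain.
     *
     * <p>Order of operations: bypass when disabled; set response headers; verify the
     * Referer and compute the context-relative path (a failure here is reported as a
     * {@link ClientResult} for Ajax callers, rethrown otherwise); scan parameters of
     * {@code .do} requests; finally delegate to the chain.
     *
     * @param servletRequest  the request, expected to be an {@link HttpServletRequest}
     * @param servletResponse the response, expected to be an {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain or the Ajax error writer
     * @throws ServletException propagated from the chain, or if a Referer failure could
     *                          not otherwise be surfaced to the caller
     * @throws RuntimeException from {@link ExceptionHandler} when a parameter fails the
     *                          script/sensitive-word check or a non-Ajax Referer check fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!this.securityFilterConfig.isEnable()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        applySecurityHeaders(response);

        String requestPath;
        try {
            checkReferer(request);
            requestPath = getRequestURI_withoutContextPath(request);
        } catch (Exception e) {
            // The request must not proceed once a check failed; handleSecurityFailure
            // either writes an Ajax error body or rethrows.
            handleSecurityFailure(request, response, e);
            return;
        }

        // Parameter violations are deliberately raised outside the try above so they
        // propagate as-is instead of being converted into an Ajax ClientResult.
        if (requestPath.endsWith(CHECKED_PATH_SUFFIX)) {
            checkRequestParameters(request, requestPath);
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Sets each configured security header on the response. {@code setHeader} is used for
     * all of them so a header already present from an earlier filter is replaced rather
     * than duplicated.
     */
    private void applySecurityHeaders(HttpServletResponse response) {
        for (String headerName : RESPONSE_SECURITY_HEADERS) {
            String value = this.securityFilterConfig.getProp(headerName);
            if (!StrFunc.isNull(value)) {
                response.setHeader(headerName, value);
            }
        }
    }

    /**
     * Rejects the request when a {@code Referer} header is present and its host is not the
     * request's server name. The host is taken from the parsed URI, so a Referer that merely
     * contains {@code "://<serverName>"} somewhere in its path or query (or whose host is
     * {@code <serverName>.other.example}) no longer passes. A Referer that cannot be parsed
     * is treated as a mismatch. Requests without a Referer, scheme or server name are not checked.
     *
     * @throws RuntimeException via {@link ExceptionHandler#throwRuntimeException} on mismatch
     */
    private void checkReferer(HttpServletRequest request) {
        String referer = request.getHeader("Referer");
        if (StrFunc.isNull(referer)) {
            return;
        }
        String scheme = request.getScheme();
        String serverName = request.getServerName();
        if (StrFunc.isNull(scheme) || StrFunc.isNull(serverName)) {
            return;
        }
        if (!refererHostMatches(referer, serverName)) {
            log.error(I18N.getString("com.esen.eweb.webinit.filtersecuritycheck.referernotstarts", "Referer和请求地址不一致。referer:{0}, scheme:{1}, servername:{2}, url:{3}", new Object[]{referer, scheme, serverName, request.getRequestURL().toString()}));
            ExceptionHandler.throwRuntimeException("com.esen.eweb.webinit.filtersecuritycheck.refernourl", "Referer和请求地址不一致");
        }
    }

    /**
     * Compares the host component of {@code referer} with {@code serverName}, case-insensitively
     * and ignoring IPv6 brackets. Returns {@code false} when the Referer is not a parseable URI
     * or has no host (e.g. {@code about:blank}).
     */
    private static boolean refererHostMatches(String referer, String serverName) {
        String host;
        try {
            host = new URI(referer.trim()).getHost();
        } catch (URISyntaxException e) {
            return false;
        }
        if (host == null) {
            return false;
        }
        return stripIpv6Brackets(host).equalsIgnoreCase(stripIpv6Brackets(serverName));
    }

    /** {@code URI.getHost()} keeps the brackets of an IPv6 literal; normalise so both sides compare alike. */
    private static String stripIpv6Brackets(String host) {
        if (host.length() >= 2 && host.startsWith("[") && host.endsWith("]")) {
            return host.substring(1, host.length() - 1);
        }
        return host;
    }

    /**
     * Reports a failed Referer check. Ajax callers get a {@link ClientResult} body (the
     * stack trace only when {@code isIncludeStacktrace()} is set); a failure while writing
     * that body is logged and the request still ends here. Non-Ajax callers get the
     * exception rethrown.
     *
     * @throws ServletException if {@link ExceptionHandler#rethrowRuntimeException} returns
     *                          normally, so the request can never continue unchecked
     */
    private void handleSecurityFailure(HttpServletRequest request, HttpServletResponse response, Exception e) throws ServletException {
        if (!isAjaxRequest(request)) {
            ExceptionHandler.rethrowRuntimeException(e);
            throw new ServletException(e);
        }
        ClientResult clientResult = ClientResult.getInstance(request, response);
        try {
            if (this.securityFilterConfig.isIncludeStacktrace()) {
                clientResult.setResultException(e);
            } else {
                clientResult.setResultError(StrFunc.null2blank(e.getLocalizedMessage()));
            }
            clientResult.writeTo(request, response);
        } catch (Exception e2) {
            log.error(I18N.getString("com.esen.eweb.webinit.filtersecuritycheck.dealajaxerror", "处理ajax请求时出现异常"), e2);
        }
    }

    /**
     * Runs {@link #checkSecurityParam} over every value of every request parameter that is
     * not exempted for this path. All values are scanned ({@code getParameterValues}), not
     * just the first one {@code getParameter} would return, so a repeated parameter cannot
     * hide a bad value behind a harmless first one.
     *
     * @param requestPath context-relative path used to look up the exemption list
     */
    private void checkRequestParameters(HttpServletRequest request, String requestPath) {
        String exemptList = this.securityFilterConfig.getSecurityfilterParams(requestPath);
        // Split once per request rather than once per parameter.
        String[] exemptNames = StrFunc.isNull(exemptList) ? new String[0] : exemptList.split(",");
        Enumeration<String> parameterNames = request.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = parameterNames.nextElement();
            if (isExemptParameter(name, exemptNames)) {
                continue;
            }
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                checkSecurityParam(name, value);
            }
        }
    }

    /** True when {@code name} equals one of the configured exempt names per {@link StrFunc#compareStr}. */
    private static boolean isExemptParameter(String name, String[] exemptNames) {
        for (String exempt : exemptNames) {
            if (StrFunc.compareStr(exempt, name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Rejects a parameter value that matches the script-tag pattern or the configured
     * sensitive-word pattern. A {@code null} value has nothing to scan and is accepted.
     *
     * <p>NOTE(review): both patterns are applied with {@code matches()}, i.e. the whole
     * value must match — confirm in {@link SecurityFilterConfig} that they are written
     * for full-match rather than {@code find()}.
     *
     * @param name  parameter name, echoed in the error message
     * @param value one parameter value
     * @throws RuntimeException via {@link ExceptionHandler#throwRuntimeException} on a hit
     */
    private void checkSecurityParam(String name, String value) {
        if (value == null) {
            return;
        }
        if (SecurityFilterConfig.SCRIPT_XSS.matcher(value).matches()) {
            ExceptionHandler.throwRuntimeException("com.esen.eweb.webinit.filtersecuritycheck.requestparamisillegal", "请求参数[{0}]中的参数值含有非法标签格式。", new Object[]{name});
        }
        if (this.securityFilterConfig.getSensitiveWordsPattern().matcher(value).matches()) {
            ExceptionHandler.throwRuntimeException("com.esen.eweb.webinit.filtersecuritycheck.requestparamhavesensitivewords", "请求参数[{0}]中的参数值含有敏感词，请输入不含敏感词的参数。", new Object[]{name});
        }
    }

    /**
     * Returns the request URI, passed through {@link SecurityFunc#filterUrl}, with repeated
     * slashes collapsed and the context path removed. The context path is only stripped when
     * it is longer than {@code "/"} and actually prefixes the URI.
     */
    private String getRequestURI_withoutContextPath(HttpServletRequest request) {
        String path = SecurityFunc.filterUrl(request.getRequestURI());
        if (path != null) {
            path = REPEATED_SLASHES.matcher(path).replaceAll("/");
        }
        String contextPath = request.getContextPath();
        if (contextPath == null || contextPath.length() <= 1) {
            return path;
        }
        if (path != null && path.startsWith(contextPath)) {
            return path.substring(contextPath.length());
        }
        return path;
    }

    /**
     * Detects an XMLHttpRequest caller via the standard {@code X-Requested-With} header; the
     * underscore spelling is also accepted for clients that already send it.
     */
    private boolean isAjaxRequest(HttpServletRequest request) {
        return "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"))
            || "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X_REQUESTED_WITH"));
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /** Picks up the {@link SecurityFilterConfig} bean whenever the application context is refreshed. */
    @Override
    public void refreshContext(ApplicationContext applicationContext) {
        this.securityFilterConfig = applicationContext.getBean(SecurityFilterConfig.class);
    }
}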
