1、增加 application/json 参数处理类 XyRequestWrapper（在构造时一次性缓存请求体，使请求体可被重复读取；getParameter 系列方法不变，JSON 请求体不会映射为请求参数）
2、程序中增加 SQL 注入拦截器 RefererFilter（基于 select/update/delete/drop/truncate/单引号 的关键字黑名单，只能作为纵深防御，不能替代 DAO 层的 PreparedStatement 参数化查询；同时包含 Referer 子串校验与 session 登录校验）
3、web.xml 配置拦截器（仅对 *.call 路径生效，其它 url-pattern 的请求不经过该过滤器）
<!-- Registers RefererFilter for requests matching *.call ONLY. Any servlet
     mapped to a different pattern (another suffix, or a path without one) is
     not covered by the filter's SQL-keyword, Referer and session checks.
     The charset / contentType init-params are declared here but RefererFilter's
     init() is empty, so they are never read. -->
<filter>
<filter-name>filter_web</filter-name>
<filter-class>com.bhne.web.servlet.RefererFilter</filter-class>
<init-param>
<param-name>charset</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>contentType</param-name>
<param-value>text/html;charset=UTF-8</param-value>
</init-param>
</filter>
<!-- Only *.call goes through the filter; widen this if other endpoints take
     user input. -->
<filter-mapping>
<filter-name>filter_web</filter-name>
<url-pattern>*.call</url-pattern>
</filter-mapping>
XyRequestWrapper
package com.bhne.web.servlet;
import com.alibaba.fastjson.JSONObject;
import org.apache.commons.codec.Charsets;
import org.apache.cxf.common.util.StringUtils;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
/**
* Created by fuwenshen
* Date:2018/10/26
* Time:12:21
*/
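/**
 * Request wrapper that buffers the request body once so it can be read more
 * than once (a servlet input stream is single-shot).
 *
 * The body is read eagerly in the constructor as UTF-8 and served again from
 * memory by {@link #getInputStream()} and {@link #getReader()}. Parameter
 * lookups ({@code getParameter*}) are inherited unchanged from
 * {@link HttpServletRequestWrapper}, so a JSON body is NOT exposed as request
 * parameters.
 *
 * Security notes:
 * <ul>
 *   <li>The whole body is held in memory with no size cap of its own; rely on
 *       the container / reverse-proxy request-size limit to bound it.</li>
 *   <li>{@link #setParamsMaps(Map)} re-parses the buffered body with fastjson.
 *       That body is client-controlled, so the fastjson version in use must
 *       have autoType disabled (TODO confirm version and configuration).</li>
 *   <li>Buffering only helps if this wrapper is the object passed down the
 *       filter chain; forwarding the original request after wrapping it leaves
 *       downstream readers with an already-consumed stream.</li>
 * </ul>
 */
public class XyRequestWrapper extends HttpServletRequestWrapper {
    private static final String ENCODING = "UTF-8";
    private String body;

    /**
     * Wraps {@code request} and drains its input stream into memory.
     *
     * @param request the request to wrap; its input stream is consumed here
     * @throws IOException if the body cannot be read
     */
    public XyRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        InputStream in = request.getInputStream();
        if (in == null) {
            body = "";
            return;
        }
        StringBuilder buffered = new StringBuilder();
        BufferedReader reader = new BufferedReader(new InputStreamReader(in, ENCODING));
        try {
            char[] chunk = new char[128];
            int count;
            // -1 is the documented end-of-stream marker for Reader.read(char[]).
            while ((count = reader.read(chunk)) != -1) {
                buffered.append(chunk, 0, count);
            }
        } finally {
            // The previous catch-and-rethrow blocks added nothing; a finally is enough.
            reader.close();
        }
        body = buffered.toString();
    }

    /**
     * Returns a fresh stream over the buffered body. Every call starts from the
     * beginning of the body, which is what makes it re-readable.
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        final ByteArrayInputStream bytes = new ByteArrayInputStream(body.getBytes(ENCODING));
        return new ServletInputStream() {
            @Override
            public int read() throws IOException {
                return bytes.read();
            }
        };
    }

    /** Returns a UTF-8 reader over {@link #getInputStream()}. */
    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(getInputStream(), Charsets.UTF_8));
    }

    /** @return the buffered body as a string ({@code ""} when there was no body) */
    public String getBody() {
        return this.body;
    }

    /**
     * Merges {@code paramMaps} into the buffered JSON body: the current body is
     * parsed as a JSON object, the supplied entries are put on top (overriding
     * existing keys) and the serialised result replaces the body. Later calls
     * to {@link #getInputStream()} / {@link #getReader()} see the merged body.
     *
     * @param paramMaps entries to add; {@code null} is treated as empty
     * @throws RuntimeException (fastjson's parse exception) if the current body
     *         is non-empty and not a JSON object
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    public void setParamsMaps(Map paramMaps) {
        Map merged = null;
        if (!StringUtils.isEmpty(body)) {
            // NOTE(review): untrusted input parsed by fastjson — keep autoType off.
            merged = JSONObject.parseObject(body, Map.class);
        }
        if (merged == null) {
            // Empty body, or a body that parses to JSON null (previously an NPE on putAll).
            merged = new HashMap();
        }
        if (paramMaps != null) {
            merged.putAll(paramMaps);
        }
        body = JSONObject.toJSONString(merged);
    }
}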
RefererFilter
package com.bhne.web.servlet;
import java.io.IOException;
import java.util.*;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import cn.hutool.core.map.MapUtil;
import cn.hutool.core.util.StrUtil;
import cn.hutool.json.JSONObject;
import cn.hutool.json.JSONUtil;
import com.alibaba.fastjson.JSON;
import net.sf.json.JSONArray;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
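/**
 * Filter for {@code *.call} requests (see web.xml). In order it:
 * <ol>
 *   <li>parses multipart uploads so their form fields reach the parameter scan
 *       and downstream code receives a {@code MultipartHttpServletRequest};</li>
 *   <li>otherwise buffers the body in an {@link XyRequestWrapper} and rejects a
 *       JSON body whose values match {@link #judgeSQLInject(String)};</li>
 *   <li>for URLs not containing "app", requires a Referer containing
 *       "xjpwqgcglpt", and for URLs not containing "app"/"login"/"charts"
 *       requires a session attribute "user";</li>
 *   <li>rejects any request parameter value matching the same blacklist;</li>
 *   <li>forwards the (wrapped or multipart) request down the chain.</li>
 * </ol>
 *
 * Security caveats, all visible in the code below and deliberately not changed
 * here because the intended URL layout is unknown:
 * <ul>
 *   <li>The keyword blacklist is a tripwire, not a fix: SQL must still be
 *       parameterised (PreparedStatement) in the DAO layer. It also rejects
 *       legitimate text such as "selection".</li>
 *   <li>Referer is client-supplied and compared by substring, so any value that
 *       merely contains "xjpwqgcglpt" passes. This is not a CSRF defence.</li>
 *   <li>The URL gates use {@code String.contains}: "app" also matches paths like
 *       "/approve.call" or "/wrapper.call", which then skip both the Referer and
 *       the session check. Prefer explicit path prefixes.</li>
 *   <li>Rejections are written with HTTP 200; a 4xx status would let clients
 *       and proxies tell them apart from normal responses.</li>
 * </ul>
 *
 * Changes from the previous version: the buffered wrapper is now actually the
 * request forwarded down the chain (before, the original request with its
 * already-consumed stream was forwarded); JSON bodies are walked recursively
 * and non-string values no longer throw a ClassCastException; the "update_"
 * exemption in {@link #judgeSQLInject(String)} no longer disables every other
 * token; debug output to stdout was removed.
 */
public class RefererFilter implements Filter {

    /** Tokens that trip the blacklist; matched case-insensitively as substrings. */
    private static final String[] BLACKLIST = {"select", "update", "delete", "drop", "truncate", "'"};
    private static final String REJECT_MESSAGE = "参数含有非法字符!";
    private static final String REDIRECT_SCRIPT =
            "<script language='javascript'>top.location='/xjpwqgcglpt/html_base/404.htm';</script>";

    /** The charset / contentType init-params from web.xml are not used. */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) arg0;
        String url = request.getRequestURI();
        String contentType = request.getContentType();

        // Request object handed to the rest of the chain, and the buffered body.
        ServletRequest downstream;
        String body;
        if (contentType != null && contentType.contains("multipart/form-data")) {
            // Parse the upload up front so its form fields take part in the
            // parameter scan below and downstream sees a MultipartHttpServletRequest.
            MultipartResolver resolver =
                    new CommonsMultipartResolver(request.getSession().getServletContext());
            downstream = resolver.resolveMultipart(request);
            // The resolver has consumed the stream; there is no JSON body to check
            // (the previous version wrapped the original request here and got "").
            body = "";
        } else {
            // Force the container to parse form parameters BEFORE the body is
            // buffered: once the wrapper drains the stream, a lazily parsing
            // container would otherwise report no form parameters at all.
            request.getParameterMap();
            XyRequestWrapper wrapper = new XyRequestWrapper(request);
            body = wrapper.getBody();
            // The wrapper must be what goes down the chain — the original
            // request's stream has just been consumed.
            downstream = wrapper;
        }

        if (StrUtil.isNotBlank(body) && JSONUtil.isJson(body)) {
            // Walk objects and arrays recursively; the previous (String) cast threw
            // on numbers, booleans, nested objects and null values.
            if (jsonTreeHasInjection(JSONUtil.parse(body))) {
                reject(arg1);
                return;
            }
        }

        boolean appUrl = url.contains("app");
        String referer = request.getHeader("Referer");
        if (!appUrl && (referer == null || !referer.contains("xjpwqgcglpt"))) {
            // Client-controlled header, substring match — see class comment.
            arg1.getWriter().write(REDIRECT_SCRIPT);
            return;
        }

        if (!appUrl && !url.contains("login") && !url.contains("charts")) {
            HttpSession session = request.getSession();
            if (session.getAttribute("user") == null) {
                // Front-end convention: a response header signals the expired session.
                ((HttpServletResponse) arg1).setHeader("sessionstatus", "timeout");
                return;
            }
        }

        if (hasInjectedParameter(downstream)) {
            reject(arg1);
            return;
        }

        arg2.doFilter(downstream, arg1);
    }

    /** Writes the rejection message (HTTP 200, text/html) and leaves the chain unrun. */
    private void reject(ServletResponse response) throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().print(REJECT_MESSAGE);
    }

    /**
     * Depth-first scan of a parsed JSON tree. Maps (JSON objects) and Iterables
     * (JSON arrays) are descended into; every other node is stringified and
     * tested with {@link #judgeSQLInject(String)}.
     */
    private boolean jsonTreeHasInjection(Object node) {
        if (node == null) {
            return false;
        }
        if (node instanceof Map) {
            for (Object child : ((Map<?, ?>) node).values()) {
                if (jsonTreeHasInjection(child)) {
                    return true;
                }
            }
            return false;
        }
        if (node instanceof Iterable) {
            for (Object child : (Iterable<?>) node) {
                if (jsonTreeHasInjection(child)) {
                    return true;
                }
            }
            return false;
        }
        return judgeSQLInject(String.valueOf(node));
    }

    /** True if any value of any request parameter trips the blacklist. */
    private boolean hasInjectedParameter(ServletRequest request) {
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String[] values = request.getParameterValues(names.nextElement());
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (judgeSQLInject(value)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Blacklist check for one parameter value.
     *
     * The value is lower-cased with {@link Locale#ROOT} (callers used to do the
     * lower-casing themselves; doing it here as well is harmless) and tested for
     * each token in {@link #BLACKLIST} as a substring.
     *
     * "update_" exemption: legitimate values such as "update_time" contain the
     * token "update". The previous implementation skipped EVERY token, including
     * the quote, as soon as "update_" appeared anywhere in the value, so a value
     * like {@code update_x' or 1=1} passed. Now "update_" occurrences are stripped
     * only before testing the "update" token; all other tokens are always checked.
     *
     * @param value parameter value, may be {@code null}
     * @return {@code true} if the value should be rejected
     */
    public boolean judgeSQLInject(String value) {
        if (value == null || value.length() == 0) {
            return false;
        }
        String lowered = value.toLowerCase(Locale.ROOT);
        String withoutUpdateUnderscore = lowered.replace("update_", "");
        for (String token : BLACKLIST) {
            String haystack = "update".equals(token) ? withoutUpdateUnderscore : lowered;
            if (haystack.contains(token)) {
                return true;
            }
        }
        return false;
    }
}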