
jfinal 4.5

James 6 years ago
parent
commit
828d00b1e7

+ 10 - 0
src/main/java/com/jfinal/config/Constants.java

@@ -57,6 +57,8 @@ final public class Constants {
 	private ControllerFactory controllerFactory = Const.DEFAULT_CONTROLLER_FACTORY;
 	private int configPluginOrder = Const.DEFAULT_CONFIG_PLUGIN_ORDER;
 	
+	private boolean denyAccessJsp = true;	// 默认拒绝直接访问 jsp 文件
+	
 	private ITokenCache tokenCache = null;
 	
 	/**
@@ -395,6 +397,14 @@ final public class Constants {
 	public int getFreeMarkerTemplateUpdateDelay() {
 		return freeMarkerTemplateUpdateDelay;
 	}
+	
+	public void setDenyAccessJsp(boolean denyAccessJsp) {
+		this.denyAccessJsp = denyAccessJsp;
+	}
+	
+	public boolean getDenyAccessJsp() {
+		return denyAccessJsp;
+	}
 }
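Review bot: The new `denyAccessJsp` setting and its accessors carry no Javadoc; the only explanation is the Chinese inline comment on the field, so a reader of `Constants` cannot tell what "direct access" means or which component enforces the flag. Add a Javadoc on `setDenyAccessJsp` along the lines of `/** When true (the default), JFinalFilter refuses requests whose path ends in .jsp or .jspx and that no handler has processed. */` and put the field comment in English, e.g. `// deny direct requests for .jsp/.jspx files by default`. The boolean accessor is named `getDenyAccessJsp` rather than the JavaBeans `is` form; that is fine if it matches the class's other boolean getters, which lie outside this hunk.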
 
 

+ 30 - 0
src/main/java/com/jfinal/core/JFinalFilter.java

@@ -96,6 +96,11 @@ public class JFinalFilter implements Filter {
 		}
 		
 		if (isHandled[0] == false) {
+			// 默认拒绝直接访问 jsp 文件,加固 tomcat、jetty 安全性
+			if (constants.getDenyAccessJsp() && isJsp(target)) {
+				return ;
+			}
+			
 			chain.doFilter(request, response);
 		}
 	}
@@ -126,4 +131,29 @@ public class JFinalFilter implements Filter {
 	static void initLog() {
 		log = Log.getLog(JFinalFilter.class);
 	}
+	
+	boolean isJsp(String t) {
+		char c;
+		int end = t.length() - 1;
+		
+		if ( (end > 3) && ((c = t.charAt(end)) == 'x' || c == 'X') ) {
+			end--;
+		}
+		
+		if ( (end > 2) && ((c = t.charAt(end)) == 'p' || c == 'P') ) {
+			end--;
+			if ( (end > 1) && ((c = t.charAt(end)) == 's' || c == 'S') ) {
+				end--;
+				if ( (end > 0) && ((c = t.charAt(end)) == 'j' || c == 'J') ) {
+					end--;
+					if ( (end > -1) && ((c = t.charAt(end)) == '.') ) {
+						System.out.println("找到 jsp 文件 : " + t);
+						return true;
+					}
+				}
+			}
+		}
+		
+		return false;
+	}
 }
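Review bot: A denied request is silently dropped at the `return ;` in the first hunk: nothing is written to the response, so the client receives an empty success body instead of an explicit refusal, and the container's access log cannot tell the block from a normal page. If `response` is an HttpServletResponse at that point (its declared type is not visible in the hunk), `((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND); return;` makes the denial explicit and observable. In the second hunk, `isJsp` prints every match to stdout with `System.out.println`, which bypasses the logging configuration the class already has via its `log` field; drop the print or route it through `log` instead. The nested suffix walk would read more clearly as `return t.regionMatches(true, t.length() - 4, ".jsp", 0, 4) || t.regionMatches(true, t.length() - 5, ".jspx", 0, 5);`, which keeps the case-insensitive match and the same minimum-length behaviour, since `regionMatches` returns false for a negative offset.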