Index: forgon-core/src/main/java/com/forgon/xss/filter/XSSFilter.java
===================================================================
diff -u -r34623 -r36131
--- forgon-core/src/main/java/com/forgon/xss/filter/XSSFilter.java (.../XSSFilter.java) (revision 34623)
+++ forgon-core/src/main/java/com/forgon/xss/filter/XSSFilter.java (.../XSSFilter.java) (revision 36131)
@@ -15,6 +15,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+
 import com.forgon.xss.request.XSSServletRequest;
 /**
@@ -38,6 +40,10 @@
 System.out.println("request.getContentType()=" + request.getContentType());*/
 XSSServletRequest xssRequest = new XSSServletRequest(httpServletRequest);
 HttpServletResponse resp = (HttpServletResponse)response;
+ //处理接口泄露的问题,如果符合直接访问接口的情况则直接跳转至登录页面-DGSHLYY-28 存在接口泄露漏洞的问题
+ if(processInterfaceLeakage(xssRequest,resp)){
+ return;
+ }
 //QYSRMYY-42 修复渗透测试扫描出来的存储型和反射型XSS漏洞(下面的代码可能会导致ie登录不成功,所以就将其注释掉)
 /*Cookie[] cookies = xssRequest.getCookies();
 if(cookies != null){
@@ -57,6 +63,40 @@
 chain.doFilter(xssRequest, response);
 }
+ /**
+ * 处理访问以"services"为结尾的地址导致接口安全问题的处理(DGSHLYY-28 存在接口泄露漏洞的问题)
+ * @param request 请求对象
+ * @param response 响应对象
+ */
+ private boolean processInterfaceLeakage(HttpServletRequest request,HttpServletResponse response){
+ String requestURI = request.getRequestURI();
+ if(StringUtils.isNotBlank(requestURI)){
+ String services = "services";
+ int index = requestURI.indexOf(services);
+ if(index > -1){
+ index += services.length();
+ String afterServices = requestURI.substring(index);
+ afterServices = afterServices.replaceAll("/", "");
+ //如果只是访问services的接口根路径如"http://ip:port/services"、"http://ip:port/services/"、"http://ip:port/services////"、"http://ip:port/services////\\\\"等则转向至登录页面,
+ //但如果是访问接口的services路径下的具体某个webservice地址时确保功能需正常
+ if(StringUtils.isBlank(afterServices)){
+ try {
+// resp.setContentType("text/html;charset=UTF-8");
+// resp.getWriter().write("
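Review bot: The guard inserted before the commented-out cookie block decides on `request.getRequestURI()`, which the servlet API hands back undecoded and unnormalized, and the helper it calls (`processInterfaceLeakage`, defined in the following hunk, which is cut off here) locates `"services"` with `indexOf` anywhere in the path and then strips only forward slashes; so the redirect fires for the literal root forms its comment lists, but not for the backslash variant the same comment claims to cover, and it also fires for any unrelated path whose last segment merely ends in `services`. I would compare a normalized servlet path instead, e.g. `String path = request.getServletPath() + StringUtils.defaultString(request.getPathInfo());` and `if (path.replaceAll("[/\\\\]+$", "").endsWith("/services")) { ... }`, so the check is tied to the real mount point rather than a substring. The early `return` correctly skips `chain.doFilter` only if the helper has already committed a response whenever it returns true; a one-line comment `// helper has already redirected; do not continue the chain` would make that contract explicit. Finally, suppressing the service listing in an XSS filter is a hardening measure, not access control: the individual service endpoints stay reachable by design (the helper's comment says so), so they still need their own authentication and this check would sit more naturally in a dedicated security filter or container security constraint.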