feature: Add http request filter for seata-server

[YvCeung]

• I have registered the PR changes.

Ⅰ. Describe what this PR did

1. Add filter logic for http requests from netty
2. Not only does it support XSSFilter, but it also reserves expansion points to facilitate the easy integration of other types of filters in the future
3. Add a new filter system configuration item to flexibly enable the on state of the relevant filters

新增针对来自netty的http请求的过滤器逻辑
不仅仅是支持了XSSFilter，同时预留了扩展点，以便未来轻松接入其他类型的过滤器
新增过滤器系统配置项，以便灵活启用相关过滤器的开启状态

Ⅱ. Does this pull request fix one issue?

fix #7409

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

mvn clean test

Ⅴ. Special notes for reviews

1. Support the parsing logic for filtering four types of parameters: Query, Form, JSON, and Header: The original Seata Server only supported the POST parameter of the form type and did not support the request Body of the JSON type. This modification supplemented the parsing capability of the JSON Body parameter and enhanced the compatibility of the filter for multi-format request bodies to adapt to the parsing of the JSON type request body by the future SeATA-Server

2. Support the execution of filters in a custom order

3. Execution link
   

支持过滤 Query、Form、JSON、Header 四类参数的解析逻辑：原 Seata Server 仅支持表单类型 POST 参数，不支持 JSON 类型请求体，本次改动补充 JSON Body 参数解析能力，增强过滤器对多格式请求体的兼容性以适应未来seata-server对JSON类型请求体的解析

支持 filter 按照自定义顺序执行

其他:

关于XSSHttpRequestFilter判定非法字符的逻辑的一些简单补充

一、背景：

第一版的代码，对 HTTP 请求参数进行 XSS 防御时，使用了一个基于正则表达式的事件处理器检测逻辑，比如拦截onload="..."、onclick="..." 这样的 XSS 注入点。

但CodeQL提示这种写法存在两个典型安全风险：

1. 正则表达式灾难性回溯 (ReDoS)
   攻击者可以通过精心构造如 "ononononononon..." 这样的大量重复前缀，诱发正则引擎在回溯时消耗过多 CPU，导致服务 hang 死或响应超时，形成拒绝服务攻击。

2. 超长事件名绕过问题
   为了解决 ReDoS，原正则表达式做了长度限制（如 {0,50}），但这样又带来了另一个问题：
   如果攻击者故意写一个超长非法事件名（比如 onXXXXXXXXXXXXXXXXXXX....=），就可能绕过正则匹配，不会被拦截。

二、改造原因：

为了同时解决 性能风险 和 安全漏判，后来对 XSS 关键词检测逻辑进行两方面的改造：

1. 在正则表达式层面加入最大长度约束
   限制事件名最长不超过一定字符数，防止正则在超长文本上死回溯。

2. 在正则匹配成功后，追加一层代码逻辑校验：
   无论正则命中与否，都对提取到的事件名进行显式长度判断，只要长度超过预设阈值，也直接视为非法，强制拦截。

三、防护原理：

最终的防护方案如下：

• 第一层防护：正则长度限制
  通过对事件名部分加 {0,50} 限制，让正则引擎在遇到超长字符串时快速 fail-fast，防止回溯消耗。（这个长度暂定是50，后面根据业务需要可以调整）

• 第二层防护：事件名长度二次校验
  即便正则命中了较短片段，也通过 .group(1) 获取事件名长度后，再次判断是否超出安全阈值（如 50 字符）。
  一旦超长，立即判定为高风险，抛异常拒绝。

• 第三层防护：快速短路 + 单次匹配
  每次正则 matcher.find() 命中后，逻辑上只处理第一个匹配项，不继续多次 find，避免多次匹配对大输入文本消耗资源。

[codecov]

Codecov Report

Attention: Patch coverage is 64.03162% with 91 lines in your changes missing coverage. Please review.

Project coverage is 60.51%. Comparing base (608785f) to head (a91f0f5).
Report is 1 commits behind head on 2.x.

Files with missing lines	Patch %	Lines
...rpc/netty/http/filter/HttpRequestParamWrapper.java	53.70%	45 Missing and 5 partials ⚠️
...ache/seata/server/filter/XSSHttpRequestFilter.java	66.66%	10 Missing and 4 partials ⚠️
...a/org/apache/seata/common/util/HttpClientUtil.java	0.00%	13 Missing ⚠️
...seata/core/rpc/netty/http/HttpDispatchHandler.java	66.66%	4 Missing ⚠️
.../core/rpc/netty/http/filter/HttpFilterContext.java	72.72%	1 Missing and 2 partials ⚠️
...ata/core/exception/HttpRequestFilterException.java	50.00%	2 Missing ⚠️
...pc/netty/http/filter/HttpRequestFilterManager.java	89.47%	1 Missing and 1 partial ⚠️
...he/seata/core/rpc/netty/http/Http2HttpHandler.java	83.33%	1 Missing ⚠️
.../core/rpc/netty/http/filter/HttpRequestFilter.java	0.00%	1 Missing ⚠️
...server/spring/listener/HttpFilterInitListener.java	83.33%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##                2.x    #7485      +/-   ##
============================================
+ Coverage     60.50%   60.51%   +0.01%     
  Complexity      656      656              
============================================
  Files          1298     1307       +9     
  Lines         49081    49334     +253     
  Branches       5771     5800      +29     
============================================
+ Hits          29697    29856     +159     
- Misses        16751    16837      +86     
- Partials       2633     2641       +8     

Files with missing lines	Coverage Δ
...ava/org/apache/seata/common/ConfigurationKeys.java	0.00% <ø> (ø)
...in/java/org/apache/seata/common/DefaultValues.java	100.00% <100.00%> (ø)
...ta/core/rpc/netty/http/BaseHttpChannelHandler.java	100.00% <100.00%> (ø)
.../rpc/netty/http/filter/HttpRequestFilterChain.java	100.00% <100.00%> (ø)
...ta/spring/boot/autoconfigure/StarterConstants.java	100.00% <ø> (ø)
...configure/SeataServerEnvironmentPostProcessor.java	100.00% <100.00%> (ø)
...ties/server/filter/ServerHttpFilterProperties.java	100.00% <100.00%> (ø)
...he/seata/core/rpc/netty/http/Http2HttpHandler.java	64.15% <83.33%> (+1.15%)	⬆️
.../core/rpc/netty/http/filter/HttpRequestFilter.java	0.00% <0.00%> (ø)
...server/spring/listener/HttpFilterInitListener.java	83.33% <83.33%> (ø)
... and 7 more

... and 8 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[YvCeung]

@funky-eyes PTAL

[funky-eyes]

@funky-eyes PTAL

Please resolve the code conflicts and make this PR's functionality cover both HTTP and HTTP2.

[YvCeung]

@funky-eyes PTAL

Please resolve the code conflicts and make this PR's functionality cover both HTTP and HTTP2.

done

[funky-eyes]

LGTM

[funky-eyes]

https://github.com/apache/incubator-seata/blob/2.x/script/config-center/config.txt
https://github.com/apache/incubator-seata/blob/2.x/server/src/main/resources/application.example.yml
https://github.com/apache/incubator-seata/blob/2.x/server/src/main/resources/application.raft.example.yml
Please add the newly added configuration to the above setup.

[YvCeung]

https://github.com/apache/incubator-seata/blob/2.x/script/config-center/config.txt https://github.com/apache/incubator-seata/blob/2.x/server/src/main/resources/application.example.yml https://github.com/apache/incubator-seata/blob/2.x/server/src/main/resources/application.raft.example.yml Please add the newly added configuration to the above setup.

done