springboot 安全防火
来源:互联网 发布:淘宝黑科技产品 编辑:程序博客网 时间:2024/04/27 17:36
springboot
Listener Filter Servlet的执行顺序通常为: 监听器、过滤器、servlet
@RestController中的主Servlet都是DispatcherServlet,其默认的url-pattern为“/”。也可以自己添加Servlet,有2种方式:1)代码实现方式; 2)注解方式
代码实现方式: 通过ServletRegistrationBean、FilterRegistrationBean、ServletListenerRegistrationBean实现
实例:
package com.test.conf;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.test.servlet.TestServletByCode;
@Configuration
public class ServletRegistrationConf {
@Autowired
private TestServletByCode testServletByCode;
@Bean
public ServletRegistrationBean servletRegistrationBean() {
return new ServletRegistrationBean(testServletByCode, "/ts/testCodeServlet");
}
}
package com.test.servlet;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Service;
@Service
public class TestServletByCode extends HttpServlet{
private static final long serialVersionUID = -8685285401859800066L;
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.out.println("doGet====");
doPost(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.out.println("doPost===");
}
}
注解方式: 在 SpringBootApplication 上使用@ServletComponentScan 注解,Servlet、Filter、Listener 可以直接通过 @WebServlet、@WebFilter、@WebListener 注解自动注册
实例:
package com.test;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;
@SpringBootApplication
@ServletComponentScan
public class MainApplication implements CommandLineRunner {
public static void main(String[] args) {
SpringApplication.run(MainApplication.class, args);
}
@Override
public void run(String... args) throws Exception {
System.out.println("spring boot running........");
}
}
package com.test.listener;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
@WebListener
public class TestServletContextListener implements ServletContextListener{
@Override
public void contextInitialized(ServletContextEvent sce) {
System.out.println("ServletContex初始化");
System.out.println(sce.getServletContext().getServerInfo());
}
@Override
public void contextDestroyed(ServletContextEvent sce) {
System.out.println("ServletContex销毁");
}
}
package com.test.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
@WebFilter(urlPatterns="/*",filterName="testFilter")
public class TestFilterByAnnotation implements Filter {
@Override
public void destroy() {
System.out.println("过滤器销毁");
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
System.out.println("执行过滤操作");
chain.doFilter(request, response);
}
@Override
public void init(FilterConfig config) throws ServletException {
System.out.println("过滤器初始化");
}
}
package com.test.servlet;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet(urlPatterns="/ts/testWebServlet", description="Servlet的说明")
public class TestServletByAnnotation extends HttpServlet{
private static final long serialVersionUID = -8685285401859800066L;
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.out.println("doGet*******");
doPost(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.out.println("doPost*********");
}
}
注:@ServletComponentScan在1.3版以后才有,需添加对应版本,如:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>1.4.0.RELEASE</version>
</dependency>
1、防xss
自定义Filter
我们常常在项目中会使用filters用于录调用日志、排除有XSS威胁的字符、执行权限验证等等。Spring Boot自动添加了OrderedCharacterEncodingFilter和HiddenHttpMethodFilter,并且我们可以自定义Filter。
两个步骤:
- 实现Filter接口,实现Filter方法
- 添加
@Configurationz注解,将自定义Filter加入过滤链
好吧,直接上代码
@Configurationpublic class WebConfiguration { @Bean public RemoteIpFilter remoteIpFilter() { return new RemoteIpFilter(); } @Bean public FilterRegistrationBean testFilterRegistration() { FilterRegistrationBean registration = new FilterRegistrationBean(); registration.setFilter(new MyFilter()); registration.addUrlPatterns("/*"); registration.addInitParameter("paramName", "paramValue"); registration.setName("MyFilter"); registration.setOrder(1); return registration; } public class MyFilter implements Filter { @Override public void destroy() { // TODO Auto-generated method stub } @Override public void doFilter(ServletRequest srequest, ServletResponse sresponse, FilterChain filterChain) throws IOException, ServletException { // TODO Auto-generated method stub HttpServletRequest request = (HttpServletRequest) srequest; System.out.println("this is MyFilter,url :"+request.getRequestURI()); filterChain.doFilter(srequest, sresponse); } @Override public void init(FilterConfig arg0) throws ServletException { // TODO Auto-generated method stub } }} XSS 攻击的专业解释,可以在网上搜索一下,参考百度百科的解释 http://baike.baidu.com/view/2161269.htm, 但在实际的应用中如何去防止这种攻击呢,下面给出几种办法.
1. 自己写 filter 拦截来实现,但要注意的时,在WEB.XML 中配置 filter 的时候,请将这个 filter 放在第一位.
2. 采用开源的实现 ESAPI library ,参考网址:https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
3. 可以采用spring 里面提供的工具类来实现.
一, 第一种方法。
配置过滤器
程序代码
public class XSSFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
}
}
再实现 ServletRequest 的包装类
程序代码
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XSSRequestWrapper extends HttpServletRequestWrapper {
public XSSRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i]);
}
return encodedValues;
}
@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
return stripXSS(value);
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
return stripXSS(value);
}
private String stripXSS(String value) {
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
// Avoid null characters
value = value.replaceAll("", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a src='...' type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
}
例子中注释的部分,就是采用 ESAPI library 来防止XSS攻击的,推荐使用.
当然,我还看到这样一种办法,将所有的编程全角字符的解决方式,但个人觉得并没有上面这种用正则表达式替换的好
程序代码
private static String xssEncode(String s) {
if (s == null || s.equals("")) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '>':
sb.append('>');// 全角大于号
break;
case '<':
sb.append('<');// 全角小于号
break;
case '\'':
sb.append('\\');
sb.append('\'');
sb.append('\\');
sb.append('\'');
break;
case '\"':
sb.append('\\');
sb.append('\"');// 全角双引号
break;
case '&':
sb.append('&');// 全角
break;
case '\\':
sb.append('\');// 全角斜线
break;
case '#':
sb.append('#');// 全角井号
break;
case ':':
sb.append(':');// 全角冒号
break;
case '%':
sb.append("\\\\%");
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
当然,还有如下更简单的方式:
程序代码
private String cleanXSS(String value) {
//You'll need to remove the spaces from the html entities below
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
在后台或者用spring 如何实现呢:
首先添加一个jar包:commons-lang-2.5.jar ,然后在后台调用这些函数:
程序代码
StringEscapeUtils.escapeHtml(string);
StringEscapeUtils.escapeJavaScript(string);
StringEscapeUtils.escapeSql(string);
当然,我记得在spring 里面好像有一个 HtmlUtils.htmlEscape , 同样可以做到 过滤 XSS 攻击。从上面的介绍可以看出,防止 XSS 攻击并不难,就是要小心。 但事实上在我经历过的银行项目开发过程中,基本都会采用 spring 框架,所以完全可以不用自己开发 filter 去拦截 csrf 攻击的请求,而直接采用实现 spring 提供的 HandlerInterceptor 来实现。 从本质上来说,这也是一个 filter. 我这里就直接实现它来 防止 csrf 攻击.
基本思路:
1. 用户登录之后,后台程序生产一个 csrftoken 的 token ,放在 cookies 中,并且记录在 session 中。
2. 当客户端发出请求的访问后台程序的时候,经过自己实现的HandlerInterceptor 来拦截.
3. 拦截的基本方法是检查请求的参数中是否有csrftoken ,并检查这个值,是否合法有效(不为空,并且得到的参数等于cookies 中保存的值,而且还要等于session 中的值,那么就是合法的)
直接上代码,需要相关 spring 的jar 包,自己可以准备好,代码如下:
程序代码package com.yihaomen.intercepter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
public class CsrfIntercepter implements HandlerInterceptor {
public static final String CSRFNUMBER = "csrftoken";
public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
String keyFromRequestParam = (String) request.getParameter(CSRFNUMBER);
String keyFromCookies="";
boolean result=false;
Cookie[] cookies = request.getCookies();
if(cookies!=null){
for (int i = 0; i < cookies.length; i++) {
String name = cookies[i].getName();
if(CSRFNUMBER.equals(name) ) {
keyFromCookies= cookies[i].getValue();
}
}
}
if((keyFromRequestParam!=null && keyFromRequestParam.length()>0 &&
keyFromRequestParam.equals(keyFromCookies) &&
keyFromRequestParam.equals((String)request.getSession().getAttribute(CSRFNUMBER)))) {
result=true;
}else{
request.getRequestDispatcher("/error/400").forward(request, response);
}
return result;
}
public void afterCompletion(HttpServletRequest arg0, HttpServletResponse arg1,
Object arg2, Exception arg3) throws Exception {
}
public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
Object arg2, ModelAndView arg3) throws Exception {
}
}
这样就可以实现在 j2ee 应用中拦截 csrf 攻击了。
- springboot 安全防火
- 实验室防火安全系统简介
- 实验室智能防火安全系统-------bootloader
- SpringBoot安全
- springboot 测试增加安全处理
- 使用防火玻璃块创建安全,时尚的窗户和墙壁
- 防火常识
- 防火长城
- SpringBoot应用服务启动与安全终止
- springboot【7】安全控制之Spring Security
- SpringBoot 中文手册 --Part IV --28 安全
- 防火,防盗,防记者
- Cisco PIX 防火墻設置
- 防火牆自我檢查表
- 防火强 配置
- 联想防火期设置
- 更符合防火
- 家庭防火应急预案
- 精通八大排序算法系列:二、堆排序算法
- React native真机调试
- IOS点击键盘以外空白区域隐藏键盘的4种常见写法
- 《angularjs权威教程》摘录
- CSS选择器以及优先级
- springboot 安全防火
- [cogs2482][二分答案]Franky的胡子
- 将libcurl封装下载类
- Windows下nodejs安装与配置
- eclipse没有断点,运行时出debug
- 条件概率与事件的相互独立性
- 通过PHP调用天市数据的水电煤缴费接口
- Android混淆设置
- HEVC Screen Content Coding Overview
