From a8ba678a3fe5a39da2c732014cebbb66e408e97c Mon Sep 17 00:00:00 2001
From: WangHan <wwh_work@126,com>
Date: 星期三, 02 四月 2025 18:45:12 +0800
Subject: [PATCH] 问题与漏洞修改
---
 iplatform-base-security-consum/src/main/java/com/iplatform/security/config/WebSecurityConfig.java | 128 ++++++++++++++++++++++++------------
 1 files changed, 72 insertions(+), 56 deletions(-)
diff --git a/iplatform-base-security-consum/src/main/java/com/iplatform/security/config/WebSecurityConfig.java b/iplatform-base-security-consum/src/main/java/com/iplatform/security/config/WebSecurityConfig.java
index 90761ab..3078051 100644
--- a/iplatform-base-security-consum/src/main/java/com/iplatform/security/config/WebSecurityConfig.java
+++ b/iplatform-base-security-consum/src/main/java/com/iplatform/security/config/WebSecurityConfig.java
@@ -37,6 +37,7 @@
 import com.walker.web.security.DefaultSecurityMetadataSource;
 import com.walker.web.security.ResourceLoadProvider;
 import com.walker.web.token.JwtTokenGenerator;
+import org.apache.commons.collections4.CollectionUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
@@ -45,6 +46,7 @@
 import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.web.ExceptionHandlingDsl;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
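Review bot: The `ExceptionHandlingDsl` import added in the second hunk appears unused; the rewritten `filterChain` configures exception handling through the `Customizer` lambda form (`http.exceptionHandling(exceptionHandling -> ...)`), which needs no extra type, and nothing else in this patch references it. That class is the Kotlin DSL type in spring-security-config, so importing it from Java only ties the configuration to an API it does not call; the line `import org.springframework.security.config.annotation.web.ExceptionHandlingDsl;` should be dropped. The `CollectionUtils` import in the first hunk is used by the new `configureAnonymousAccess` helper and is fine.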
@@ -93,6 +95,13 @@ } /** + * HttpSecurity锛氬拷鐣� antMatchers 涓娇鐢ㄧ殑绔偣鐨勮韩浠介獙璇侊紝鍏朵粬瀹夊叏鍔熻兘灏嗙敓鏁堛��<br></br> + * WebSecurity锛氱洿鎺ュ拷鐣ヤ篃涓嶄細杩涜 CSRF xss绛夋敾鍑讳繚鎶ゃ�� + * @param http + * @return + * @throws Exception + */ + /** * HttpSecurity锛氬拷鐣� antMatchers 涓娇鐢ㄧ殑绔偣鐨勮韩浠介獙璇侊紝鍏朵粬瀹夊叏鍔熻兘灏嗙敓鏁堛��<br></br> * WebSecurity锛氱洿鎺ュ拷鐣ヤ篃涓嶄細杩涜 CSRF xss绛夋敾鍑讳繚鎶ゃ�� * @param http 
@@ -101,82 +110,89 @@ */ @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // 缂撳瓨 securityProperties 鐨勭粨鏋滐紝閬垮厤閲嶅璋冪敤 + SecurityProperties securityProperties = this.securityProperties(); - DefaultUserDetailsService userDetailsService = userDetailsService(this.securityProperties(), this.userCacheProvider); + DefaultUserDetailsService userDetailsService = userDetailsService(securityProperties, this.userCacheProvider); http.userDetailsService(userDetailsService); + // CSRF绂佺敤锛屽洜涓轰笉浣跨敤session - http.csrf().disable(); - // ??? - http.headers().frameOptions().disable(); + // 娉ㄦ剰锛氱鐢–SRF闇�纭繚鎵�鏈夋帴鍙e凡閫氳繃鍏朵粬鏂瑰紡淇濇姢 + http.csrf(csrf -> csrf.disable()); - // 鐧诲綍琛屼负鐢辫嚜宸卞疄鐜帮紝鍙傝�� AuthController#login - http.formLogin().disable().httpBasic().disable(); + // 绂佺敤frameOptions浠ユ敮鎸乮frame宓屽 + // 鏇挎崲寮冪敤鐨� headers() 鏂规硶 + http.headers(headers -> headers.frameOptions(frameOptions -> frameOptions.disable())); - // 鍖垮悕璧勬簮璁块棶鏉冮檺锛岃繑鍥炴棤鏉冮檺鎻愮ず鎺ュ彛 - http.exceptionHandling().authenticationEntryPoint(failedAuthenticationEntryPoint()) - // 宸茶璇佺敤鎴锋棤鏉冮檺璁块棶閰嶇疆 - .accessDeniedHandler(this.accessDeniedHandler()) - .and() - // 鍩轰簬token锛屾墍浠ヤ笉闇�瑕乻ession - .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); + // 绂佺敤榛樿鐧诲綍鍜孒TTP Basic璁よ瘉 + http.formLogin(formLogin -> formLogin.disable()); -// http.formLogin().loginProcessingUrl("/login") -// .failureHandler(this.authenticationFailureHandler()); - // 娉ㄦ剰锛氳繖閲屼笉鑳介厤缃笂闈㈢殑鐧诲綍锛屽惁鍒欏氨涓嶄細鎵ц鑷繁瀹炵幇鐨�/login鏂规硶銆�2022-11-11 - http.logout().logoutUrl("/logout").logoutSuccessHandler(this.logoutSuccessHandler()).permitAll(); + // 寮傚父澶勭悊閰嶇疆 + http.exceptionHandling(exceptionHandling -> exceptionHandling + .authenticationEntryPoint(failedAuthenticationEntryPoint()) + .accessDeniedHandler(this.accessDeniedHandler())); - // 鍖垮悕璁块棶闆嗗悎锛�2022-11-07 - List<String> anonymousList = this.securityProperties().getAnonymousList(); - if(!StringUtils.isEmptyList(anonymousList)){ - 
http.authorizeHttpRequests().antMatchers(anonymousList.toArray(new String[]{})).permitAll(); - } -// http.authorizeHttpRequests().antMatchers("/login", "/register", "/captchaImage", "/test/**").permitAll(); -// http.authorizeHttpRequests().antMatchers("/static/**", "/test/**").permitAll(); -// http.authorizeHttpRequests().antMatchers("/security/**").hasAuthority("query_user"); + // 鍩轰簬token锛屾墍浠ヤ笉闇�瑕乻ession + http.sessionManagement(sessionManagement -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS)); - // 2023-03-21 娉ㄩ噴鎺夛紝璋冭瘯activiti7鏃跺彂鐜板拰涓嬮潰閲嶅锛� - // http.addFilterBefore(securityInterceptor(), FilterSecurityInterceptor.class); - /*http.authorizeHttpRequests().withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>(){ - @Override - public <O extends FilterSecurityInterceptor> O postProcess(O object) { - object.setAccessDecisionManager(accessDecisionManager());//鍐崇瓥绠$悊鍣� - object.setSecurityMetadataSource(securityMetadataSource());//瀹夊叏鍏冩暟鎹簮 - return object; - } - });*/ + // 鐧诲嚭閰嶇疆 + http.logout(logout -> logout + .logoutUrl("/logout") + .logoutSuccessHandler(this.logoutSuccessHandler()) + .permitAll()); - // 2023-01-28 閰嶇疆鑷畾涔夎璇佹彁渚涜��(瀵嗙爜楠岃瘉鐢�) - http.authenticationProvider(this.authenticationProvider(userDetailsService, securityProperties())); + // 閰嶇疆鍖垮悕璁块棶鏉冮檺 + configureAnonymousAccess(http, securityProperties); + + // 閰嶇疆鑷畾涔夎璇佹彁渚涜�� + http.authenticationProvider(this.authenticationProvider(userDetailsService, securityProperties)); // 鎵�鏈夎姹傞兘闇�瑕佽璇� - http.authorizeHttpRequests().anyRequest().authenticated(); - // 浣跨敤鑷畾涔夊姩鎬佹嫤鎴櫒锛屾嫤鎴墍鏈夋潈闄愯姹傦紝2022-11-02 + http.authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests.anyRequest().authenticated()); + + // 娣诲姞鑷畾涔夊姩鎬佹嫤鎴櫒 http.addFilterBefore(securityInterceptor(), FilterSecurityInterceptor.class); - // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - // token鎷︽埅杩囨护鍣紝2022-11-02 - // 
蹇呴』鍦ㄨ繖閲屾坊鍔犳嫤鎴紝涓嶈兘鏀惧湪'FilterSecurityInterceptor'涔嬪悗锛屽洜涓哄鏋滄斁鍦ㄤ箣鍚庯紝閭d箞灏辨棤娉曡幏寰楃敤鎴蜂俊鎭紝浠庤�屾棤娉� - // 鑾峰緱鐢ㄦ埛鎵�鍏锋湁鐨勬潈闄愯鑹查泦鍚�:roleIdList銆�2022-11-14(2) + // 娣诲姞JWT璁よ瘉杩囨护鍣� http.addFilterBefore(jwtAuthenticationTokenFilter(userDetailsService), UsernamePasswordAuthenticationFilter.class); -// http.addFilterBefore(jwtAuthenticationTokenFilter(), DefaultAuthenticationFilter.class); - // 灏濊瘯璁﹋wt鍦║RL鏉冮檺涔嬪悗鎵嶆嫤鎴�, 2022-11-14(1) - // 娉ㄦ剰锛氫互涓� UsernamePasswordAuthenticationFilter 闇�瑕佸幓鎺夋墠鑳界敓鏁� -// http.addFilterAfter(jwtAuthenticationTokenFilter(), FilterSecurityInterceptor.class); - // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - if(this.securityProperties().isCorsEnabled()){ - // 瑙e喅璺ㄥ煙杩囨护鍣紝2022-11-06 - http.addFilterBefore(this.corsFilter().getFilter(), JwtAuthenticationTokenFilter.class); - // 鏈煡锛�2022-11-11 - http.addFilterBefore(this.corsFilter().getFilter(), LogoutFilter.class); - } else { - System.out.println("涓嶆坊鍔犺法鍩熻繃婊ゅ櫒: "); - } + // 閰嶇疆璺ㄥ煙杩囨护鍣� + configureCorsFilter(http, securityProperties); return http.build(); } /** + * 閰嶇疆鍖垮悕璁块棶鏉冮檺 + */ + private void configureAnonymousAccess(HttpSecurity http, SecurityProperties securityProperties) throws Exception { + List<String> anonymousList = securityProperties.getAnonymousList(); + if (!CollectionUtils.isEmpty(anonymousList)) { + http.authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests + .requestMatchers(anonymousList.toArray(new String[0])).permitAll()); + } + } + + /** + * 閰嶇疆璺ㄥ煙杩囨护鍣� + */ + private void configureCorsFilter(HttpSecurity http, SecurityProperties securityProperties) throws Exception { + if (securityProperties.isCorsEnabled()) { + CorsFilter corsFilter = this.corsFilter().getFilter(); + if (corsFilter != null) { + http.addFilterBefore(corsFilter, JwtAuthenticationTokenFilter.class) + .addFilterBefore(corsFilter, LogoutFilter.class); + logger.info("璺ㄥ煙杩囨护鍣ㄥ凡鍚敤"); + } else { + logger.warn("璺ㄥ煙杩囨护鍣ㄦ湭姝g‘鍒濆鍖�"); + } + } else { + logger.info("璺ㄥ煙杩囨护鍣ㄦ湭鍚敤"); + } + } + + + /** * 
鑾峰彇AuthenticationManager锛堣璇佺鐞嗗櫒锛夛紝鐧诲綍鏃惰璇佷娇鐢� * @param authenticationConfiguration * @return -- Gitblit v1.9.1
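Review bot: `http.headers(headers -> headers.frameOptions(frameOptions -> frameOptions.disable()))` in `filterChain` keeps X-Frame-Options off for every response, so any origin can frame the application (clickjacking); the removed line carried a `// ???` comment, and the new comment asserts the setting exists for iframe embedding without saying where that embedding is required. Unless cross-origin framing is genuinely needed, prefer `http.headers(headers -> headers.frameOptions(frameOptions -> frameOptions.sameOrigin()));`, which still permits same-origin frames, and if a wider policy really is intended, name the consuming origin in the comment so the exception is reviewable. In `configureCorsFilter` the same `CorsFilter` instance is still registered twice (before `JwtAuthenticationTokenFilter` and before `LogoutFilter`); the original comment on the second registration said its purpose was unknown, and the refactor drops that note without resolving it, so either the second `addFilterBefore` should go or the reason it is needed belongs in the comment. The new helpers also log through `logger`, which no hunk in this patch declares; presumably the class already has such a field, but that is worth confirming since the replaced code wrote to `System.out`.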