There are many security issues; this post covers three of them:
1. XSS filtering
2. Restricting uploaded file types in Spring
3. Changing the Resin banner (the server information it reveals)《@中國人叔叔-lt》
Part one: XSS filtering
For a web project, XSS filtering can be done with a filter that parses the parameters in the request and replaces any special characters it finds. There is a post online that implements it this way (a "springmvc xss" solution), and many people who want to avoid the hassle just paste that code and consider the problem solved. Sooner or later, though, you run into trouble, so here is one example. When Spring MVC handles an upload it converts the ServletRequest object into a MultipartHttpServletRequest, but the XSS handling has already converted the ServletRequest into an XssHttpServletRequestWrapper. After filtering, the conversion to MultipartHttpServletRequest on the way to the controller then throws an error. The simple fix in the XSS handling is to skip XSS filtering when the request is a file upload. The code is as follows:
```java
package Interceptors.xss;

import common.http.XssHttpServletRequestWrapper;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Created by 18621 on 2017/7/25.
 */
public class XssFilter implements Filter {
    FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        String contentType = request.getContentType();
        // For an upload, do not create the XSS wrapper: pass the request through
        // unchanged and return, so the chain is not invoked a second time below.
        if (contentType != null && contentType.toLowerCase().startsWith("multipart/")) {
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new XssHttpServletRequestWrapper(
                (HttpServletRequest) request), response);
    }
}
```
Part two: restricting uploaded file types in Spring MVC. Create an interceptor; the filtering code is as follows:
```java
package Interceptors.fileupload;

import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * @author liting
 * @since 1.0  Upload interceptor: every multipart request mapped to it is checked
 *             against the allowed file-type list before the controller runs.
 */
public class FileUploadInterceptors implements HandlerInterceptor {
    // Allowed upload file types (extensions, compared exactly and case-insensitively)
    private static final Set<String> ALLOWED_SUFFIXES = new HashSet<>(Arrays.asList(
            "jpg,gif,png,ico,bmp,jpeg,zip,zp,rar,doc,docx,excel,xls,xlxs".split(",")));

    // preHandle returning true lets the request go on to the handler it was meant
    // for; false stops processing here.
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // Is this a file upload request?
        if (request instanceof MultipartHttpServletRequest) {
            MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
            // Walk every file part; getMultiFileMap() also covers several files
            // uploaded under the same form field name
            for (List<MultipartFile> parts : multipartRequest.getMultiFileMap().values()) {
                for (MultipartFile multipartFile : parts) {
                    String filename = multipartFile.getOriginalFilename();
                    // Is this a restricted file type?
                    if (!checkFile(filename)) {
                        // Reject explicitly; returning false alone would send an empty response
                        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "file type not allowed");
                        return false;
                    }
                }
            }
        }
        return true;
    }

    public void postHandle(HttpServletRequest request,
                           HttpServletResponse response, Object handler,
                           ModelAndView modelAndView) throws Exception {
        //System.out.println("Post-handle");
    }

    public void afterCompletion(HttpServletRequest request,
                                HttpServletResponse response, Object handler, Exception ex)
            throws Exception {
        //System.out.println("After completion handle");
    }

    /**
     * Returns true if the file name carries an allowed upload extension.
     */
    private boolean checkFile(String fileName) {
        if (fileName == null) {
            return false;
        }
        int dot = fileName.lastIndexOf('.');
        // No extension at all, or a trailing dot: nothing to match, so reject
        if (dot < 0 || dot == fileName.length() - 1) {
            return false;
        }
        // Get the file extension
        String suffix = fileName.substring(dot + 1).trim().toLowerCase();
        // Exact match against the set; String.contains() on the comma-separated
        // list would also accept fragments such as "p" or "oc"
        return ALLOWED_SUFFIXES.contains(suffix);
    }
}
```
Part three: changing the Resin banner
What is the Resin banner? When you debug in the browser you can see the server's information, such as which server it is and its version number. This information can serve as supporting information for a hacker, so it should be changed to incorrect values. Resin ships resin.jar under its lib directory. Modify the Version.class inside that package: decompile it, change it, and copy it back into the JAR.
```java
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.caucho;

public final class Version {
    public static final String COPYRIGHT = "Copyright(c) 1998-2008 Caucho Technology. All rights reserved.";
    public static String FULL_VERSION = "Resin-3.1.12 (built Mon, 13 Oct 2014 06:45:33 PDT)";
    public static String VERSION = "3.1.12";
    public static String VERSION_DATE = "20141013T064533";

    public Version() {
    }

    public static void main(String[] argv) {
        System.out.println(FULL_VERSION);
        System.out.println("Copyright(c) 1998-2008 Caucho Technology. All rights reserved.");
    }
}
```