csrf - fixing unauthorized retrieval of interface information in the system

A scan by the group security department found that the system's interface (API) information could be retrieved without authorization.

The system was modified as follows:

Overall approach: add an interceptor that checks the login state of each request before it reaches a controller (login, registration and similar requests are excluded from the check).

Version one

With the spring-mvc version in the system's pom file left unchanged, the requests excluded from interception are configured in a properties file.

import java.util.Arrays;
import java.util.List;
import java.util.ResourceBundle;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;        // assumed: commons-lang StringUtils
import org.springframework.util.CollectionUtils;   // assumed: Spring's CollectionUtils
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

// StructLogger is the project's own logging wrapper; its package is not shown on this page.
public class LoginStatusInterceptor implements HandlerInterceptor {

    private static final StructLogger logger = StructLogger.getLogger(LoginStatusInterceptor.class);

    private static final ResourceBundle res = ResourceBundle.getBundle("CommonResourse");

    // Paths allowed through without a login session, read from loginStatusIgnore in CommonResourse.properties
    private static final List<String> loginStatusIgnore = Arrays.asList(res.getString("loginStatusIgnore").split(","));

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        request.setCharacterEncoding("UTF-8");
        String url = request.getServletPath();
        // logger.info(url);
        // Note: a blank servlet path skips the session check entirely.
        if (StringUtils.isNotBlank(url)) {
            // Exact match against the exclusion list: login/registration pages need no session
            if (!CollectionUtils.isEmpty(loginStatusIgnore) && loginStatusIgnore.contains(url)) {
                return true;
            }
            // Every other path requires the seqno that the login flow stores in the session
            String seqno = (String) request.getSession().getAttribute("seqno");
            if (StringUtils.isBlank(seqno)) {
                logger.info("----------------------interceptor 獲取session的seqno爲空");
                return false;   // request is stopped before reaching the controller
            }
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        // nothing to do after the controller runs
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        // nothing to clean up
    }
}

Add the exclusion list to CommonResourse.properties; configure the request paths to exclude from interception, separating multiple paths with ",".

# requests that skip the login-state check
loginStatusIgnore=/ehrlogin.htm,/ehrnologin.htm,/in/modehrpassword.htm,/getvalidcode.htm,/ehrregister.htm

Spring MVC interceptor configuration

<!-- configure interceptors; multiple interceptors run in order -->
<mvc:interceptors>
	<mvc:interceptor>
		<!-- matches the URL path; if omitted or set to /**, every Controller is intercepted -->
		<mvc:mapping path="/**"/>
		<bean class="com.intime.hr.interceptor.CSRFInterceptor"></bean>
	</mvc:interceptor>
	<!-- with multiple interceptors, preHandle is called in order, then postHandle and afterCompletion are called in reverse order -->
	<mvc:interceptor>
		<mvc:mapping path="/**"/>
		<bean class="com.intime.hr.interceptor.LoginStatusInterceptor"></bean>
	</mvc:interceptor>
</mvc:interceptors>

------------------------------------------------------------------------------------------------------------------------------------

Version two

Update the spring-mvc version in the system's pom file to 3.2 or above and use the mvc exclude tag to exclude requests from interception (the exclude tag is supported from version 3.2).

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;        // assumed: commons-lang StringUtils
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

// StructLogger is the project's own logging wrapper; its package is not shown on this page.
// The exclusion list is gone: excluded paths are now declared with <mvc:exclude-mapping> in the XML below.
public class LoginStatusInterceptor implements HandlerInterceptor {

    private static final StructLogger logger = StructLogger.getLogger(LoginStatusInterceptor.class);

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        request.setCharacterEncoding("UTF-8");
        String url = request.getServletPath();
        // logger.info(url);
        // Note: a blank servlet path skips the session check entirely.
        if (StringUtils.isNotBlank(url)) {
            // Every intercepted path requires the seqno that the login flow stores in the session
            String seqno = (String) request.getSession().getAttribute("seqno");
            if (StringUtils.isBlank(seqno)) {
                logger.info("----------------------interceptor 獲取session的seqno爲空");
                return false;   // request is stopped before reaching the controller
            }
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        // nothing to do after the controller runs
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        // nothing to clean up
    }
}

Spring MVC interceptor configuration

<!-- configure interceptors; multiple interceptors run in order -->
<mvc:interceptors>
	<mvc:interceptor>
		<!-- matches the URL path; if omitted or set to /**, every Controller is intercepted -->
		<mvc:mapping path="/**"/>
		<bean class="com.intime.hr.interceptor.CSRFInterceptor"></bean>
	</mvc:interceptor>
	<!-- with multiple interceptors, preHandle is called in order, then postHandle and afterCompletion are called in reverse order -->
	<mvc:interceptor>
		<mvc:mapping path="/**"/>
		<mvc:exclude-mapping path="/ehrlogin.htm"/>
		<mvc:exclude-mapping path="/ehrnologin.htm"/>
		<mvc:exclude-mapping path="/ehrregister.htm"/>
		<bean class="com.intime.hr.interceptor.LoginStatusInterceptor"></bean>
	</mvc:interceptor>
</mvc:interceptors>

Checks after the change:

1. Whether interface information can still be retrieved without logging in

2. Whether the exclusion of requests from interception takes effect
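To make the two checks above repeatable, here is an added example (not the project's code) that runs a hardened variant of the interceptor against Spring's mock servlet objects; it assumes Spring 3.2 to 5.x with spring-test on the classpath, and the business path /in/querystaff.htm is a constructed placeholder. Unlike the page's interceptor, it answers an explicit 401 instead of a bare false, which on its own yields an empty 200 response.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical hardened variant of the page's LoginStatusInterceptor (added example, not project code).
public class LoginStatusInterceptorCheck extends HandlerInterceptorAdapter {

    // Same exclusion list as the page's loginStatusIgnore property, embedded so the example runs alone.
    static final List<String> LOGIN_STATUS_IGNORE = Arrays.asList("/ehrlogin.htm", "/ehrnologin.htm", "/ehrregister.htm");

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        if (LOGIN_STATUS_IGNORE.contains(request.getServletPath())) {
            return true;                                   // login/register pages need no session
        }
        Object seqno = request.getSession().getAttribute("seqno");
        if (seqno == null || seqno.toString().trim().isEmpty()) {
            // A bare "return false" leaves an empty 200 reply; an explicit 401 tells clients
            // (and the security scanner) that the interface is protected.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write("{\"code\":401,\"msg\":\"login required\"}");
            return false;
        }
        return true;
    }

    // Builds a request with its servlet path set explicitly (MockHttpServletRequest defaults it to "").
    static MockHttpServletRequest get(String path) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", path);
        req.setServletPath(path);
        return req;
    }

    // Runs the post-change checks; /in/querystaff.htm is a constructed business path.
    public static void main(String[] args) throws Exception {
        LoginStatusInterceptorCheck it = new LoginStatusInterceptorCheck();
        MockHttpServletResponse resp = new MockHttpServletResponse();
        boolean anonPassed = it.preHandle(get("/in/querystaff.htm"), resp, null);
        System.out.println("check 1 (anonymous call): passed=" + anonPassed + ", status=" + resp.getStatus());
        boolean loginPassed = it.preHandle(get("/ehrlogin.htm"), new MockHttpServletResponse(), null);
        System.out.println("check 2 (excluded login page): passed=" + loginPassed);
        MockHttpServletRequest auth = get("/in/querystaff.htm");
        auth.getSession().setAttribute("seqno", "123");
        System.out.println("logged-in call: passed=" + it.preHandle(auth, new MockHttpServletResponse(), null));
    }
}
```

Check 1 should report passed=false with status 401, check 2 passed=true, and the logged-in call passed=true; the same three requests can be replayed against the deployed app to confirm the XML exclude-mapping list matches the interceptor's behaviour.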
