web安全框架,主要用servlet filter方式覆蓋httpServletRequest和HttpServletResponse方式增加一些輸入輸出的過濾,github地址:https://github.com/zhwj184/webSecurity
主要實現的安全包括:
-
XSS過濾(獲取用戶輸入參數和參數值進行XSS過濾,對Header和cookie value值進行XSS過濾(轉碼Script標籤的< > 符號),
-
對Response的setStatus(int sc, String sm)方法 sm錯誤信息進行XSS過濾;
-
對Header的CLRF進行過濾;
-
對cookie大小和cookie的白名單進行驗證;
-
對文件上傳後綴白名單進行驗證;
-
對只允許POST提交的url進行驗證;
-
CSRF攻擊 tokenID防禦支持;
-
SESSION通過加密存儲到cookie支持;
-
靜態資源路徑去除../上級目錄符號;
使用指南:只需要在web.xml中配置對應的filter即可。
HttpSessionCookitStoreFilter是session存儲到cookie的支持,encryKey加密密鑰;
DefaultBaseSecurityFilter是默認的安全過濾filter,
securityFilterList可以配置對應的filter;
CookieWhiteListFilter:cookie白名單配置,如果配置這個,則需要配置參數cookieWhiteList;
CsrfTokenCkeckFilter:對post表單提交進行csrf token驗證;使用CsrfTokenIdCreator生成csrf tokenid後放入表單還有session中,key名稱必須爲csrf_開頭;爲了支持多個form表單;
FileUploadSecurityFilter:文件上傳後綴白名單驗證,需要配置whitefilePostFixList參數;
FormPostPermitCheckFilter;只允許post提交的url列表,需要配置onlyPostUrlList參數;
redirectWhiteList:是配置重定向白名單url參數;
StaticFilePathSecurityFilter:url的../上級路徑過濾;
使用在
<filter>
<filter-name>HttpSessionCookitStoreFilter</filter-name>
<filter-class>org.websecurity.filter.HttpSessionCookitStoreFilter</filter-class>
<init-param>
<param-name>encryKey</param-name>
<param-value>1234567887654321</param-value>
</init-param>
</filter>
<filter>
<filter-name>DefaultBaseSecurityFilter</filter-name>
<filter-class>org.websecurity.DefaultBaseSecurityFilter</filter-class>
<init-param>
<param-name>securityFilterList</param-name><!-- ,org.websecurity.filter.CsrfTokenCkeckFilter -->
<param-value>org.websecurity.filter.CookieWhiteListFilter,org.websecurity.filter.FormPostPermitCheckFilter</param-value>
</init-param>
<init-param>
<param-name>cookieWhiteList</param-name>
<param-value>id,JESSIONID,name,clrf</param-value>
</init-param>
<init-param>
<param-name>onlyPostUrlList</param-name>
<param-value>/d/sssecurity, /user/aaa/name*</param-value><!-- 支持正則匹配 -->
</init-param>
<init-param>
<param-name>whitefilePostFixList</param-name>
<param-value>jpg,png,doc,xls</param-value>
</init-param>
<init-param>
<param-name>encryKey</param-name>
<param-value>1234567887654321</param-value>
</init-param>
<init-param>
<param-name>redirectWhiteList</param-name>
<param-value>http://localhost:8080/[0-9A-Za-z]*,http://www.taobao.com/[0-9A-Za-z]*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HttpSessionCookitStoreFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>DefaultBaseSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
測試代碼:
@WebServlet(urlPatterns={"/security"},initParams={@WebInitParam(name="f", value="valuef"),@WebInitParam(name="g", value="valueg")})
public class MySecurityTest extends HttpServlet {
private static final long serialVersionUID = 1L;
/**
* @see HttpServlet#HttpServlet()
*/
public MySecurityTest() {
super();
// TODO Auto-generated constructor stub
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
//xss params filter
//url:
System.out.println(request.getParameter("xssparam")); //output:
System.out.println(request.getParameterMap().toString());
//cookie white list output filter
System.out.println(request.getCookies().toString());
response.addCookie(new Cookie("name", "valName"));//valid
response.addCookie(new Cookie("clrf", "valName\r\n<script>"));//valid
try{
response.addCookie(new Cookie("invalidName", "invalidvalName"));//not valid, throw runtimeexception
}catch(Exception e){
e.printStackTrace();
}
//cookie maxsize filter
response.addCookie(new Cookie("id", ByteBuffer.allocate(4 * 1024 + 2).toString()));//valid
//head security filter
response.setHeader("aaa\r\nbbb", "ccc\r\\ddd\n");
//session store to cookie
System.out.println(request.getSession().getAttribute("sescookie"));
request.getSession().setAttribute("sescookie", "sessioncookiestoretest");
//rediction filter
// response.sendRedirect("http://www.163.com");//failed
//status filter
response.setStatus(404, "<script>alert(1)</script>");
}
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.getWriter().write("hello, world");
}
}
一些輸出:
<script>alert(1)</script>
{xssparam=[Ljava.lang.String;@3476a7}
[Ljavax.servlet.http.Cookie;@1f5865a
java.lang.RuntimeException: cookie:invalidName is not in whitelist,not valid.
at org.websecurity.SecurityHttpServletResponse.addCookie(SecurityHttpServletResponse.java:34)
at org.websecurity.test.MySecurityTest.doGet(MySecurityTest.java:44)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.filter.My3Filter2.doFilter(My3Filter2.java:28)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.filter.My3Filter.doFilter(My3Filter.java:29)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.websecurity.DefaultBaseSecurityFilter.doFilter(DefaultBaseSecurityFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)