Question:

Bypassing the Spring Security filter chain

饶志
2023-03-14
@Override
public void configure(WebSecurity web) throws Exception {
    web
            .ignoring()
            .antMatchers("/health");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .exceptionHandling()
            .authenticationEntryPoint(ssoEntryPoint());
    http
            .authorizeRequests()

            .antMatchers("/images/**").permitAll()
            .antMatchers("/scripts/**").permitAll()
            .antMatchers("/styles/**").permitAll()
            .antMatchers("/vendor/**").permitAll()
            .antMatchers("/views/**").permitAll()
            .antMatchers("/index.html").permitAll()
            .antMatchers("/api/**").authenticated();

    http    // login configuration
            .addFilterAfter(ssoSpringSecurityFilter(), BasicAuthenticationFilter.class);

    http    //logout configuration
            .logout()
            .logoutSuccessHandler(logoutHandler());

    http.csrf().disable();

}
  2016-01-29 12:59:23.729  INFO 10572 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/health'], []
  2016-01-29 12:59:23.814 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/images/**']
  2016-01-29 12:59:23.816 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/modules/**']
  2016-01-29 12:59:23.816 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/scripts/**']
  2016-01-29 12:59:23.816 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/styles/**']
  2016-01-29 12:59:23.816 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/vendor/**']
  2016-01-29 12:59:23.816 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/views/**']
  2016-01-29 12:59:23.816 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/index.html']
  2016-01-29 12:59:23.816 DEBUG 10572 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for Ant [pattern='/api/**']

When I call my service at this URL:

  https://localhost:9999/health

I get this stack trace:

  2016-01-29 13:05:34.076  INFO 10572 --- [nio-9999-exec-4] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
  2016-01-29 13:05:34.076  INFO 10572 --- [nio-9999-exec-4] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
  2016-01-29 13:05:34.121  INFO 10572 --- [nio-9999-exec-4] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 45 ms
  2016-01-29 13:05:34.136 DEBUG 10572 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/health'; against '/css/**'
  2016-01-29 13:05:34.136 DEBUG 10572 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/health'; against '/js/**'
  2016-01-29 13:05:34.136 DEBUG 10572 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/health'; against '/images/**'
  2016-01-29 13:05:34.137 DEBUG 10572 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/health'; against '/**/favicon.ico'
  2016-01-29 13:05:34.137 DEBUG 10572 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/health'; against '/error'
  2016-01-29 13:05:34.137 DEBUG 10572 --- [nio-9999-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/health'; against '/health'
  2016-01-29 13:05:34.137 DEBUG 10572 --- [nio-9999-exec-4] o.s.security.web.FilterChainProxy        : /health has an empty filter list

What does it mean that /health has an empty filter list?
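The log line can be checked directly rather than inferred from DEBUG output: Spring Security exposes the assembled chains through the `FilterChainProxy` bean, and `getFilters(String)` returns the filter list that a request path would be routed through. The following is an added example, not code from the question; it assumes a Spring Boot application with Spring Security 4/5 (the `WebSecurityConfigurerAdapter` style used above), JUnit 4 and spring-test on the classpath, and the `/health` ignore rule plus the `/api/**` rule from the question's configuration.

```java
// Added example (not from the question): asks the FilterChainProxy which
// filters a given path is routed through. Assumes Spring Boot with
// Spring Security 4/5, JUnit 4 and spring-test.
import java.util.List;
import javax.servlet.Filter;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.junit4.SpringRunner;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

@RunWith(SpringRunner.class)
@SpringBootTest
public class SecurityFilterChainCheck {

    // Spring Security registers its FilterChainProxy as the bean
    // "springSecurityFilterChain". It holds one SecurityFilterChain per
    // configured matcher, consulted in declaration order; the first match wins.
    @Autowired
    private FilterChainProxy springSecurityFilterChain;

    @Test
    public void ignoredUrlHasNoSecurityFilters() {
        // web.ignoring().antMatchers("/health") produced the startup log line
        // "Creating filter chain: Ant [pattern='/health'], []": a chain whose
        // matcher is /health and whose filter list is empty. A request to it
        // runs no security filter at all: no SecurityContextPersistenceFilter,
        // no header writers, no CSRF check, no ExceptionTranslationFilter.
        List<Filter> healthFilters = springSecurityFilterChain.getFilters("/health");
        assertTrue(healthFilters.isEmpty());
    }

    @Test
    public void protectedUrlRunsTheFullChain() {
        // /api/** falls through to the main chain built by configure(HttpSecurity).
        // Anything added with http.addFilterAfter(...) lives in this list and
        // only in this list; a filter that still runs for /health is being
        // invoked from somewhere other than the Spring Security chain.
        List<Filter> apiFilters = springSecurityFilterChain.getFilters("/api/users");
        assertFalse(apiFilters.isEmpty());
    }
}
```

Because the ignored chain is empty, `web.ignoring()` is only appropriate for resources that need none of the security infrastructure (static assets, an unauthenticated health endpoint with nothing sensitive in it); for anything else, `permitAll()` inside `HttpSecurity` keeps the request in the chain while still allowing anonymous access.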

1 answer

牧宁
2023-03-14

I ran into the same problem; I could never get `web.ignoring().antMatchers(...)` to work. My custom filter was always invoked.

There is a way to force the filter not to act on a given URL. I found this answer: https://stackoverflow.com/a/19985323/7206367, which gives a possible solution intended to allow filter-specific exclusions, but it can also be used to force a URL exclusion override. Below is my adaptation of it to this problem.

The implementation of the supporting classes is below, but all you have to do is add this to the HttpSecurity instead of the custom filter itself:

new DelegateRequestMatchingFilter(SECURITY_EXCLUSION_MATCHER, myCustomFilter);

Supporting code:

import java.io.IOException;
import java.util.LinkedList;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    ...

    private static final RequestMatcher SECURITY_EXCLUSION_MATCHER;
    static {
        String[] urls = new String[] {
                "/login",
                "/refreshToken",
                "/health",
                "/ping"
        };

        //Build Matcher List
        LinkedList<RequestMatcher> matcherList = new LinkedList<>();
        for (String url : urls) {
            matcherList.add(new AntPathRequestMatcher(url));
        }

        //Link Matchers in "OR" config.
        SECURITY_EXCLUSION_MATCHER = new OrRequestMatcher(matcherList);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().requestMatchers(SECURITY_EXCLUSION_MATCHER);
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests()
                .requestMatchers(SECURITY_EXCLUSION_MATCHER).permitAll();
    }

    ...

    /**
     * Since the "web.ignoring()..." is not stopping the Custom Filter from acting on the ignored urls,
     * this delegation class will force a check on the Security Exclusion list before allowing the
     * Custom Filter to process anything. 
     */
    public static class DelegateRequestMatchingFilter implements Filter {
        private Filter delegate;
        private RequestMatcher ignoredRequests;

        public DelegateRequestMatchingFilter(RequestMatcher matcher, Filter delegate) {
            this.ignoredRequests = matcher;
            this.delegate = delegate;
        }

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            if(ignoredRequests.matches(request)) {
                chain.doFilter(req,resp);
            } else {
                delegate.doFilter(req,resp,chain);
            }
        }

        public void init(FilterConfig filterConfig) throws ServletException {
            delegate.init(filterConfig);
        }

        public void destroy() {
            delegate.destroy();
        }
    }
}

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * <p>
 * This matcher will return all matches which match <code>baselineMatches</code>, if
 * and only if, those matches are not matched by <code>ignoreMatches</code>.
 * </p>
 * 
 * <p>
 * This matcher first checks <code>ignoreMatches</code>. If a given request is found
 * as a match to <code>ignoreMatches</code>, this matcher will return false (not a match).
 * If a given request does not match <code>ignoreMatches</code>, then this matcher returns
 * whether or not that request matches <code>baselineMatches</code>.
 * </p>
 * 
 * Effectively:<br>
 * <code>
 * if (ignoreMatches.matches(request)) {
 *      return false;
 * } else {
 *      return baselineMatches.matches(request);
 * }
 * </code>
 * @param baselineMatches Matcher used to determine a request match.
 * @param ignoreMatches Matcher used to exclude matches from the baselineMatcher.
 */
public class AExceptBRequestMatcher implements RequestMatcher {
    private RequestMatcher baselineMatches;
    private RequestMatcher ignoreMatches;

    public AExceptBRequestMatcher(String baselineMatches, RequestMatcher ignoreMatches) {
        this(new AntPathRequestMatcher(baselineMatches), ignoreMatches);
    }

    public AExceptBRequestMatcher(RequestMatcher baselineMatches, RequestMatcher ignoreMatches) {
        this.baselineMatches = baselineMatches;
        this.ignoreMatches = ignoreMatches;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        if (ignoreMatches.matches(request)) {
            return false;
        } else {
            return baselineMatches.matches(request);
        }
    }
}

Then, in the filter's constructors, call the following (the `super` calls are the `String` and `RequestMatcher` constructors of `AbstractAuthenticationProcessingFilter`):

public MyCustomFilter() {
    super("/**");
}
public MyCustomFilter(RequestMatcher excludeMatcher) {
    super(new AExceptBRequestMatcher("/**", excludeMatcher));
}
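One detail the answer does not spell out is why a filter added with `http.addFilterAfter(...)` can keep running for URLs that `web.ignoring()` removed from the security chain: in Spring Boot, any `Filter` exposed as a `@Bean` is also registered with the servlet container, and that container-level registration runs outside Spring Security entirely, so no `ignoring()` or `permitAll()` rule can stop it. The following is an added example, not the answer's own code, showing how to wire the answer's `DelegateRequestMatchingFilter` and `AExceptBRequestMatcher` so that the custom filter exists in exactly one place, the Spring Security chain, and how to keep the excluded URLs inside the chain with `permitAll()` instead of an empty chain. It assumes Spring Boot 2.x with `WebSecurityConfigurerAdapter`, that `MyCustomFilter` (the answer's hypothetical name) extends `AbstractAuthenticationProcessingFilter` and therefore needs an `AuthenticationManager`, and that `DelegateRequestMatchingFilter` is the static nested class from the answer's `WebSecurityConfig`.

```java
// Added example (not the answer's own code). Assumes Spring Boot 2.x,
// WebSecurityConfigurerAdapter, a MyCustomFilter that extends
// AbstractAuthenticationProcessingFilter, and the answer's
// WebSecurityConfig.DelegateRequestMatchingFilter.
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class ExclusionSecurityConfig extends WebSecurityConfigurerAdapter {

    // URLs the custom authentication filter must never touch.
    private static final RequestMatcher SECURITY_EXCLUSION_MATCHER = new OrRequestMatcher(
            new AntPathRequestMatcher("/health"),
            new AntPathRequestMatcher("/ping"));

    // Declared as a bean so it can be autowired and managed. Spring Boot will
    // also register every Filter bean with the servlet container, which is a
    // second, unrelated invocation path that bypasses the security chain.
    @Bean
    public MyCustomFilter myCustomFilter() throws Exception {
        MyCustomFilter filter = new MyCustomFilter(SECURITY_EXCLUSION_MATCHER);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    // Switch off the container registration so the only copy of the filter
    // that runs is the one placed into the Spring Security chain below.
    @Bean
    public FilterRegistrationBean<MyCustomFilter> myCustomFilterRegistration(MyCustomFilter filter) {
        FilterRegistrationBean<MyCustomFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // permitAll() instead of web.ignoring(): the excluded URLs stay in
                // the chain, so the SecurityContext, header-writer and CSRF filters
                // still run, while the wrapper below keeps the custom filter off them.
                .requestMatchers(SECURITY_EXCLUSION_MATCHER).permitAll()
                .antMatchers("/api/**").authenticated()
                .and()
            .addFilterAfter(
                new WebSecurityConfig.DelegateRequestMatchingFilter(
                        SECURITY_EXCLUSION_MATCHER, myCustomFilter()),
                BasicAuthenticationFilter.class);
    }
}
```

With this wiring, a request to `/health` is matched by the chain, `permitAll()` grants anonymous access, and `DelegateRequestMatchingFilter` passes it straight down the chain without invoking `MyCustomFilter`; `/api/**` requests go through the delegate and must authenticate. If the filter still fires for `/health` after this change, the remaining candidates are a `web.xml`/`@WebFilter` registration or another `FilterRegistrationBean` for the same class.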