springboot解决http host头攻击漏洞和X-Frame-Options
原文链接:https://blog.csdn.net/qq_37050372/article/details/123791576
https://blog.csdn.net/weixin_38972910/article/details/119755739
1.增加过滤器类进行host白名单过滤
package com.dg.sys.filter;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
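/**
 * Mitigates HTTP Host header attacks: a request is let through only when its
 * server name is on the allow-list configured as {@code allowed.servernames}
 * (comma-separated host names, no port or scheme; {@code 127.0.0.1,localhost}
 * for local development). Anything else is answered with 403 before the rest
 * of the filter chain runs.
 * <p>
 * NOTE(review): {@code getServerName()} is derived from the {@code Host}
 * header, but when forwarded-header handling is enabled (Tomcat
 * RemoteIpValve/RemoteIpFilter, {@code server.forward-headers-strategy})
 * it may come from {@code X-Forwarded-Host} instead. Behind a reverse proxy,
 * make sure the proxy overwrites client-supplied forwarded headers rather
 * than passing them through, otherwise this check can be bypassed — confirm
 * this for your deployment.
 *
 * @author liufr
 */
@Component
public class HostFilter implements Filter {

    /** Comma-separated allow-list, injected from {@code allowed.servernames}. */
    @Value("${allowed.servernames}")
    private String ALLOWED_SERVERNAMES;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to set up: the allow-list comes from the injected property.
    }

    /**
     * Passes the request down the chain only when its server name is
     * allow-listed; otherwise commits a 403 and stops.
     * <p>
     * Fails closed: an empty server name is rejected as well (the previous
     * version let such requests through untouched). NOTE(review): servlet
     * containers are expected to fill in a server name even for requests
     * without a {@code Host} header, so this should not affect legitimate
     * traffic — verify against the container in use.
     *
     * @throws IOException      from the downstream chain or when flushing the 403
     * @throws ServletException from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // getServerName() has the port stripped, so compare against bare host names.
        String serverName = request.getServerName();
        if (!isEmpty(serverName) && isAllowedServerName(serverName)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Keep a trace of rejected values: useful for spotting Host-spoofing attempts.
        System.out.println("[serverName deny access tips]->" + serverName);
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        // Commit the response so nothing downstream can change the status.
        response.flushBuffer();
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Checks whether {@code serverName} matches an allow-list entry.
     * Entries are trimmed (so {@code "a, b"} works) and compared
     * case-insensitively, since DNS host names are case-insensitive; empty
     * entries (e.g. a trailing comma) never match.
     */
    private boolean isAllowedServerName(String serverName) {
        for (String entry : ALLOWED_SERVERNAMES.split(",")) {
            String host = entry.trim();
            if (!host.isEmpty() && host.equalsIgnoreCase(serverName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} when {@code str} is {@code null} or the empty string.
     */
    public boolean isEmpty(Object str) {
        return str == null || "".equals(str);
    }
}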
2.增加配置类定义过滤器顺序
注意:host白名单过滤必须排在所有过滤器的最前面。原因不只是扫描器(如绿盟)的判定:任何在它之前执行的过滤器只要使用了Host头(例如生成重定向地址或绝对URL),就已经使用了未经校验的值,漏洞依然存在。另外,setOrder(1)并不能保证排在最前:Spring Boot自带的部分过滤器(以及引入Spring Security时的过滤器链)默认使用负数甚至最高优先级的order,会排在1之前,建议使用Ordered.HIGHEST_PRECEDENCE。
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
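/**
 * Registers the application's servlet filters explicitly so their relative
 * order is deterministic: the Host allow-list filter first, then
 * {@code MainFilter}.
 * <p>
 * The host filter is given {@link Ordered#HIGHEST_PRECEDENCE} rather than a
 * plain {@code 1}: an order of 1 still runs after every filter with a
 * negative order (Spring Boot's own filters and, where present, the Spring
 * Security filter chain typically use such orders), and any of those could
 * act on an unvalidated {@code Host} header — e.g. when building a redirect —
 * before the check has run.
 */
@Configuration
public class FilterConfig {

    /** Application's main filter; runs after the host check. */
    @Autowired
    MainFilter mainFilter;

    /** HTTP Host header allow-list filter. */
    @Autowired
    HostFilter hostFilter;

    /**
     * Registers {@link HostFilter} on every URL with the highest possible
     * precedence so no other filter sees a request before the host check.
     * The registration bean is kept raw on purpose: it is only generic from
     * Spring Boot 2.0, and the imports above target the 1.x embedded-container
     * packages.
     */
    @Bean
    public FilterRegistrationBean hostfilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(hostFilter);
        registration.addUrlPatterns("/*");
        registration.setName("hostFilter");
        // Lower value == earlier; this is the lowest value there is.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    /**
     * Registers {@link MainFilter} on every URL, ordered after the host filter.
     */
    @Bean
    public FilterRegistrationBean mainfilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(mainFilter);
        registration.addUrlPatterns("/*");
        registration.setName("mainFilter");
        // Any value above the host filter's order keeps it after the host check.
        registration.setOrder(2);
        return registration;
    }
}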
3.配置文件增加配置allowed.servernames(多个用英文逗号分隔;填写主机名或IP,不含端口和协议,因为getServerName()返回的值不包含端口;生产环境必须填写实际对外访问的域名,否则正常请求也会被返回403)
allowed.servernames=127.0.0.1,localhost
背景:
安全团队扫描发现安全漏洞,需要新增响应头 X-Frame-Options 以防止点击劫持(clickjacking,即页面被第三方站点通过iframe嵌入)。SAMEORIGIN表示仅允许同源页面嵌入;若业务完全不需要被嵌入,可使用更严格的DENY。
springboot配置全局响应头,直接新建该类即可:
package com.app.healthyCheck.Config;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
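/**
 * Adds {@code X-Frame-Options: SAMEORIGIN} to every response so the pages can
 * only be framed by documents from the same origin (clickjacking defence).
 * <p>
 * The header is set before the chain runs because the response may already be
 * committed by the time it returns. It is only set when no component earlier
 * in the chain has emitted one, so an existing, possibly stricter, value
 * (e.g. {@code DENY}, which Spring Security emits by default when present)
 * is neither weakened nor duplicated; the previous {@code addHeader} call
 * would have appended a second value next to it.
 * <p>
 * NOTE(review): {@code X-Frame-Options} is superseded by the CSP
 * {@code frame-ancestors} directive; consider emitting both where modern
 * browsers are the target.
 */
@Component
public class AddResponseHeaderFilter extends OncePerRequestFilter {

    private static final String X_FRAME_OPTIONS = "X-Frame-Options";

    /**
     * Sets the anti-framing header (if absent) and continues the chain.
     *
     * @throws ServletException from the downstream chain
     * @throws IOException      from the downstream chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            FilterChain filterChain) throws ServletException, IOException {
        if (!httpServletResponse.containsHeader(X_FRAME_OPTIONS)) {
            httpServletResponse.setHeader(X_FRAME_OPTIONS, "SAMEORIGIN");
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }
}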