val*_*tis 21 java logging spring exception-handling spring-security
我看到一吨的RequestRejectedException条目在我的Tomcat日志(样品粘贴下面).几个月前,经过次要版本升级(Spring Security 4.2.4,IIRC)之后,这些内容开始出现在我的日志文件中,所以这显然是Spring中默认启用的新安全功能.这里报告了类似的问题,但我的问题具体涉及如何在控制器中拦截这些异常.针对此问题记录了一个Spring Security错误(提供一种处理RequestRejectedException的方法).但是,在Spring 5.1之前,它们并未针对此问题进行修复.
我想获得对此功能的一些控制,以便:
500 Internal Server Error(这是非常不正确的,这应该是a 400 Bad Request).我想找到一种方法来记录所请求的URL,但也要专门针对这些异常禁止堆栈跟踪,因为它们会在不给我任何有用信息的情况下污染我的日志文件.最理想的情况是,我想拦截这些异常并在我的应用程序层中处理它们,而不是在Tomcat日志中报告它们.
例如,这是我每天出现的数千个日志条目之一catalina.out:
Aug 10, 2018 2:01:36 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [dispatcher] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
我在两天内看到了超过3,200个,并且它很快成为我的catalina.out日志文件的最大贡献者,以至于它阻止我看到其他合法的问题.从本质上讲,这个新的Spring Security功能是内置拒绝服务的一种形式,自4月以来浪费了我几个小时的时间.我并不是说这不是一个重要的功能,只是默认的实现是完全拙劣的,我希望找到一种方法来获得对它的控制,无论是作为开发人员还是作为系统管理员.
我使用自定义错误控制器来拦截IOExceptionSpring中的许多其他异常类型(包括).然而,RequestRejectedException由于某种原因,似乎正在崩溃.
这是我的相关部分ErrorController.java,用于了解我正在努力实现的目标:
@ControllerAdvice
public final class ErrorController
{
/**
* Logger.
*/
private static final Logger LOGGER = Logger.getLogger(ErrorController.class.getName());
/**
* Generates an Error page by intercepting exceptions generated from HttpFirewall.
*
* @param ex A RequestRejectedException exception.
* @return The tile definition name for the page.
*/
@ExceptionHandler(RequestRejectedException.class)
@ResponseStatus(HttpStatus.BAD_REQUEST)
public String handleRequestRejectedException(final HttpServletRequest request, final RequestRejectedException ex)
{
if (LOGGER.isLoggable(Level.INFO))
{
LOGGER.log(Level.INFO, "Request Rejected", ex);
}
LOGGER.log(Level.WARNING, "Rejected request for [" + request.getRequestURL().toString() + "]. Reason: " + ex.getMessage());
return "errorPage";
}
/**
* Generates a Server Error page.
*
* @param ex An exception.
* @return The tile definition name for the page.
*/
@ExceptionHandler(Exception.class)
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
public String handleException(final Exception ex)
{
if (LOGGER.isLoggable(Level.SEVERE))
{
LOGGER.log(Level.SEVERE, "Server Error", ex);
}
return "errorPage";
}
}
此错误控制器适用于许多例外.例如,它成功拦截了这个IllegalStateException:
Aug 05, 2018 7:50:30 AM com.mycompany.spring.controller.ErrorController handleException
SEVERE: Server Error
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2999)
...
但是,这不是拦截RequestRejectedException(如上面第一个日志示例中缺少"服务器错误"所示).
如何RequestRejectedException在错误控制器中拦截?
lan*_*wen 23
它也可以通过简单的过滤器处理,这将导致404错误响应
@Component
@Slf4j
@Order(Ordered.HIGHEST_PRECEDENCE)
public class LogAndSuppressRequestRejectedExceptionFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
try {
chain.doFilter(req, res);
} catch (RequestRejectedException e) {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
log
.warn(
"request_rejected: remote={}, user_agent={}, request_url={}",
request.getRemoteHost(),
request.getHeader(HttpHeaders.USER_AGENT),
request.getRequestURL(),
e
);
response.sendError(HttpServletResponse.SC_NOT_FOUND);
}
}
}
Ahm*_*yed 16
对于 Spring 安全版本5.4及更高版本,您可以简单地创建一个RequestRejectedHandler将注入 Spring 安全过滤器链的类型的 bean
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
@Bean
RequestRejectedHandler requestRejectedHandler() {
// sends an error response with a configurable status code (default is 400 BAD_REQUEST)
// we can pass a different value in the constructor
return new HttpStatusRequestRejectedHandler();
}
我实现了StrictHttpFirewall将日志请求信息的子类实现到控制台,并使用抑制的堆栈跟踪抛出新的异常.这部分解决了我的问题(至少我现在可以看到错误的请求).
如果您只是想在没有堆栈跟踪的情况下查看被拒绝的请求,那么这就是您正在寻找的答案.
如果要在控制器中处理这些异常,请参阅已接受的答案以获得完整(但稍微复杂一点)的解决方案.
LoggingHttpFirewall.java
此类扩展StrictHttpFirewall以捕获RequestRejectedException并抛出来自请求的元数据和抑制的堆栈跟踪的新异常.
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;
/**
* Overrides the StrictHttpFirewall to log some useful information about blocked requests.
*/
public final class LoggingHttpFirewall extends StrictHttpFirewall
{
/**
* Logger.
*/
private static final Logger LOGGER = Logger.getLogger(LoggingHttpFirewall.class.getName());
/**
* Default constructor.
*/
public LoggingHttpFirewall()
{
super();
return;
}
/**
* Provides the request object which will be passed through the filter chain.
*
* @returns A FirewalledRequest (required by the HttpFirewall interface) which
* inconveniently breaks the general contract of ServletFilter because
* we can't upcast this to an HttpServletRequest. This prevents us
* from re-wrapping this using an HttpServletRequestWrapper.
* @throws RequestRejectedException if the request should be rejected immediately.
*/
@Override
public FirewalledRequest getFirewalledRequest(final HttpServletRequest request) throws RequestRejectedException
{
try
{
return super.getFirewalledRequest(request);
} catch (RequestRejectedException ex) {
if (LOGGER.isLoggable(Level.WARNING))
{
LOGGER.log(Level.WARNING, "Intercepted RequestBlockedException: Remote Host: " + request.getRemoteHost() + " User Agent: " + request.getHeader("User-Agent") + " Request URL: " + request.getRequestURL().toString());
}
// Wrap in a new RequestRejectedException with request metadata and a shallower stack trace.
throw new RequestRejectedException(ex.getMessage() + ".\n Remote Host: " + request.getRemoteHost() + "\n User Agent: " + request.getHeader("User-Agent") + "\n Request URL: " + request.getRequestURL().toString())
{
private static final long serialVersionUID = 1L;
@Override
public synchronized Throwable fillInStackTrace()
{
return this; // suppress the stack trace.
}
};
}
}
/**
* Provides the response which will be passed through the filter chain.
* This method isn't extensible because the request may already be committed.
* Furthermore, this is only invoked for requests that were not blocked, so we can't
* control the status or response for blocked requests here.
*
* @param response The original HttpServletResponse.
* @return the original response or a replacement/wrapper.
*/
@Override
public HttpServletResponse getFirewalledResponse(final HttpServletResponse response)
{
// Note: The FirewalledResponse class is not accessible outside the package.
return super.getFirewalledResponse(response);
}
}
WebSecurityConfig.java
在WebSecurityConfig,将HTTP防火墙设置为LoggingHttpFirewall.
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
/**
* Default constructor.
*/
public WebSecurityConfig()
{
super();
return;
}
@Override
public final void configure(final WebSecurity web) throws Exception
{
super.configure(web);
web.httpFirewall(new LoggingHttpFirewall()); // Set the custom firewall.
return;
}
}
结果
在将此解决方案部署到生产环境后,我很快发现默认行为StrictHttpFirewall是阻止Google索引我的网站!
Aug 13, 2018 1:48:56 PM com.mycompany.spring.security.AnnotatingHttpFirewall getFirewalledRequest
WARNING: Intercepted RequestBlockedException: Remote Host: 66.249.64.223 User Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Request URL: https://www.mycompany.com/10.1601/tx.3784;jsessionid=692804549F9AB55F45DBD0AFE2A97FFD
我一发现这一点,就迅速部署了一个新版本(包括在我的另一个答案中),它寻找;jsessionid=并允许这些请求通过.可能还有其他请求也应该通过,现在我有办法检测这些请求.
事实证明,尽管HttpFirewall其中StrictHttpFirewall包含一些设计错误(在下面的代码中进行了记录),但是几乎无法逃避Spring Security的One True Firewall并HttpFirewall通过request属性将信息HandlerInterceptor传递到,该属性可以将这些标记的请求传递给真实的(持久性)防火墙,而不会牺牲最初标记它们的原始业务逻辑。这里记录的方法应该相当面向未来,因为它符合来自HttpFirewall接口的简单协定,其余的只是核心Spring Framework和Java Servlet API。
从本质上讲,这是我先前回答的更复杂但更完整的选择。在此答案中,我实现了一个新的子类,StrictHttpFirewall该子类在特定的日志记录级别拦截并记录被拒绝的请求,而且还向HTTP请求添加了一个属性,将该属性标记为供下游过滤器(或控制器)处理。同样,这AnnotatingHttpFirewall提供了一种inspect()方法,该方法允许子类添加用于阻止请求的自定义规则。
该解决方案分为两部分:(1)Spring Security和(2)Spring Framework(Core),因为这首先是导致此问题的原因,并且说明了如何解决该问题。
作为参考,已在Spring 4.3.17和Spring Security 4.2.6上进行了测试。Spring 5.1发布时可能会有重大变化。
第1部分:Spring安全性
这是在Spring Security中执行日志记录和标记的解决方案的一半。
AnnotatingHttpFirewall.java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;
/**
* Overrides the StrictHttpFirewall to log some useful information about blocked requests.
*/
public class AnnotatingHttpFirewall extends StrictHttpFirewall
{
/**
* The name of the HTTP header representing a request that has been rejected by this firewall.
*/
public static final String HTTP_HEADER_REQUEST_REJECTED_FLAG = "X-HttpFirewall-RequestRejectedFlag";
/**
* The name of the HTTP header representing the reason a request has been rejected by this firewall.
*/
public static final String HTTP_HEADER_REQUEST_REJECTED_REASON = "X-HttpFirewall-RequestRejectedReason";
/**
* Logger.
*/
private static final Logger LOGGER = Logger.getLogger(AnnotatingHttpFirewall.class.getName());
/**
* Default constructor.
*/
public AnnotatingHttpFirewall()
{
super();
return;
}
/**
* Provides the request object which will be passed through the filter chain.
*
* @param request The original HttpServletRequest.
* @returns A FirewalledRequest (required by the HttpFirewall interface) which
* inconveniently breaks the general contract of ServletFilter because
* we can't upcast this to an HttpServletRequest. This prevents us
* from re-wrapping this using an HttpServletRequestWrapper.
*/
@Override
public FirewalledRequest getFirewalledRequest(final HttpServletRequest request)
{
try
{
this.inspect(request); // Perform any additional checks that the naive "StrictHttpFirewall" misses.
return super.getFirewalledRequest(request);
} catch (RequestRejectedException ex) {
final String requestUrl = request.getRequestURL().toString();
// Override some of the default behavior because some requests are
// legitimate.
if (requestUrl.contains(";jsessionid="))
{
// Do not block non-cookie serialized sessions. Google's crawler does this often.
} else {
// Log anything that is blocked so we can find these in the catalina.out log.
// This will give us any information we need to make
// adjustments to these special cases and see potentially
// malicious activity.
if (LOGGER.isLoggable(Level.WARNING))
{
LOGGER.log(Level.WARNING, "Intercepted RequestBlockedException: Remote Host: " + request.getRemoteHost() + " User Agent: " + request.getHeader("User-Agent") + " Request URL: " + request.getRequestURL().toString());
}
// Mark this request as rejected.
request.setAttribute(HTTP_HEADER_REQUEST_REJECTED, Boolean.TRUE);
request.setAttribute(HTTP_HEADER_REQUEST_REJECTED_REASON, ex.getMessage());
}
// Suppress the RequestBlockedException and pass the request through
// with the additional attribute.
return new FirewalledRequest(request)
{
@Override
public void reset()
{
return;
}
};
}
}
/**
* Provides the response which will be passed through the filter chain.
* This method isn't extensible because the request may already be committed.
* Furthermore, this is only invoked for requests that were not blocked, so we can't
* control the status or response for blocked requests here.
*
* @param response The original HttpServletResponse.
* @return the original response or a replacement/wrapper.
*/
@Override
public HttpServletResponse getFirewalledResponse(final HttpServletResponse response)
{
// Note: The FirewalledResponse class is not accessible outside the package.
return super.getFirewalledResponse(response);
}
/**
* Perform any custom checks on the request.
* This method may be overridden by a subclass in order to supplement or replace these tests.
*
* @param request The original HttpServletRequest.
* @throws RequestRejectedException if the request should be rejected immediately.
*/
public void inspect(final HttpServletRequest request) throws RequestRejectedException
{
final String requestUri = request.getRequestURI(); // path without parameters
// final String requestUrl = request.getRequestURL().toString(); // full path with parameters
if (requestUri.endsWith("/wp-login.php"))
{
throw new RequestRejectedException("The request was rejected because it is a vulnerability scan.");
}
if (requestUri.endsWith(".php"))
{
throw new RequestRejectedException("The request was rejected because it is a likely vulnerability scan.");
}
return; // The request passed all custom tests.
}
}
WebSecurityConfig.java
在中WebSecurityConfig,将HTTP防火墙设置为AnnotatingHttpFirewall。
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
/**
* Default constructor.
*/
public WebSecurityConfig()
{
super();
return;
}
@Override
public final void configure(final WebSecurity web) throws Exception
{
super.configure(web);
web.httpFirewall(new AnnotatingHttpFirewall()); // Set the custom firewall.
return;
}
}
第2部分:Spring框架
可以想象,该解决方案的第二部分可以实现为ServletFilter或HandlerInterceptor。我HandlerInterceptor之所以走a之路,是因为它似乎提供了最大的灵活性,并且可以直接在Spring Framework中工作。
RequestBlockedException.java
此自定义异常可以由错误控制器处理。可以扩展它以添加可与应用程序业务逻辑(例如,持久防火墙)相关的原始请求(甚至是完整请求本身)中可用的任何请求标头,参数或属性。
/**
* A custom exception for situations where a request is blocked or rejected.
*/
public class RequestBlockedException extends RuntimeException
{
private static final long serialVersionUID = 1L;
/**
* The requested URL.
*/
private String requestUrl;
/**
* The remote address of the client making the request.
*/
private String remoteAddress;
/**
* A message or reason for blocking the request.
*/
private String reason;
/**
* The user agent supplied by the client the request.
*/
private String userAgent;
/**
* Creates a new Request Blocked Exception.
*
* @param reqUrl The requested URL.
* @param remoteAddr The remote address of the client making the request.
* @param userAgent The user agent supplied by the client making the request.
* @param message A message or reason for blocking the request.
*/
public RequestBlockedException(final String reqUrl, final String remoteAddr, final String userAgent, final String message)
{
this.requestUrl = reqUrl;
this.remoteAddress = remoteAddr;
this.userAgent = userAgent;
this.reason = message;
return;
}
/**
* Gets the requested URL.
*
* @return A URL.
*/
public String getRequestUrl()
{
return this.requestUrl;
}
/**
* Gets the remote address of the client making the request.
*
* @return A remote address.
*/
public String getRemoteAddress()
{
return this.remoteAddress;
}
/**
* Gets the user agent supplied by the client making the request.
*
* @return A user agent string.
*/
public String getUserAgent()
{
return this.userAgent;
}
/**
* Gets the reason for blocking the request.
*
* @return A message or reason for blocking the request.
*/
public String getReason()
{
return this.reason;
}
}
FirewallInterceptor.java
在Spring Security过滤器运行之后(即,在AnnotatingHttpFirewall标记了应拒绝的请求之后)将调用此拦截器。此拦截器将检测请求上的那些标志(属性),并引发我们的错误控制器可以处理的自定义异常。
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
/**
* Intercepts requests that were flagged as rejected by the firewall.
*/
public final class FirewallInterceptor implements HandlerInterceptor
{
/**
* Default constructor.
*/
public FirewallInterceptor()
{
return;
}
@Override
public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler) throws Exception
{
if (Boolean.TRUE.equals(request.getAttribute(AnnotatingHttpFirewall.HTTP_HEADER_REQUEST_REJECTED)))
{
// Throw a custom exception that can be handled by a custom error controller.
final String reason = (String) request.getAttribute(AnnotatingHttpFirewall.HTTP_HEADER_REQUEST_REJECTED_REASON);
throw new RequestRejectedByFirewallException(request.getRequestURL().toString(), request.getRemoteAddr(), request.getHeader(HttpHeaders.USER_AGENT), reason);
}
return true; // Allow the request to proceed normally.
}
@Override
public void postHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler, final ModelAndView modelAndView) throws Exception
{
return;
}
@Override
public void afterCompletion(final HttpServletRequest request, final HttpServletResponse response, final Object handler, final Exception ex) throws Exception
{
return;
}
}
WebConfig.java
在中WebConfig,将添加FirewallInterceptor到注册表。
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter
{
/**
* Among your other methods in this class, make sure you register
* your Interceptor.
*/
@Override
public void addInterceptors(final InterceptorRegistry registry)
{
// Register firewall interceptor for all URLs in webapp.
registry.addInterceptor(new FirewallInterceptor()).addPathPatterns("/**");
return;
}
}
ErrorController.java
这将专门处理上述自定义异常,并在记录所有相关信息并为自定义应用程序防火墙调用任何特殊的业务逻辑时,为客户端生成一个干净的错误页面。
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.springframework.web.servlet.NoHandlerFoundException;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;
import RequestBlockedException;
@ControllerAdvice
public final class ErrorController
{
/**
* Logger.
*/
private static final Logger LOGGER = Logger.getLogger(ErrorController.class.getName());
/**
* Generates an Error page by intercepting exceptions generated from AnnotatingHttpFirewall.
*
* @param request The original HTTP request.
* @param ex A RequestBlockedException exception.
* @return The tile definition name for the page.
*/
@ExceptionHandler(RequestBlockedException.class)
@ResponseStatus(HttpStatus.BAD_REQUEST)
public String handleRequestBlockedException(final RequestBlockedException ex)
{
if (LOGGER.isLoggable(Level.WARNING))
{
LOGGER.log(Level.WARNING, "Rejected request from " + ex.getRemoteAddress() + " for [" + ex.getRequestUrl() + "]. Reason: " + ex.getReason());
}
// Note: Perform any additional business logic or logging here.
return "errorPage"; // Returns a nice error page with the specified status code.
}
/**
* Generates a Page Not Found page.
*
* @param ex A NoHandlerFound exception.
* @return The tile definition name for the page.
*/
@ExceptionHandler(NoHandlerFoundException.class)
@ResponseStatus(HttpStatus.NOT_FOUND)
public String handleException(final NoHandlerFoundException ex)
{
return "notFoundPage";
}
}
防火墙控制器
具有默认映射并抛出的控制器NoHandlerFoundException。这规避了DispatcherServlet.noHandlerFound中的先有其后的策略,从而使该方法始终可以找到映射,以便FirewallInterceptor.preHandle始终对其进行调用。这使RequestRejectedByFirewallException优先NoHandlerFoundException。
为什么需要这样做:
如所提到的在这里,当NoHandlerFoundException从抛出DispatcherServlet(即,当一个请求的URL不具有相应的映射),也没有办法来处理从上面的防火墙生成的异常(NoHandlerFoundException被调用之前抛出preHandle() ,所以这些请求会)进入404视图(在我的情况下,这不是您想要的行为-您会看到很多“找不到使用URI的HTTP请求的映射...”消息)。这可以通过将特殊标头的检查移到noHandlerFound方法中来解决。不幸的是,如果没有从头开始编写新的Dispatcher Servlet,就无法做到这一点,那么您最好扔掉整个Spring框架。不可能扩展DispatcherServlet由于受保护的方法,私有方法和最终方法的混合使用,并且其属性不可访问(没有getter或setter)。也不能包装该类,因为没有可以实现的通用接口。此类中的默认映射提供了一种优雅的方式来规避所有这些逻辑。
重要警告:下面的RequestMapping将阻止解析静态资源,因为它优先于所有已注册的ResourceHandler。我仍在寻找解决方法,但是一种可能是尝试使用此答案中建议的处理静态资源的方法之一。
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.NoHandlerFoundException;
@Controller
public final class FirewallController
{
/**
* The name of the model attribute (or request parameter for advertisement click tracking) that contains the request URL.
*/
protected static final String REQUEST_URL = "requestUrl";
/**
* The name of the model attribute that contains the request method.
*/
protected static final String REQUEST_METHOD = "requestMethod";
/**
* The name of the model attribute that contains all HTTP headers.
*/
protected static final String REQUEST_HEADERS = "requestHeaders";
/**
* Default constructor.
*/
public FirewallController()
{
return;
}
/**
* Populates the request URL model attribute from the HTTP request.
*
* @param request The HTTP request.
* @return The request URL.
*/
@ModelAttribute(REQUEST_URL)
public final String getRequestURL(final HttpServletRequest request)
{
return request.getRequestURL().toString();
}
/**
* Populates the request method from the HTTP request.
*
* @param request The HTTP request.
* @return The request method (GET, POST, HEAD, etc.).
*/
@ModelAttribute(REQUEST_METHOD)
public final String getRequestMethod(final HttpServletRequest request)
{
return request.getMethod();
}
/**
* Gets all headers from the HTTP request.
*
* @param request The HTTP request.
* @return The request headers.
*/
@ModelAttribute(REQUEST_HEADERS)
public final HttpHeaders getRequestHeaders(final HttpServletRequest request)
{
return FirewallController.headers(request);
}
/**
* A catch-all default mapping that throws a NoHandlerFoundException.
* This will be intercepted by the ErrorController, which allows preHandle to work normally.
*
* @param requestMethod The request method.
* @param requestUrl The request URL.
* @param requestHeaders The request headers.
* @throws NoHandlerFoundException every time this method is invoked.
*/
@RequestMapping(value = "/**") // NOTE: This prevents resolution of static resources. Still looking for a workaround for this.
public void getNotFoundPage(@ModelAttribute(REQUEST_METHOD) final String requestMethod, @ModelAttribute(REQUEST_URL) final String requestUrl, @ModelAttribute(REQUEST_HEADERS) final HttpHeaders requestHeaders) throws NoHandlerFoundException
{
throw new NoHandlerFoundException(requestMethod, requestUrl, requestHeaders);
}
/**
* Gets all headers from a HTTP request.
*
* @param request The HTTP request.
* @return The request headers.
*/
public static HttpHeaders headers(final HttpServletRequest request)
{
final HttpHeaders headers = new HttpHeaders();
for (Enumeration<?> names = request.getHeaderNames(); names.hasMoreElements();)
{
final String headerName = (String) names.nextElement();
for (Enumeration<?> headerValues = request.getHeaders(headerName); headerValues.hasMoreElements();)
{
headers.add(headerName, (String) headerValues.nextElement());
}
}
return headers;
}
}
结果
当这两个部分都起作用时,您将看到记录以下两个警告(第一个警告在Spring Security中,第二个警告在Spring Framework(Core)中ErrorController)。现在,您可以完全控制日志记录,并且可以根据需要调整可扩展的应用程序防火墙。
Sep 12, 2018 10:24:37 AM com.mycompany.spring.security.AnnotatingHttpFirewall getFirewalledRequest
WARNING: Intercepted org.springframework.security.web.firewall.RequestRejectedException: Remote Host: 0:0:0:0:0:0:0:1 User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Request URL: http://localhost:8080/webapp-www-mycompany-com/login.php
Sep 12, 2018 10:24:37 AM com.mycompany.spring.controller.ErrorController handleException
WARNING: Rejected request from 0:0:0:0:0:0:0:1 for [http://localhost:8080/webapp-www-mycompany-com/login.php]. Reason: The request was rejected because it is a likely vulnerability scan.
| 归档时间: |
|
| 查看次数: |
6184 次 |
| 最近记录: |