A scan by the group security department found that the system has an unauthorized-access issue: interface information can be obtained without being logged in.
The system was modified as follows:
Overall approach: add an interceptor that checks the login state of every request (requests such as login/registration are excluded from the check).
Version one
With the spring-mvc version in the system's pom file left unchanged, configure the requests to exclude from interception in a properties file.
import java.util.Arrays;
import java.util.List;
import java.util.ResourceBundle;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils; // assumed: commons-lang StringUtils, as used by the project
import org.springframework.util.CollectionUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

// StructLogger is the project's own logger; import it from its package
public class LoginStatusInterceptor implements HandlerInterceptor {
    private static final StructLogger logger = StructLogger.getLogger(LoginStatusInterceptor.class);
    // Servlet paths that may be called without a login session, read from CommonResourse.properties
    private static final ResourceBundle res = ResourceBundle.getBundle("CommonResourse");
    private static final List<String> loginStatusIgnore = Arrays.asList(res.getString("loginStatusIgnore").split(","));

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        request.setCharacterEncoding("UTF-8");
        String url = request.getServletPath();
        // logger.info(url);
        if (StringUtils.isNotBlank(url)) {
            // Exclusion is an exact match on the servlet path (no pattern matching)
            if (!CollectionUtils.isEmpty(loginStatusIgnore) && loginStatusIgnore.contains(url)) {
                return true;
            }
            String seqno = (String) request.getSession().getAttribute("seqno");
            if (StringUtils.isBlank(seqno)) {
                logger.info("----------------------interceptor 获取session的seqno为空");
                // Returning false skips the handler; the interceptor must then send the response itself
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return false;
            }
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        // Nothing to do after the handler runs
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        // Nothing to do on completion
    }
}
Add the exclusion list to CommonResourse.properties: configure the request paths to exclude from interception, separating multiple requests with ",".
# Requests exempt from the login-state check
loginStatusIgnore=/ehrlogin.htm,/ehrnologin.htm,/in/modehrpassword.htm,/getvalidcode.htm,/ehrregister.htm
Spring MVC interceptor configuration
<!-- Configure interceptors; multiple interceptors run in order -->
<mvc:interceptors>
    <mvc:interceptor>
        <!-- Matches the URL path; if omitted or set to /**, every Controller is intercepted -->
        <mvc:mapping path="/**"/>
        <bean class="com.intime.hr.interceptor.CSRFInterceptor"></bean>
    </mvc:interceptor>
    <!-- With several interceptors, preHandle is called in order, then postHandle and afterCompletion of each interceptor are called in reverse order -->
    <mvc:interceptor>
        <mvc:mapping path="/**"/>
        <bean class="com.intime.hr.interceptor.LoginStatusInterceptor"></bean>
    </mvc:interceptor>
</mvc:interceptors>
------------------------------------------------------------------------------------------------------------------------------------
Version two
Update the spring-mvc version in the system's pom file to 3.2 or above and exclude the requests with the mvc tag (the exclude-mapping tag is supported from version 3.2).
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils; // assumed: commons-lang StringUtils, as used by the project
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

// StructLogger is the project's own logger; import it from its package
public class LoginStatusInterceptor implements HandlerInterceptor {
    private static final StructLogger logger = StructLogger.getLogger(LoginStatusInterceptor.class);

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        request.setCharacterEncoding("UTF-8");
        String url = request.getServletPath();
        // logger.info(url);
        // Exclusions are declared with <mvc:exclude-mapping> in the XML config, not in code
        if (StringUtils.isNotBlank(url)) {
            String seqno = (String) request.getSession().getAttribute("seqno");
            if (StringUtils.isBlank(seqno)) {
                logger.info("----------------------interceptor 获取session的seqno为空");
                // Returning false skips the handler; the interceptor must then send the response itself
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return false;
            }
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        // Nothing to do after the handler runs
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        // Nothing to do on completion
    }
}
Spring MVC interceptor configuration
<!-- Configure interceptors; multiple interceptors run in order -->
<mvc:interceptors>
    <mvc:interceptor>
        <!-- Matches the URL path; if omitted or set to /**, every Controller is intercepted -->
        <mvc:mapping path="/**"/>
        <bean class="com.intime.hr.interceptor.CSRFInterceptor"></bean>
    </mvc:interceptor>
    <!-- With several interceptors, preHandle is called in order, then postHandle and afterCompletion of each interceptor are called in reverse order -->
    <mvc:interceptor>
        <mvc:mapping path="/**"/>
        <mvc:exclude-mapping path="/ehrlogin.htm"/>
        <mvc:exclude-mapping path="/ehrnologin.htm"/>
        <mvc:exclude-mapping path="/ehrregister.htm"/>
        <bean class="com.intime.hr.interceptor.LoginStatusInterceptor"></bean>
    </mvc:interceptor>
</mvc:interceptors>
Checks after the change:
1. Can interface information still be obtained without logging in?
2. Does the request exclusion take effect?
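The two checks above, turned into a repeatable test against the version-one interceptor (an added example, not part of the original note or the project's code). It assumes spring-test's MockHttpServletRequest/MockHttpServletResponse and CommonResourse.properties are on the test classpath; the path /ehrlist.htm is a constructed stand-in for any protected interface.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

import com.intime.hr.interceptor.LoginStatusInterceptor;

/** Runs the post-change checks against LoginStatusInterceptor without a servlet container. */
public class LoginStatusInterceptorCheck {

    // Build a request whose servlet path is the given .htm path (the interceptor reads getServletPath()).
    private static MockHttpServletRequest requestFor(String path) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path);
        return request;
    }

    private static boolean allowed(LoginStatusInterceptor interceptor, MockHttpServletRequest request) throws Exception {
        // handler is not used by preHandle, so null is sufficient here
        return interceptor.preHandle(request, new MockHttpServletResponse(), null);
    }

    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) throws Exception {
        LoginStatusInterceptor interceptor = new LoginStatusInterceptor();

        // Check 1: a protected interface must be refused when the session carries no seqno.
        // "/ehrlist.htm" is a constructed path, not one from the project.
        check(!allowed(interceptor, requestFor("/ehrlist.htm")), "anonymous request reached a protected interface");

        // A blank seqno must be treated like a missing one.
        MockHttpServletRequest blank = requestFor("/ehrlist.htm");
        blank.getSession().setAttribute("seqno", "   ");
        check(!allowed(interceptor, blank), "blank seqno was accepted as a login");

        // A session with a seqno (constructed value) must pass.
        MockHttpServletRequest loggedIn = requestFor("/ehrlist.htm");
        loggedIn.getSession().setAttribute("seqno", "example-seqno");
        check(allowed(interceptor, loggedIn), "logged-in request was blocked");

        // Check 2: a path listed in loginStatusIgnore must pass with no session at all.
        check(allowed(interceptor, requestFor("/ehrlogin.htm")), "exclusion for /ehrlogin.htm did not take effect");

        System.out.println("all login-status checks passed");
    }
}
```

For version two the exclusions live in the XML config, so check 2 must go through the full MVC configuration (for example MockMvc) rather than calling preHandle directly.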