- 问题:系统扫漏遇到js未授权访问漏洞
- 解决:通过过滤器来处理相关文件。(shiro框架)
系统拿不到session情况下,自己设置了个cookie来做处理。
拿得到session的可直接用户登录信息处理会更方便。
- .properties文件中配置。后期不需要时可直接通过配置处理
filter.logout.enable=true #是否开启
filter.cookie.name=is.login #cookie标志
- *shiro.xml配置修改
<!--<entry key="logout" value-ref="logoutFilter" />-->
<entry key="logout" value-ref="systemLogoutFilter" />
- SystemLogoutFilter继承LogoutFilter:退出重新设置cookie的值
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.springframework.stereotype.Service;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
/**
* @className: SystemLogoutFilter
* @description:
* @author: chenlf
*/
@Service
public class SystemLogoutFilter extends LogoutFilter {
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
//设置登录标志位false
HttpServletResponse res = (HttpServletResponse)response;
if (Global.TRUE.equals(Global.getConfig("filter.logout.enable"))) {
res.addCookie(new Cookie(Global.getConfig("filter.cookie.name"), "false"));
}
return super.preHandle(request, response);
}
}
- 登录成功或失败设置cookie的值
//登陆成功设置登录状态为true
if (Global.TRUE.equals(Global.getConfig("filter.logout.enable"))) {
CookieUtils.setCookie(response, Global.getConfig("filter.cookie.name"), Global.TRUE);
}
// 未设置登录状态为false
if (Global.TRUE.equals(Global.getConfig("filter.logout.enable"))) {
CookieUtils.setCookie(response, Global.getConfig("filter.cookie.name"), Global.FALSE);
}
- js过滤器对相关js进行判断处理
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
/**
* @className: FrontJsFilter
* @description:
* @author: chenlf
*/
public class FrontJsFilter implements Filter {
private static final String URL_END = ".js";
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
String requestURL = req.getRequestURL().toString();
if(Global.TRUE.equals(Global.getConfig("filter.logout.enable"))){
if(requestURL != null && (requestURL.endsWith(URL_END))){
Cookie[] cookies =((HttpServletRequest)request).getCookies();
List<String> cookieNames = new ArrayList<>();
for (Cookie cookie:cookies) {
cookieNames.add(cookie.getName());
//包含登录标志且标志位false
if (cookie.getName().equals(Global.getConfig("filter.cookie.name"))&& Global.FALSE.equals(cookie.getValue())){
res.sendRedirect(req.getContextPath() + Global.getConfig("adminPath") + "/login");
return ;
}
}
//不包含登录标志
if (!cookieNames.contains(Global.getConfig("filter.cookie.name"))) {
res.sendRedirect(req.getContextPath() + "/login");
return ;
}
}
}
try {
chain.doFilter(request, response);
} catch (Exception e) {
e.printStackTrace();
}
}
@Override
public void destroy() {
}
}
web.xml
<filter>
<filter-name>frontJsFilter</filter-name>
<filter-class>com.XXX.filter.FrontJsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>frontJsFilter</filter-name>
<url-pattern>/static/xx/*.js</url-pattern>
</filter-mapping>