spring引导未阻止对端点的请求

vx6bjr1n  于 2021-07-22  发布在  Java
关注(0)|答案(1)|浏览(296)

我对Spring Boot有意见。我试图阻止一个特定的端点 /users/name/ 但是当我在httpsecurity上配置它时,我仍然可以调用端点。我需要阻止这个特定的端点下面是我的代码。

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AuthConfigClass extends 
WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception {      
        http.antMatcher("/**").authorizeRequests().antMatchers("/users/name/").permitAll()
        .anyRequest().authenticated().and().httpBasic();
        }
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.inMemoryAuthentication().withUser("admin")
        .password("{noop}password").roles("USER");
    }
}

这是控制器。请注意,这个应用程序的目的是使它容易受到攻击,如owasp顶级api,所以不要担心安全问题,请强硬我接受建议。

@Api(value="Users Endpoint and maintenance only for prvileged users")
@RequestMapping("/users")
public class RestControllerMain {

    private final  UserRespository userRespository;
    @Autowired
    public RestControllerMain(UserRespository userRespository) {
        this.userRespository = userRespository;
    }
    //Excessive Data Exposure OWASP TOP 10 

    @RequestMapping(value="/", method=RequestMethod.GET)
    public Iterable<User> getAllUsers() {
        return userRespository.findAll();
    }

    @RequestMapping(value="/", method=RequestMethod.POST)
    public void UserInsert(@RequestBody User user) {
        userRespository.save(user);
    }
    //null pointer exception and SQL injection OWASP TOP 10 API.
    @RequestMapping(value="/name/{user}", method=RequestMethod.GET)
    public String mainUser(@PathVariable ("user")String username) {
        if(!username.matches("/[\\t\\r\\n]|(--[^\\r\\n]*)|(\\/\\*[\\w\\W]*?(?=\\*)\\*\\/)/gi\n" )) {
        return "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘‘VALUE’’.";
        }
        return "SQL Injection not found";
        }
    //XSS Also in the OWASP TOP API.
    @RequestMapping(value="/search", method=RequestMethod.GET)
    public String getMeUSer(@RequestBody User user) {
    return "Nice to meet you" + user.getName();
    }
    // OWASP TOP 10 API. Broken Object Level
    @RequestMapping(value="/{id}")
    public Optional<User> getUserById(@PathVariable Long id) {  
        return userRespository.findById(id);
    }
}

请帮我弄清楚,我是按照一个教程来的。

ftf50wuq

ftf50wuq1#

据我所知,您需要对“users/name/{user}”端点进行身份验证,但您的配置状态是

.antMatchers("/users/name/")

但它应该是

.antMatchers("/users/name/**")

其中“**”表示任何匹配模式。但是如果您想在检查特权之后授予访问权,如您在控制器的描述中所述,您应该配置spring的授权并添加

@Secured("ROLE_VIEWER, ROLE_ADMIN")

在服务或控制器方法之前,它将阻止任何没有这些角色的用户。

相关问题