Spring Security 如何在Spring中拦截RequestRejectedException?

q9yhzks0  于 2023-02-04  发布在  Spring
关注(0)|答案(9)|浏览(635)

我在Tomcat日志中看到 * 大量 * RequestRejectedException条目(示例粘贴在下面)。这些开始出现在我的日志文件后,一个次要版本升级(Spring Security 4.2.4,IIRC),所以这显然是Spring中默认启用的一个新的安全特性。一个类似的问题是reported here,但我的问题特别涉及到如何在控制器中拦截这些异常。有一个Spring Security bug记录了这个问题(Provide a way to handle RequestRejectedException)。然而,他们直到Spring 5.1才针对这个问题进行修复。
我理解why these exceptions are being thrown,我不想disable this security feature
我想获得对此功能的一些控制权,以便:
1.我知道我没有阻止合法用户访问我的网站。
1.我可以看到是什么请求触发了这种情况(它们是SQL注入攻击吗?)
1.我可以调整服务器响应。Spring Security防火墙将一个完整的堆栈跟踪转储到Web客户端(信息泄漏),沿着一个500 Internal Server Error(这是非常不正确的,这应该是一个400 Bad Request)。
我想找到一种方法来记录所请求的URL,但也要抑制专门针对这些异常的堆栈跟踪,因为它们污染了我的日志文件,却没有提供任何有用的信息。最理想的情况是,我想拦截这些异常并在应用程序层处理它们,而不是在Tomcat日志中报告它们。
例如,这是我的catalina.out中每天出现的数千条日志条目之一:

Aug 10, 2018 2:01:36 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [dispatcher] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
        at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
        at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

我在两天内看到了3,200多个这样的问题,它很快就成为我的catalina.out日志文件的最大贡献者,以至于它阻止了我看到其他合法的问题。而且从四月份开始它已经浪费了我几个小时的时间,我并不是说它不是一个重要的特性,只是默认的实现完全搞砸了,我想找到一种方法来获得对它的一些控制权,作为开发人员和系统管理员。
我在Spring中使用了一个自定义的错误控制器来拦截许多其他的异常类型(包括IOException),但是RequestRejectedException似乎由于某种原因而失败了。
这是我的ErrorController.java的相关部分,给予我们了解一下我想要完成的任务:

@ControllerAdvice
public final class ErrorController
{
    /**
     * Logger.
     */
    private static final Logger LOGGER = Logger.getLogger(ErrorController.class.getName());

    /**
     * Generates an Error page by intercepting exceptions generated from HttpFirewall.
     *
     * @param ex A RequestRejectedException exception.
     * @return The tile definition name for the page.
     */
    @ExceptionHandler(RequestRejectedException.class)
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    public String handleRequestRejectedException(final HttpServletRequest request, final RequestRejectedException ex)
    {
        if (LOGGER.isLoggable(Level.INFO))
        {
            LOGGER.log(Level.INFO, "Request Rejected", ex);
        }

        LOGGER.log(Level.WARNING, "Rejected request for [" + request.getRequestURL().toString() + "]. Reason: " + ex.getMessage());
        return "errorPage";
    }

    /**
     * Generates a Server Error page.
     *
     * @param ex An exception.
     * @return The tile definition name for the page.
     */
    @ExceptionHandler(Exception.class)
    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
    public String handleException(final Exception ex)
    {
        if (LOGGER.isLoggable(Level.SEVERE))
        {
            LOGGER.log(Level.SEVERE, "Server Error", ex);
        }

        return "errorPage";
    }
}

此错误控制器适用于许多异常。例如,它成功地拦截了以下IllegalStateException

Aug 05, 2018 7:50:30 AM com.mycompany.spring.controller.ErrorController handleException
SEVERE: Server Error
java.lang.IllegalStateException: Cannot create a session after the response has been committed
        at org.apache.catalina.connector.Request.doGetSession(Request.java:2999)
...

但是,这不会拦截RequestRejectedException(如上面第一个日志示例中缺少“Server Error”所示)。
如何在错误控制器中拦截RequestRejectedException

kqlmhetl

kqlmhetl1#

它也可以由一个简单的滤波器处理,这将导致404错误响应

@Component
@Slf4j
@Order(Ordered.HIGHEST_PRECEDENCE)
public class LogAndSuppressRequestRejectedExceptionFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (RequestRejectedException e) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            log
                .warn(
                        "request_rejected: remote={}, user_agent={}, request_url={}",
                        request.getRemoteHost(),  
                        request.getHeader(HttpHeaders.USER_AGENT),
                        request.getRequestURL(), 
                        e
                );

            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}
tkclm6bt

tkclm6bt2#

对于Spring安全性版本5.4和更高版本,您可以简单地创建一个类型为RequestRejectedHandler的bean,该bean将被注入到Spring安全性过滤器链中

import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;

@Bean
RequestRejectedHandler requestRejectedHandler() {
   // sends an error response with a configurable status code (default is 400 BAD_REQUEST)
   // we can pass a different value in the constructor
   return new HttpStatusRequestRejectedHandler();
}
uqxowvwt

uqxowvwt3#

我实现了StrictHttpFirewall的一个子类,它将请求信息记录到控制台,并抛出一个新的异常,并抑制堆栈跟踪,这部分地解决了我的问题(至少我现在可以看到坏的请求)。
如果您只想看到被拒绝的请求而不想看到堆栈跟踪,那么这就是您要寻找的答案。
如果您想在控制器中处理这些异常,请参考accepted answer以获得完整(但稍微复杂一些)的解决方案。

    • 日志记录HttpFirewall. java**

此类扩展StrictHttpFirewall以捕获RequestRejectedException,并引发一个新的异常,其中包含来自请求的元数据和隐藏的堆栈跟踪。

import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Overrides the StrictHttpFirewall to log some useful information about blocked requests.
 */
public final class LoggingHttpFirewall extends StrictHttpFirewall
{
    /**
     * Logger.
     */
    private static final Logger LOGGER = Logger.getLogger(LoggingHttpFirewall.class.getName());

    /**
     * Default constructor.
     */
    public LoggingHttpFirewall()
    {
        super();
        return;
    }

    /**
     * Provides the request object which will be passed through the filter chain.
     *
     * @returns A FirewalledRequest (required by the HttpFirewall interface) which
     *          inconveniently breaks the general contract of ServletFilter because
     *          we can't upcast this to an HttpServletRequest. This prevents us
     *          from re-wrapping this using an HttpServletRequestWrapper.
     * @throws RequestRejectedException if the request should be rejected immediately.
     */
    @Override
    public FirewalledRequest getFirewalledRequest(final HttpServletRequest request) throws RequestRejectedException
    {
        try
        {
            return super.getFirewalledRequest(request);
        } catch (RequestRejectedException ex) {
            if (LOGGER.isLoggable(Level.WARNING))
            {
                LOGGER.log(Level.WARNING, "Intercepted RequestBlockedException: Remote Host: " + request.getRemoteHost() + " User Agent: " + request.getHeader("User-Agent") + " Request URL: " + request.getRequestURL().toString());
            }

            // Wrap in a new RequestRejectedException with request metadata and a shallower stack trace.
            throw new RequestRejectedException(ex.getMessage() + ".\n Remote Host: " + request.getRemoteHost() + "\n User Agent: " + request.getHeader("User-Agent") + "\n Request URL: " + request.getRequestURL().toString())
            {
                private static final long serialVersionUID = 1L;

                @Override
                public synchronized Throwable fillInStackTrace()
                {
                    return this; // suppress the stack trace.
                }
            };
        }
    }

    /**
     * Provides the response which will be passed through the filter chain.
     * This method isn't extensible because the request may already be committed.
     * Furthermore, this is only invoked for requests that were not blocked, so we can't
     * control the status or response for blocked requests here.
     *
     * @param response The original HttpServletResponse.
     * @return the original response or a replacement/wrapper.
     */
    @Override
    public HttpServletResponse getFirewalledResponse(final HttpServletResponse response)
    {
        // Note: The FirewalledResponse class is not accessible outside the package.
        return super.getFirewalledResponse(response);
    }
}
    • 网络安全配置. java**

WebSecurityConfig中,将HTTP防火墙设置为LoggingHttpFirewall

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    /**
     * Default constructor.
     */
    public WebSecurityConfig()
    {
        super();
        return;
    }

    @Override
    public final void configure(final WebSecurity web) throws Exception
    {
        super.configure(web);
        web.httpFirewall(new LoggingHttpFirewall()); // Set the custom firewall.
        return;
    }
}
    • 结果**

在将这个解决方案部署到生产环境中之后,我很快发现StrictHttpFirewall的默认行为是阻止Google索引我的站点!

Aug 13, 2018 1:48:56 PM com.mycompany.spring.security.AnnotatingHttpFirewall getFirewalledRequest
WARNING: Intercepted RequestBlockedException: Remote Host: 66.249.64.223 User Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Request URL: https://www.mycompany.com/10.1601/tx.3784;jsessionid=692804549F9AB55F45DBD0AFE2A97FFD

当我发现这一点时,我很快部署了一个新版本(包含在my other answer中),它查找;jsessionid=并允许这些请求通过,很可能还有其他请求也应该通过,现在我有了检测这些请求的方法。

ffx8fchx

ffx8fchx4#

结果表明,尽管HttpFirewallStrictHttpFirewall包含几个设计错误(记录在下面的代码中),几乎不可能逃脱Spring Security的 * One True Firewall ,并通过request属性将HttpFirewall信息传送到HandlerInterceptorHandlerInterceptor可以将这些标记的请求传递到 * Real (持久的)防火墙,而不牺牲最初标记它们的原始业务逻辑。这里所描述的方法应该是经得起未来考验的,因为它符合来自HttpFirewall接口的简单约定,剩下的就是核心Spring框架和JavaServlet API。
这实际上是my earlier answer的一个更复杂但更完整的替代方案。在这个答案中,我实现了StrictHttpFirewall的一个新子类,它在特定的日志记录级别拦截和记录被拒绝的请求,但也向HTTP请求添加了一个属性,用于标记它以供下游过滤器使用此外,这个AnnotatingHttpFirewall提供了一个inspect()方法,允许子类添加阻塞请求的自定义规则。
此解决方案分为两部分:(1)
Spring Security * 和(2)
Spring Framework(核心)*,因为这是首先导致此问题的分歧,这显示了如何弥合它。
作为参考,这在Spring 4. 3. 17和Spring Security 4. 2. 6上进行了测试。Spring 5. 1发布时可能会有重大变化。

    • 第1部分:Spring Security**

这是在Spring Security中执行日志记录和标记的解决方案的一半。

    • 注解HttpFirewall. java**
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Overrides the StrictHttpFirewall to log some useful information about blocked requests.
 */
public class AnnotatingHttpFirewall extends StrictHttpFirewall
{
    /**
     * The name of the HTTP header representing a request that has been rejected by this firewall.
     */
    public static final String HTTP_HEADER_REQUEST_REJECTED_FLAG = "X-HttpFirewall-RequestRejectedFlag";

    /**
     * The name of the HTTP header representing the reason a request has been rejected by this firewall.
     */
    public static final String HTTP_HEADER_REQUEST_REJECTED_REASON = "X-HttpFirewall-RequestRejectedReason";

    /**
     * Logger.
     */
    private static final Logger LOGGER = Logger.getLogger(AnnotatingHttpFirewall.class.getName());

    /**
     * Default constructor.
     */
    public AnnotatingHttpFirewall()
    {
        super();
        return;
    }

    /**
     * Provides the request object which will be passed through the filter chain.
     *
     * @param request The original HttpServletRequest.
     * @returns A FirewalledRequest (required by the HttpFirewall interface) which
     *          inconveniently breaks the general contract of ServletFilter because
     *          we can't upcast this to an HttpServletRequest. This prevents us
     *          from re-wrapping this using an HttpServletRequestWrapper.
     */
    @Override
    public FirewalledRequest getFirewalledRequest(final HttpServletRequest request)
    {
        try
        {
            this.inspect(request); // Perform any additional checks that the naive "StrictHttpFirewall" misses.
            return super.getFirewalledRequest(request);
        } catch (RequestRejectedException ex) {
            final String requestUrl = request.getRequestURL().toString();

            // Override some of the default behavior because some requests are
            // legitimate.
            if (requestUrl.contains(";jsessionid="))
            {
                // Do not block non-cookie serialized sessions. Google's crawler does this often.
            } else {
                // Log anything that is blocked so we can find these in the catalina.out log.
                // This will give us any information we need to make
                // adjustments to these special cases and see potentially
                // malicious activity.
                if (LOGGER.isLoggable(Level.WARNING))
                {
                    LOGGER.log(Level.WARNING, "Intercepted RequestBlockedException: Remote Host: " + request.getRemoteHost() + " User Agent: " + request.getHeader("User-Agent") + " Request URL: " + request.getRequestURL().toString());
                }

                // Mark this request as rejected.
                request.setAttribute(HTTP_HEADER_REQUEST_REJECTED, Boolean.TRUE);
                request.setAttribute(HTTP_HEADER_REQUEST_REJECTED_REASON, ex.getMessage());
            }

            // Suppress the RequestBlockedException and pass the request through
            // with the additional attribute.
            return new FirewalledRequest(request)
            {
                @Override
                public void reset()
                {
                    return;
                }
            };
        }
    }

    /**
     * Provides the response which will be passed through the filter chain.
     * This method isn't extensible because the request may already be committed.
     * Furthermore, this is only invoked for requests that were not blocked, so we can't
     * control the status or response for blocked requests here.
     *
     * @param response The original HttpServletResponse.
     * @return the original response or a replacement/wrapper.
     */
    @Override
    public HttpServletResponse getFirewalledResponse(final HttpServletResponse response)
    {
        // Note: The FirewalledResponse class is not accessible outside the package.
        return super.getFirewalledResponse(response);
    }

    /**
     * Perform any custom checks on the request.
     * This method may be overridden by a subclass in order to supplement or replace these tests.
     *
     * @param request The original HttpServletRequest.
     * @throws RequestRejectedException if the request should be rejected immediately.
     */
    public void inspect(final HttpServletRequest request) throws RequestRejectedException
    {
        final String requestUri = request.getRequestURI(); // path without parameters
//        final String requestUrl = request.getRequestURL().toString(); // full path with parameters

        if (requestUri.endsWith("/wp-login.php"))
        {
            throw new RequestRejectedException("The request was rejected because it is a vulnerability scan.");
        }

        if (requestUri.endsWith(".php"))
        {
            throw new RequestRejectedException("The request was rejected because it is a likely vulnerability scan.");
        }

        return; // The request passed all custom tests.
    }
}
    • 网络安全配置. java**

WebSecurityConfig中,将HTTP防火墙设置为AnnotatingHttpFirewall

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    /**
     * Default constructor.
     */
    public WebSecurityConfig()
    {
        super();
        return;
    }

    @Override
    public final void configure(final WebSecurity web) throws Exception
    {
        super.configure(web);
        web.httpFirewall(new AnnotatingHttpFirewall()); // Set the custom firewall.
        return;
    }
}
    • 第2部分:Spring框架**

这个解决方案的第二部分可以实现为ServletFilterHandlerInterceptor,我选择HandlerInterceptor,因为它似乎提供了最大的灵活性,并且可以直接在Spring框架中工作。

    • 请求阻塞异常. java**

此自定义异常可由错误控制器处理。这可被扩展以添加可从原始请求(甚至完整请求本身)获得的可能与应用业务逻辑(例如,持久防火墙)相关的任何请求标头、参数或属性。

/**
 * A custom exception for situations where a request is blocked or rejected.
 */
public class RequestBlockedException extends RuntimeException
{
    private static final long serialVersionUID = 1L;

    /**
     * The requested URL.
     */
    private String requestUrl;

    /**
     * The remote address of the client making the request.
     */
    private String remoteAddress;

    /**
     * A message or reason for blocking the request.
     */
    private String reason;

    /**
     * The user agent supplied by the client the request.
     */
    private String userAgent;

    /**
     * Creates a new Request Blocked Exception.
     *
     * @param reqUrl The requested URL.
     * @param remoteAddr The remote address of the client making the request.
     * @param userAgent The user agent supplied by the client making the request.
     * @param message A message or reason for blocking the request.
     */
    public RequestBlockedException(final String reqUrl, final String remoteAddr, final String userAgent, final String message)
    {
        this.requestUrl = reqUrl;
        this.remoteAddress = remoteAddr;
        this.userAgent = userAgent;
        this.reason = message;
        return;
    }

    /**
     * Gets the requested URL.
     *
     * @return A URL.
     */
    public String getRequestUrl()
    {
        return this.requestUrl;
    }

    /**
     * Gets the remote address of the client making the request.
     *
     * @return A remote address.
     */
    public String getRemoteAddress()
    {
        return this.remoteAddress;
    }

    /**
     * Gets the user agent supplied by the client making the request.
     *
     * @return  A user agent string.
     */
    public String getUserAgent()
    {
        return this.userAgent;
    }

    /**
     * Gets the reason for blocking the request.
     *
     * @return  A message or reason for blocking the request.
     */
    public String getReason()
    {
        return this.reason;
    }
}
    • 防火墙拦截器. java**

这个拦截器在Spring Security过滤器运行之后被调用(例如,在AnnotatingHttpFirewall标记了应该被拒绝的请求之后)。这个拦截器检测请求上的那些标记(属性),并引发我们的错误控制器可以处理的自定义异常。

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/**
 * Intercepts requests that were flagged as rejected by the firewall.
 */
public final class FirewallInterceptor implements HandlerInterceptor
{
    /**
     * Default constructor.
     */
    public FirewallInterceptor()
    {
        return;
    }

    @Override
    public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler) throws Exception
    {
        if (Boolean.TRUE.equals(request.getAttribute(AnnotatingHttpFirewall.HTTP_HEADER_REQUEST_REJECTED)))
        {
            // Throw a custom exception that can be handled by a custom error controller.
            final String reason = (String) request.getAttribute(AnnotatingHttpFirewall.HTTP_HEADER_REQUEST_REJECTED_REASON);
            throw new RequestRejectedByFirewallException(request.getRequestURL().toString(), request.getRemoteAddr(), request.getHeader(HttpHeaders.USER_AGENT), reason);
        }

        return true; // Allow the request to proceed normally.
    }

    @Override
    public void postHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler, final ModelAndView modelAndView) throws Exception
    {
        return;
    }

    @Override
    public void afterCompletion(final HttpServletRequest request, final HttpServletResponse response, final Object handler, final Exception ex) throws Exception
    {
        return;
    }
}
    • 网络配置. java**

WebConfig中,将FirewallInterceptor添加到注册表中。

@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter
{
    /**
     * Among your other methods in this class, make sure you register
     * your Interceptor.
     */
    @Override
    public void addInterceptors(final InterceptorRegistry registry)
    {
        // Register firewall interceptor for all URLs in webapp.
        registry.addInterceptor(new FirewallInterceptor()).addPathPatterns("/**");
        return;
    }
}
    • 错误控制器. java**

这专门处理上面的自定义异常,并为客户端生成一个干净的错误页面,同时记录所有相关信息,并为自定义应用程序防火墙调用任何特殊的业务逻辑。

import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.springframework.web.servlet.NoHandlerFoundException;

import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;

import RequestBlockedException;

@ControllerAdvice
public final class ErrorController
{
    /**
     * Logger.
     */
    private static final Logger LOGGER = Logger.getLogger(ErrorController.class.getName());

    /**
     * Generates an Error page by intercepting exceptions generated from AnnotatingHttpFirewall.
     *
     * @param request The original HTTP request.
     * @param ex A RequestBlockedException exception.
     * @return The tile definition name for the page.
     */
    @ExceptionHandler(RequestBlockedException.class)
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    public String handleRequestBlockedException(final RequestBlockedException ex)
    {
        if (LOGGER.isLoggable(Level.WARNING))
        {
            LOGGER.log(Level.WARNING, "Rejected request from " + ex.getRemoteAddress() + " for [" + ex.getRequestUrl() + "]. Reason: " + ex.getReason());
        }

        // Note: Perform any additional business logic or logging here.

        return "errorPage"; // Returns a nice error page with the specified status code.
    }

    /**
     * Generates a Page Not Found page.
     *
     * @param ex A NoHandlerFound exception.
     * @return The tile definition name for the page.
     */
    @ExceptionHandler(NoHandlerFoundException.class)
    @ResponseStatus(HttpStatus.NOT_FOUND)
    public String handleException(final NoHandlerFoundException ex)
    {
        return "notFoundPage";
    }
}
    • 防火墙控制器. java**

一个具有默认Map的控制器,它抛出一个NoHandlerFoundException。这绕过了DispatcherServlet.noHandlerFound中的先有鸡还是先有蛋的策略,允许该方法 * 总是 * 找到一个Map,以便总是调用FirewallInterceptor.preHandle。这使RequestRejectedByFirewallException优先于NoHandlerFoundException
为什么需要这样做:
如前所述,当从DispatcherServlet抛出NoHandlerFoundException时(即,当请求的URL没有对应的Map时),无法处理从上述防火墙生成的异常(在调用preHandle()之前抛出NoHandlerFoundException),所以这些请求会被你的404浏览器拒绝(在我的例子中,这并不是所期望的行为--您将看到许多"找不到带URI的HTTP请求的Map......"消息)。这可以通过将特殊头的检查移到noHandlerFound方法中来解决。不幸的是,如果不从头开始编写一个新的DispatcherServlet,就没有办法做到这一点,然后您还不如扔掉整个Spring框架。由于protected、private和final方法,以及它的属性不可访问(没有getter或setter)的事实。 Package 类也是不可能的,因为没有可以实现的公共接口。该类中的默认Map提供了一种优雅的方式来绕过所有这些逻辑。

    • 重要警告**:下面的RequestMapping将阻止静态资源的解析,因为它优先于所有注册的ResourceHandlers。我仍在寻找解决方法,但一种可能性是尝试this answer中建议的处理静态资源的方法之一。
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.NoHandlerFoundException;

@Controller
public final class FirewallController
{
    /**
     * The name of the model attribute (or request parameter for advertisement click tracking) that contains the request URL.
     */
    protected static final String REQUEST_URL = "requestUrl";

    /**
     * The name of the model attribute that contains the request method.
     */
    protected static final String REQUEST_METHOD = "requestMethod";

    /**
     * The name of the model attribute that contains all HTTP headers.
     */
    protected static final String REQUEST_HEADERS = "requestHeaders";

    /**
     * Default constructor.
     */
    public FirewallController()
    {
        return;
    }

    /**
     * Populates the request URL model attribute from the HTTP request.
     *
     * @param request The HTTP request.
     * @return The request URL.
     */
    @ModelAttribute(REQUEST_URL)
    public final String getRequestURL(final HttpServletRequest request)
    {
        return request.getRequestURL().toString();
    }

    /**
     * Populates the request method from the HTTP request.
     *
     * @param request The HTTP request.
     * @return The request method (GET, POST, HEAD, etc.).
     */
    @ModelAttribute(REQUEST_METHOD)
    public final String getRequestMethod(final HttpServletRequest request)
    {
        return request.getMethod();
    }

    /**
     * Gets all headers from the HTTP request.
     *
     * @param request The HTTP request.
     * @return The request headers.
     */
    @ModelAttribute(REQUEST_HEADERS)
    public final HttpHeaders getRequestHeaders(final HttpServletRequest request)
    {
        return FirewallController.headers(request);
    }

    /**
     * A catch-all default mapping that throws a NoHandlerFoundException.
     * This will be intercepted by the ErrorController, which allows preHandle to work normally.
     *
     * @param requestMethod The request method.
     * @param requestUrl The request URL.
     * @param requestHeaders The request headers.
     * @throws NoHandlerFoundException every time this method is invoked.
     */
    @RequestMapping(value = "/**") // NOTE: This prevents resolution of static resources. Still looking for a workaround for this.
    public void getNotFoundPage(@ModelAttribute(REQUEST_METHOD) final String requestMethod, @ModelAttribute(REQUEST_URL) final String requestUrl, @ModelAttribute(REQUEST_HEADERS) final HttpHeaders requestHeaders) throws NoHandlerFoundException
    {
        throw new NoHandlerFoundException(requestMethod, requestUrl, requestHeaders);
    }

    /**
     * Gets all headers from a HTTP request.
     *
     * @param request The HTTP request.
     * @return The request headers.
     */
    public static HttpHeaders headers(final HttpServletRequest request)
    {
        final HttpHeaders headers = new HttpHeaders();

        for (Enumeration<?> names = request.getHeaderNames(); names.hasMoreElements();)
        {
            final String headerName = (String) names.nextElement();

            for (Enumeration<?> headerValues = request.getHeaders(headerName); headerValues.hasMoreElements();)
            {
                headers.add(headerName, (String) headerValues.nextElement());
            }
        }

        return headers;
    }
}
    • 结果**

当这两个部分都正常工作时,您将看到以下两个警告记录(第一个在Spring Security中,第二个在Spring Framework(Core)ErrorController中)。现在您可以完全控制日志记录,并且可以根据需要调整可扩展的应用程序防火墙。

Sep 12, 2018 10:24:37 AM com.mycompany.spring.security.AnnotatingHttpFirewall getFirewalledRequest
WARNING: Intercepted org.springframework.security.web.firewall.RequestRejectedException: Remote Host: 0:0:0:0:0:0:0:1 User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Request URL: http://localhost:8080/webapp-www-mycompany-com/login.php
Sep 12, 2018 10:24:37 AM com.mycompany.spring.controller.ErrorController handleException
WARNING: Rejected request from 0:0:0:0:0:0:0:1 for [http://localhost:8080/webapp-www-mycompany-com/login.php]. Reason: The request was rejected because it is a likely vulnerability scan.
6ovsh4lw

6ovsh4lw5#

另一种处理方法是使用SpringAOP,我们可以创建一个关于FilterChainProxy.doFilter()方法的通知,该方法捕获HttpFirewall抛出的任何RequestRejectedException(s),并将其转换为400BAD_REQUEST

@Aspect
@Component
public class FilterChainProxyAdvice {

    @Around("execution(public void org.springframework.security.web.FilterChainProxy.doFilter(..))")
    public void handleRequestRejectedException (ProceedingJoinPoint pjp) throws Throwable {
        try {
            pjp.proceed();
        } catch (RequestRejectedException exception) {
            HttpServletResponse response = (HttpServletResponse) pjp.getArgs()[1]);
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
bis0qfac

bis0qfac6#

我在最近的github变更中看到了一些可行的解决方案
如果你注册了RequestRejectedHandler类型的bean,它应该可以工作,或者正如我所看到的,在WebSecurityConfigurerAdapter中也会有一个通过WebSecurity的集成。不幸的是,这个更改可能没有包含在使用依赖管理的2.3.3.RELEASE中。它应该出现在Spring Security Config 5.4.0-M1中。对于依赖管理,它是版本2.4.0-M1。
迟早,遇到这个答案的人应该会在标准版本中看到这个变化。

xoshrz7s

xoshrz7s7#

在springsecurity5.7.6中,我可以使用此代码记录错误并重定向到404页面

@Bean
public RequestRejectedHandler requestRejectedHandler() {
    HttpStatusRequestRejectedHandler rejectedHandler = new HttpStatusRequestRejectedHandler() {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response, RequestRejectedException requestRejectedException) throws IOException {
            log.info(requestRejectedException.getMessage() + " for " + request.getRequestURL());
            response.sendRedirect("/404");
        }
    };
    return rejectedHandler;
}
hrysbysz

hrysbysz8#

一种非常简单的方法是使用web.xml;在文件中指定错误页:

<error-page>
  <exception-type>org.springframework.security.web.firewall.RequestRejectedException</exception-type>
  <location>/request-rejected</location>
</error-page>

对于指定的路径(位置),在@Controller注解的类中添加一个Map:

@RequestMapping(value = "/request-rejected")
@ResponseStatus(HttpStatus.BAD_REQUEST)
public @ResponseBody String handleRequestRejected(
        @RequestAttribute(RequestDispatcher.ERROR_EXCEPTION) RequestRejectedException ex,
        @RequestAttribute(RequestDispatcher.ERROR_REQUEST_URI) String uri) {

    String msg = ex.getMessage();

    // optionally log the message and requested URI (slf4j)
    logger.warn("Request with URI [{}] rejected. {}", uri, msg);

    return msg;
}
v09wglhw

v09wglhw9#

我们的问题是使用spring-security-core(4.2.13.RELEASE)的spring-webmvc(4.3.25.RELEASE)GUI,该问题是由于url字符串包含";jsessionid=D3A0470674704B75756AA10F50AA2CFC",其中一个参数为分号。
错误org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"用于只发生在网页加载第一次导致各种CSS格式的问题,图像没有加载,颜色和字体设置不正确。然而,刷新同一页面或点击任何导航链接后,下一页用于加载罚款与所有CSS实现正确。此外,这个错误RequestRejectedException严重污染了日志。
我们希望处理这个问题,以便在创建新会话时,生成的cookie使用jsessionid处理会话,而不是像第二次那样处理查询字符串。
我的解决方案是通过在https://stackoverflow.com/a/52635656/2915705中实现上面描述的过滤器而得到的,但不是将其发送到会话的错误页面检查并将其重定向到https://stackoverflow.com/a/4019476/2915705中描述的编码URL。在此解决方案之后,我们从未收到RequestRejectedException或CSS问题,即使是新会话或第一次加载页面。
更新后的LogAndSuppressRequestRejectedExceptionFilter如下所示

@Component("logAndSuppressRequestRejectedExceptionFilter")
@Order(Ordered.HIGHEST_PRECEDENCE)
public class LogAndSuppressRequestRejectedExceptionFilter extends GenericFilterBean {
    private static final Logger logger = LoggerFactory.getLogger(LogAndSuppressRequestRejectedExceptionFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            HttpServletRequest httpRequest = (HttpServletRequest) req;
            HttpServletResponse httpResponse = (HttpServletResponse) res;
            HttpSession session = httpRequest.getSession();

            if (session.isNew()) {
                // New session? OK, redirect to encoded URL with jsessionid in it (and
                // implicitly also set cookie).
                logger.debug("New session - redirect to encoded url");
                httpResponse.sendRedirect(httpResponse.encodeRedirectURL(httpRequest.getRequestURI()));
                return;
            } else if (session.getAttribute("verified") == null) {
                // Session has not been verified yet? OK, mark it verified so that we don't need
                // to repeat this.
                logger.debug("Setting session to verified");
                session.setAttribute("verified", true);
                if (httpRequest.isRequestedSessionIdFromCookie()) {
                    // Supports cookies? OK, redirect to unencoded URL to get rid of jsessionid in
                    // URL.
                    logger.debug("redirect to unencoded URL to get rid of jsessionid in url");
                    httpResponse.sendRedirect(httpRequest.getRequestURI().split(";")[0]);
                    return;
                }
            }

            chain.doFilter(req, res);

        } catch (RequestRejectedException ex) {
            HttpServletRequest request = (HttpServletRequest) req;
            logger.warn("request_rejected: remote={}, user_agent={}, request_url={}", request.getRemoteHost(),
                    request.getHeader(HttpHeaders.USER_AGENT), request.getRequestURL(), ex.getMessage());
            return;
        }
    }
}

相关问题