今天接到安全团队的说swagger有未授权访问漏洞,即使在swagger关闭的情况下http://127.0.0.1:8086/agcloud/v2/api-docs?group=用户关联信息模块仍然还能访问。
看了下原来是有写一个拦截器
registry.addInterceptor(loginInterceptor).addPathPatterns("/v2/api-docs"); registry.addInterceptor(loginInterceptor).addPathPatterns("/swagger-ui.html");断点之后发现是有生效的,/swagger-ui.html不能再访问,但是/v2/api-docs路径还是可以访问,确定拦截器有生效,不是拦截器的问题。
查看基于springMVC请求入口找到DispatcherServlet类,找到doDispatch方法
protected void doDispatch(HttpServletRequest request, HttpServletResponse response) throws Exception { ...... try { // HandlerMapping根据请求路径选择对应的handler(controller下的某个方法)来处理当前请求 // 补充下HandlerMapping: // 1. 根据当前请求的找到对应的 Handler, // 2. 将 Handler(执行程序)与一堆 HandlerInterceptor(拦截器)封装到 HandlerExecutionChain 对象中 // 3. DispatcherServlet会从容器中取出所有HandlerMapping实例并遍历,让HandlerMapping实例根据自己实现类的方式去尝试查找Handler mappedHandler = getHandler(processedRequest); ...... // 根据handler来找到支持它的HandlerAdapter,通过HandlerAdapter执行这个最后的代码处理逻辑得到具体的返回结果 HandlerAdapter ha = getHandlerAdapter(mappedHandler.getHandler()); ...... // 拦截器preHandle处理,按顺序执行 if (!mappedHandler.applyPreHandle(processedRequest, response)) { return; } // handlerAdapter实际的执行逻辑 mv = ha.handle(processedRequest, response, mappedHandler.getHandler()); ...... // 拦截器postHandle处理 mappedHandler.applyPostHandle(processedRequest, response, mv); } catch (Throwable err) { ...... } finally { ...... }}在doDispatch方法中,拦截器的preHandle执行逻辑在mappedHandler.applyPreHandle中,接下来我看下这个方法:
boolean applyPreHandle(HttpServletRequest request, HttpServletResponse response) throws Exception { // 遍历handler绑定的所有interceptors,按顺序执行preHanlde方法for (int i = 0; i < this.interceptorList.size(); i++) {HandlerInterceptor interceptor = this.interceptorList.get(i); // 如果preHandle返回false,则触发afterCompletion方法的执行if (!interceptor.preHandle(request, response, this.handler)) {triggerAfterCompletion(request, response, null);return false;}this.interceptorIndex = i;}return true;}debug跟踪到这个方法,发现applyPreHandle方法中this.interceptorList的长度为0,即处理该请求的handler没有绑定任何interceptor。这个时候很容易想到问题可能出现在handlerMapping上,因为handlerMapping负责将handler与一堆 handlerInterceptor(拦截器)封装到 HandlerExecutionChain 对象中
doDispatch中的getHandler方法断点
解决方案:
package com.augurit.swj.config.filter;import org.springframework.beans.factory.annotation.Value;import org.springframework.core.MethodParameter;import org.springframework.http.HttpStatus;import org.springframework.http.MediaType;import org.springframework.http.server.ServerHttpRequest;import org.springframework.http.server.ServerHttpResponse;import org.springframework.web.bind.annotation.RestControllerAdvice;import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;import java.util.Arrays;import java.util.List;@RestControllerAdvicepublic class SwaggerAdvice implements ResponseBodyAdvice { @Value("${agcloud.framework.swagger.enable}") private boolean swaggerEnable; private static final List EXCLUDE_URL = Arrays.asList("/v2/api-docs"); @Override public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) { String url = serverHttpRequest.getURI().getHost() + serverHttpRequest.getURI().getPath(); //增加判断,只有配置文件打开了swagger才能访问 if(swaggerEnable == true){ return o; } if (EXCLUDE_URL.stream().anyMatch(item -> url.contains(item))) { serverHttpResponse.setStatusCode(HttpStatus.FORBIDDEN); return "没有权限"; } return o; } @Override public boolean supports(MethodParameter methodParameter, Class aClass) { return true; }}
来源地址:https://blog.csdn.net/zy_crazy_code/article/details/129360823
