我对Spring Boot有意见。我试图阻止一个特定的端点 /users/name/
但是当我在httpsecurity上配置它时,我仍然可以调用端点。我需要阻止这个特定的端点下面是我的代码。
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AuthConfigClass extends
WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**").authorizeRequests().antMatchers("/users/name/").permitAll()
.anyRequest().authenticated().and().httpBasic();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
{
auth.inMemoryAuthentication().withUser("admin")
.password("{noop}password").roles("USER");
}
}
这是控制器。请注意,这个应用程序的目的是使它容易受到攻击,如owasp顶级api,所以不要担心安全问题,请强硬我接受建议。
@Api(value="Users Endpoint and maintenance only for prvileged users")
@RequestMapping("/users")
public class RestControllerMain {
private final UserRespository userRespository;
@Autowired
public RestControllerMain(UserRespository userRespository) {
this.userRespository = userRespository;
}
//Excessive Data Exposure OWASP TOP 10
@RequestMapping(value="/", method=RequestMethod.GET)
public Iterable<User> getAllUsers() {
return userRespository.findAll();
}
@RequestMapping(value="/", method=RequestMethod.POST)
public void UserInsert(@RequestBody User user) {
userRespository.save(user);
}
//null pointer exception and SQL injection OWASP TOP 10 API.
@RequestMapping(value="/name/{user}", method=RequestMethod.GET)
public String mainUser(@PathVariable ("user")String username) {
if(!username.matches("/[\\t\\r\\n]|(--[^\\r\\n]*)|(\\/\\*[\\w\\W]*?(?=\\*)\\*\\/)/gi\n" )) {
return "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘‘VALUE’’.";
}
return "SQL Injection not found";
}
//XSS Also in the OWASP TOP API.
@RequestMapping(value="/search", method=RequestMethod.GET)
public String getMeUSer(@RequestBody User user) {
return "Nice to meet you" + user.getName();
}
// OWASP TOP 10 API. Broken Object Level
@RequestMapping(value="/{id}")
public Optional<User> getUserById(@PathVariable Long id) {
return userRespository.findById(id);
}
}
请帮我弄清楚,我是按照一个教程来的。
1条答案
按热度按时间ftf50wuq1#
据我所知,您需要对“users/name/{user}”端点进行身份验证,但您的配置状态是
但它应该是
其中“**”表示任何匹配模式。但是如果您想在检查特权之后授予访问权,如您在控制器的描述中所述,您应该配置spring的授权并添加
在服务或控制器方法之前,它将阻止任何没有这些角色的用户。