druid 1.0.16 在 Spring Security 4.0.3 开启 X-Content-Type-Options:nosniff 时, 监控页面直接显示成html代码,并且 /druid/basic.json 会被 CSRF 防御禁止掉

3zwtqj6y  于 2021-11-27  发布在  Java
关注(0)|答案(4)|浏览(379)

Spring Boot 1.3.0 中,使用 Java Config 配置 Druid

MySqlRepositoryConfig.java

@Profile("mysql")
@Configuration
@EnableConfigurationProperties
public class MySqlRepositoryConfig implements RepositoryConfig {

    @Bean(initMethod = "init", destroyMethod = "close")
    @ConfigurationProperties(prefix="datasource.druid")
    @Override
    public DataSource dataSource() {
        return new DruidDataSource();
    }

    @Value("${datasource.druid.allow}")
    private String druidAllowUrl;

    @Value("${datasource.druid.deny}")
    private String druidDenyUrl;

    @Bean
    public ServletRegistrationBean statViewServlet() {
        ServletRegistrationBean reg = new ServletRegistrationBean();
        reg.setServlet(new StatViewServlet());
        reg.addUrlMappings("/druid/*");
        reg.addInitParameter("allow", druidAllowUrl);
        reg.addInitParameter("deny", druidDenyUrl);

        return reg;
    }

    @Bean
    @Override
    public PlatformTransactionManager transactionManager() {
        return new DataSourceTransactionManager(dataSource());
    }
}

application.properties


################### 

# Druid 连接池   #

################### 

# 基本属性 url、user、password

datasource.druid.url=jdbc:mysql://localhost:3306/test
datasource.druid.username=root
datasource.druid.password=root

# 配置初始化大小、最小、最大

datasource.druid.initialSize=1
datasource.druid.minIdle=1
datasource.druid.maxActive=20

# 配置获取连接等待超时的时间,单位是毫秒

datasource.druid.maxWait=5000

# 配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒

datasource.druid.timeBetweenEvictionRunsMillis=60000

# 配置一个连接在池中最小生存的时间,单位是毫秒

datasource.druid.minEvictableIdleTimeMillis=300000
datasource.druid.validationQuery=SELECT 'x'
datasource.druid.testWhileIdle=true
datasource.druid.testOnBorrow=false
datasource.druid.testOnReturn=false

# 如果用Oracle,则把poolPreparedStatements配置为true,mysql可以配置为false。分库分表较多的数据库,建议配置为false。

datasource.druid.poolPreparedStatements=false
datasource.druid.maxPoolPreparedStatementPerConnectionSize=20

# 配置监控统计拦截的filters

datasource.druid.filters=wall,stat
datasource.druid.allow=192.168.1.1/24
datasource.druid.deny=192.168.200.1/24

目前的解决方式

SecurityConfiguration.java

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic()
                    .and()
                .csrf()
                    // /druid/basic.json 请求不做 CSRF 控制
                    .ignoringAntMatchers("/druid/**") 
                    .and()
                .headers()
                    // 关闭 X-Content-Type-Options:nosniff ,使 Druid 页面可以正常显示
                    .contentTypeOptions().disable() 
                    .and();
    }

}
1tuwyuhd

1tuwyuhd1#

StatViewServlet 没有给 html 文件设置 Content-Type,不改代码的话,只能加一个 Filter 去给 /druid/**.html 补上 Content-Type 了

13z8s7eq

13z8s7eq2#

我也是正遇到这种问题

j2cgzkjk

j2cgzkjk3#

  • No description provided.*
vnjpjtjt

vnjpjtjt4#

http pattern="/druid/**" security="none"

相关问题