
Commit 0a50d3a

committed
Add lesson 15
1 parent 59dfcb7 commit 0a50d3a


16 files changed

+342
-0
lines changed

Binary file not shown.
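--- /dev/null
+++ b/<path-not-shown>/.gitignore
@@ -0,0 +1,24 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/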
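--- /dev/null
+++ b/<path-not-shown>/pom.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<groupId>com.segmentfault</groupId>
+<artifactId>spring-boot-lesson-15</artifactId>
+<version>0.0.1-SNAPSHOT</version>
+<packaging>jar</packaging>
+
+<name>spring-boot-lesson-15</name>
+<description>Demo project for Spring Boot</description>
+
+<parent>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-parent</artifactId>
+<version>1.5.6.RELEASE</version>
+<relativePath/> <!-- lookup parent from repository -->
+</parent>
+
+<properties>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+<java.version>1.8</java.version>
+</properties>
+
+<dependencies>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-actuator</artifactId>
+</dependency>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-security</artifactId>
+</dependency>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-thymeleaf</artifactId>
+</dependency>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-web</artifactId>
+</dependency>
+
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-test</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.springframework.security</groupId>
+<artifactId>spring-security-test</artifactId>
+<scope>test</scope>
+</dependency>
+</dependencies>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-maven-plugin</artifactId>
+</plugin>
+</plugins>
+</build>
+
+
+</project>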
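--- /dev/null
+++ b/<path-not-shown>/SpringBootLesson15Application.java
@@ -0,0 +1,14 @@
+package com.segmentfault.springbootlesson15;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class SpringBootLesson15Application {
+
+public static void main(String[] args) {
+SpringApplication.run(SpringBootLesson15Application.class, args);
+}
+
+
+}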
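--- /dev/null
+++ b/<path-not-shown>/SecurityController.java
@@ -0,0 +1,41 @@
+package com.segmentfault.springbootlesson15.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+
+/**
+* 安全 Controller
+*
+* @author <a href="mailto:mercyblitz@gmail.com">Mercy</a>
+* @see
+* @since 2017.08.23
+*/
+@Controller
+public class SecurityController {
+
+@GetMapping("")
+public String index() {
+
+
+return "index";
+}
+
+@GetMapping("/login")
+public String login() {
+return "login";
+}
+
+@GetMapping("/xss")
+public String xss(Model model) {
+
+// JS Code 需要被 Escape
+model.addAttribute("jsCode", "<script>alert('XSS attack')</script>");
+// HTML Code 不需要被 Escape(Unescape)
+model.addAttribute("htmlCode", "<span>Hello,World</span>");
+
+return "xss";
+}
+
+
+}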
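Review bot: The two model attributes in `xss()` are given names and comments (`jsCode` escaped, `htmlCode` "no escape") that describe how the view renders them, but the template is not part of this hunk, so the invariant that makes the unescaped attribute safe — it is a fixed, server-controlled literal — lives only in the reader's head. A comment on the `htmlCode` line such as `// rendered unescaped by the view: must stay a fixed literal, never request-derived` records that contract for whoever next edits this handler. The class Javadoc carries an empty `@see` tag that should be removed, and the `index()` body has two stray blank lines before its `return`.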
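--- /dev/null
+++ b/<path-not-shown>/WebConfiguration.java
@@ -0,0 +1,26 @@
+package com.segmentfault.springbootlesson15.security;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+
+/**
+* TODO
+*
+* @author <a href="mailto:mercyblitz@gmail.com">Mercy</a>
+* @see
+* @since 2017.08.23
+*/
+@Configuration
+public class WebConfiguration extends WebMvcConfigurerAdapter {
+
+@Override
+public void addViewControllers(ViewControllerRegistry registry) {
+
+
+registry.addViewController("/iframe-parent").setViewName("iframe-parent");
+registry.addViewController("/iframe-child.html").setViewName("iframe-child");
+
+}
+
+}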
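Review bot: The class Javadoc is still the placeholder `TODO`; a one-liner such as `/** Registers the view controllers for the X-Frame-Options demo pages (framing parent and framed child). */` would replace it, and the empty `@see` tag should go. The two mappings are inconsistent in form — `/iframe-parent` has no suffix while `/iframe-child.html` carries one — which is presumably deliberate so the framed URL looks like a static page, but nothing says so; a short comment on that line would save the next reader from "fixing" it.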
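--- /dev/null
+++ b/<path-not-shown>/WebSecurityConfiguration.java
@@ -0,0 +1,69 @@
+package com.segmentfault.springbootlesson15.security;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+* TODO
+*
+* @author <a href="mailto:mercyblitz@gmail.com">Mercy</a>
+* @see
+* @since 2017.08.23
+*/
+@Configuration
+public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+
+//CSRF
+http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository()).requireCsrfProtectionMatcher(
+httpServletRequest -> httpServletRequest.getMethod().equals("POST")
+);
+
+// CSP header
+http.headers().contentSecurityPolicy("script-src https://code.jquery.com/");
+
+// X-Frame-Options header
+// 相同域名是允许的
+// http.headers().frameOptions().sameOrigin();
+
+// 实现白名单方式
+http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(new AllowFromStrategy() {
+@Override
+public String getAllowFromValue(HttpServletRequest request) {
+return "xiaomage.com";
+}
+}));
+
+// XSS header
+http.headers().xssProtection().block(false);
+
+
+// 授权
+http.authorizeRequests().anyRequest().fullyAuthenticated()
+.and().
+formLogin().usernameParameter("name") // 用户名参数
+.passwordParameter("pwd") // 密码参数
+.loginProcessingUrl("/loginAction") // 登录 Action 的 URI
+.loginPage("/login") // 登录页面 URI
+.failureForwardUrl("/error") // 登录失败后的页面URI
+.permitAll()
+.and().logout().permitAll();
+
+}
+
+protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+
+auth.inMemoryAuthentication().withUser("xiaomage").password("123456").roles("ADMIN")
+.and().withUser("刘德华").password("123456").roles("USER");
+
+}
+}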
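Review bot: The `requireCsrfProtectionMatcher` lambda in `configure(HttpSecurity)` replaces Spring Security's default matcher — which demands a token for every method except GET, HEAD, TRACE and OPTIONS — with one that checks only `POST`, so PUT, PATCH and DELETE requests pass the CSRF filter unchecked; dropping that call and keeping `http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository());` restores the default coverage. `getAllowFromValue` returns a bare host (`"xiaomage.com"`) where `ALLOW-FROM` expects a full origin, and current browsers have dropped that directive in favour of a CSP `frame-ancestors` directive, so the whitelist is likely inert in practice and deserves a comment saying it is kept for demonstration. `xssProtection().block(false)` weakens the header from the default `1; mode=block` to filter mode, which is the less safe of the two settings if the header is emitted at all. `configure(AuthenticationManagerBuilder)` lacks `@Override`, and its in-memory users carry plaintext passwords with no `PasswordEncoder` — accepted by the Security 4 line this pom pulls in, but a `// demo-only credentials` comment would make the intent explicit. The class Javadoc is still `TODO` with an empty `@see`.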
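--- /dev/null
+++ b/<path-not-shown>/<properties-file>
@@ -0,0 +1,8 @@
+
+
+security.basic.enabled = false
+
+management.security.enabled = false
+
+spring.thymeleaf.cache = false
+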
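Review bot: `management.security.enabled = false` switches off the actuator's own authentication layer, so whether endpoints such as `/env` and `/heapdump` stay behind a login depends entirely on the application's `WebSecurityConfigurerAdapter`; the `anyRequest().fullyAuthenticated()` rule added elsewhere in this commit presumably covers them, but that is inferred rather than visible here. A comment beside the property, e.g. `# actuator endpoints rely on WebSecurityConfiguration for authentication`, would record that dependency so a later change to the security rules does not silently expose them. `security.basic.enabled = false` likewise removes the auto-configured basic-auth fallback and is only safe because a form-login configuration is supplied; `spring.thymeleaf.cache = false` is a development setting that should not ship in a production profile.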
spring-boot/lesson-15/spring-boot-lesson-15/src/main/resources/static/css/bootstrap.min.css

Lines changed: 1 addition & 0 deletions
