我在我的 Tomcat 日志中看到 大量 RequestRejectedException 条目(示例粘贴在下面)。在几个月前的次要版本升级(Spring Security 4.2.4,IIRC)之后,这些开始出现在我的日志文件中,因此这显然是 Spring 中默认启用的新安全功能。一个类似的问题是 reported here ,但我的问题具体涉及如何在 Controller 中拦截这些异常。有一个针对此问题的 Spring Security 错误记录 (Provide a way to handle RequestRejectedException)。但是,他们直到 Spring 5.1 才针对此问题进行修复。
我了解 why these exceptions are being thrown ,我不想disable this security feature .
我想对该功能进行一些控制,以便:
- 我知道我没有阻止合法用户访问我的网站。
- 我可以看到触发此事件的请求(它们是 SQL 注入(inject)攻击吗?)
- 我可以调整服务器响应。 Spring Security 防火墙将完整的堆栈跟踪转储到 Web 客户端(信息泄露),以及
500 Internal Server Error(这是非常不正确的,这应该是400 Bad Request)。
我想找到一种方法来记录所请求的 URL,同时也抑制专门针对这些异常的堆栈跟踪,因为它们正在污染我的日志文件而没有给我任何有用的信息。最理想的情况是,我想拦截这些异常并在我的应用程序层中处理它们,而不是在 Tomcat 日志中报告它们。
例如,这是我的 catalina.out 中每天出现的数千条日志条目之一:
Aug 10, 2018 2:01:36 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [dispatcher] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
我在两天内看到了 3,200 多个这样的内容,并且它很快成为我的 catalina.out 日志文件的最大贡献者,以至于它让我看不到其他合法问题。从本质上讲,这个新的 Spring Security 特性是一种内置的拒绝服务形式,自 4 月以来它已经浪费了我几个小时的时间。我并不是说它不是一个重要的特性,只是默认实现完全是拙劣的,我想找到一种方法来控制它,无论是作为开发人员还是作为系统管理员。
我使用自定义错误 Controller 来拦截 Spring 中的许多其他异常类型(包括 IOException)。但是,RequestRejectedException 似乎由于某种原因而失败了。
这是我的 ErrorController.java 的相关部分,以了解我要完成的工作:
@ControllerAdvice
public final class ErrorController
{
/**
* Logger.
*/
private static final Logger LOGGER = Logger.getLogger(ErrorController.class.getName());
/**
* Generates an Error page by intercepting exceptions generated from HttpFirewall.
*
* @param ex A RequestRejectedException exception.
* @return The tile definition name for the page.
*/
@ExceptionHandler(RequestRejectedException.class)
@ResponseStatus(HttpStatus.BAD_REQUEST)
public String handleRequestRejectedException(final HttpServletRequest request, final RequestRejectedException ex)
{
if (LOGGER.isLoggable(Level.INFO))
{
LOGGER.log(Level.INFO, "Request Rejected", ex);
}
LOGGER.log(Level.WARNING, "Rejected request for [" + request.getRequestURL().toString() + "]. Reason: " + ex.getMessage());
return "errorPage";
}
/**
* Generates a Server Error page.
*
* @param ex An exception.
* @return The tile definition name for the page.
*/
@ExceptionHandler(Exception.class)
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
public String handleException(final Exception ex)
{
if (LOGGER.isLoggable(Level.SEVERE))
{
LOGGER.log(Level.SEVERE, "Server Error", ex);
}
return "errorPage";
}
}
此错误 Controller 适用于许多异常。比如它成功拦截了这个IllegalStateException:
Aug 05, 2018 7:50:30 AM com.mycompany.spring.controller.ErrorController handleException
SEVERE: Server Error
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2999)
...
但是,这并没有拦截 RequestRejectedException(如上面第一个日志示例中缺少“服务器错误”所示)。
如何在错误 Controller 中拦截 RequestRejectedException?
最佳答案
也可以通过简单的过滤器来处理,会导致404错误响应
@Component
@Slf4j
@Order(Ordered.HIGHEST_PRECEDENCE)
public class LogAndSuppressRequestRejectedExceptionFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
try {
chain.doFilter(req, res);
} catch (RequestRejectedException e) {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
log
.warn(
"request_rejected: remote={}, user_agent={}, request_url={}",
request.getRemoteHost(),
request.getHeader(HttpHeaders.USER_AGENT),
request.getRequestURL(),
e
);
response.sendError(HttpServletResponse.SC_NOT_FOUND);
}
}
}
关于java - 如何在 Spring 中拦截 RequestRejectedException?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51788764/