李宇
2021-01-14 0653e8d3190a12e3beb06812600a6a82482737c5
修改shiro1.6引起的登录问题
已添加1个文件
186 ■■■■■ 文件已修改
src/main/java/org/apache/shiro/web/filter/InvalidRequestFilter.java 186 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
src/main/java/org/apache/shiro/web/filter/InvalidRequestFilter.java
对比新文件
@@ -0,0 +1,186 @@
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.shiro.web.filter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
/**
 * A request filter that blocks malicious requests. Invalid request will respond with a 400 response code.
 *
 * This filter checks and blocks the request if the following characters are found in the request URI:
 *
 *
 Semicolon - can be disabled by setting {@code blockSemicolon = false}
 *
 Backslash - can be disabled by setting {@code blockBackslash = false}
 *
 Non-ASCII characters - can be disabled by setting {@code blockNonAscii = false}, the ability to disable this check will be removed in future version.
 *
 *
 * @see  class was inspired by Spring Security StrictHttpFirewall
 * @since 1.6
 */
public class InvalidRequestFilter extends AccessControlFilter {
    private static final List<String>  SEMICOLON = Collections.unmodifiableList(Arrays.asList(";", "%3b", "%3B"));
    private static final List<String>  BACKSLASH = Collections.unmodifiableList(Arrays.asList("\\", "%5c", "%5C"));
    private boolean blockSemicolon = true;
    private boolean blockBackslash = true;
    private boolean blockNonAscii = true;
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        String uri = WebUtils.toHttp(request).getRequestURI();
        return !containsSemicolon(request,uri)
                && !containsBackslash(uri)
                && !containsNonAsciiCharacters(uri);
    }
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        String uri = WebUtils.toHttp(request).getRequestURI();
        WebUtils.toHttp(response).sendError(400, "Invalid request");
        return false;
    }
    private String ctx=null;
    private boolean containsSemicolon(ServletRequest request,String uri) {
        if (isBlockSemicolon()) {
            if(ctx == null) {
                ctx = WebUtils.toHttp(request).getContextPath();
            }
            // 登录url拼接的jsessionId进行放行
            if(uri.startsWith(ctx + this.getLoginUrl() + ";jsessionid=") ||
                    uri.startsWith(ctx + this.getLoginUrl() + "%3bjsessionid=") ||
                    uri.startsWith(ctx + this.getLoginUrl() + "%3Bjsessionid=") ||
                    uri.startsWith(ctx + "/javax.faces.resource/mybootstrap.css.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/mybootstrap.css.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/mybootstrap.css.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/default.css.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/default.css.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/default.css.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/components.css.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/components.css.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/components.css.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/jquery/jquery-plugins.js.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/jquery/jquery-plugins.js.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/jquery/jquery-plugins.js.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/jquery/jquery.js.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/jquery/jquery.js.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/jquery/jquery.js.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/core.js.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/core.js.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/core.js.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/extra.js.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/extra.js.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/extra.js.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/resources/images/logo1.png;jsessionid=")||
                    uri.startsWith(ctx + "/resources/images/logo1.png%3bjsessionid=")||
                    uri.startsWith(ctx + "/resources/images/logo1.png%3Bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/components.js.xhtml;jsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/components.js.xhtml%3bjsessionid=")||
                    uri.startsWith(ctx + "/javax.faces.resource/components.js.xhtml%3Bjsessionid=")||
                    uri.startsWith(ctx + "/resources/images/logo.png;jsessionid=")||
                    uri.startsWith(ctx + "/resources/images/logo.png%3bjsessionid=")||
                    uri.startsWith(ctx + "/resources/images/logo.png%3Bjsessionid=")) {
                return false;
            }
            return SEMICOLON.stream().anyMatch(uri::contains);
        }
        return false;
    }
    private boolean containsBackslash(String uri) {
        if (isBlockBackslash()) {
            return BACKSLASH.stream().anyMatch(uri::contains);
        }
        return false;
    }
    private boolean containsNonAsciiCharacters(String uri) {
        if (isBlockNonAscii()) {
            return !containsOnlyPrintableAsciiCharacters(uri);
        }
        return false;
    }
    private static boolean containsOnlyPrintableAsciiCharacters(String uri) {
        int length = uri.length();
        for (int i = 0; i < length; i++) {
            char c = uri.charAt(i);
            if (c < '\u0020' || c > '\u007e') {
                return false;
            }
        }
        return true;
    }
    public boolean isBlockSemicolon() {
        return blockSemicolon;
    }
    public void setBlockSemicolon(boolean blockSemicolon) {
        this.blockSemicolon = blockSemicolon;
    }
    public boolean isBlockBackslash() {
        return blockBackslash;
    }
    public void setBlockBackslash(boolean blockBackslash) {
        this.blockBackslash = blockBackslash;
    }
    public boolean isBlockNonAscii() {
        return blockNonAscii;
    }
    public void setBlockNonAscii(boolean blockNonAscii) {
        this.blockNonAscii = blockNonAscii;
    }
}