来吧,贴代码。
一、背景
我们有一个项目使用了spring cloud,有的微服务需要调用别的微服务,但这些调用没有鉴权;当初项目时间非常紧,同时这部分微服务有的对外也没有鉴权,在代码中设置了无须鉴权,可直接访问。近期客户进行安全性测评,查出了一堆安全性漏洞。你睇下:
@Override
public void configure(HttpSecurity http) throws Exception {http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and().authorizeRequests()//添加放行接口,不进行OAuth2授权认证.antMatchers("/camera/**","/jcDeviceManufacturer/file/preview/**","/jcStationFile/**","/jcTimedTask/**","/jcDevice/**","/jcStation/**","/user/query/warning/**","/jcSenorDataCurrent/**","/jcSensorData003/**","/jcSensorData007/**","/jcSensorData008/**","/jcSensorData009/**","/jcSensorData012/**","/jcSensorData014/**","/jcSensorData015/**","/jcSensorData024/**","/jcSensorData025/**","/jcSensorData027/**","/jcSensorData034/**","/jcSensorGnssResolvedata/**","/jcSensorDataDxs/**","/jcSensorDataGnss/**","/jcStationMap/**","/jcWarnConfigDevice/**","/jcStationDeviceMap/**").permitAll()// 指定监控访问权限.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll().anyRequest().authenticated().and()//认证鉴权错误处理.exceptionHandling().accessDeniedHandler(new OpenAccessDeniedHandler()).authenticationEntryPoint(new OpenAuthenticationEntryPoint()).and().csrf().disable();
}
如之奈何,计将安出?
二、思路
项目早就验收了,维护期也过期了。本着为客户着想,并幻想他们能再续期,丢个几万元让我们维护,所以我奋不顾身地维护一下。
我的指导原则是代码不要进行大的调整,尽量简单处理,毕竟量体裁衣,看菜吃饭。而且当时项目开发的人很多,我只负责其中几个模块,好多都不是我弄的。现在人员已经走得差不多了,维护任务就落到我头上。我只好硬着猪头皮,献上思路如下:
1)微服务间调用,检查请求头有无带上特定信息,有则通过,无则抛出异常
2)外部访问,设置白名单,检查发出请求的IP,符合则通过,否则抛出异常。这样第三方系统就不用更改了
3)但这些服务中,有一些前端也会请求。由于前端有登录,那么前端的请求应该不受上面的限制措施影响。
4)搞一个标注来完成这些鉴权动作,并且应用AOP,尽量将现有代码改动减到最小。
三、具体实现
1、标注@Inner,用于标记类
import java.lang.annotation.*;/*** 微服务内部访问方法*/
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface Inner {/*** 是否AOP统一处理*/boolean value() default true;
}
2、标注@InnerMethod,用于标记方法
import java.lang.annotation.*;/*** 微服务内部访问方法*/
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface InnerMethod {/*** 是否AOP统一处理*/boolean value() default true;
}
3、AOP
1)InnerAspect.java
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.Signature;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.Ordered;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;@Aspect
@Component
public class InnerAspect implements Ordered {
/**
配置文件内容:
inner.head.name=X-From
inner.head.value=internal
inner.white-ip=127.0.0.1,192.168.10.8,192.168.10.9
*/@Value(value = "${inner.head.name:X-From}")private String from;@Value(value = "${inner.head.value:internal}")private String fromIn;@Value(value = "${inner.white-ip:127.0.0.1}")private String whiteIps;private static List<String> whiteList = null;@Around("@within(inner)") // Modified pointcut expressionpublic Object around(ProceedingJoinPoint point, Inner inner) throws Throwable {if(!isValid(point,inner.value())){throw new AccessDeniedException("Access is denied");}return point.proceed(); // Proceed with the original method call}/*** 注意 @Around("@annotation(innerMethod)")中的"innerMethod",* 名称要与aroundMethod(ProceedingJoinPoint point, InnerMethod innerMethod) 中的参数名称一致* @param point* @param innerMethod* @return* @throws Throwable*/@Around("@annotation(innerMethod)")public Object aroundMethod(ProceedingJoinPoint point, InnerMethod innerMethod) throws Throwable {if(!isValid(point,innerMethod.value())){throw new AccessDeniedException("Access is denied");}return point.proceed();}@Overridepublic int getOrder() {return Ordered.HIGHEST_PRECEDENCE + 1;}private boolean isValid(ProceedingJoinPoint point, boolean innerHasValue){boolean yes = true;Authentication authentication = SecurityContextHolder.getContext().getAuthentication();if (authentication == null || "anonymousUser".equals(authentication.getPrincipal())){//尚未登录initWhiteList();Signature signature = point.getSignature();if (innerHasValue) { // Check if AOP is enabled for the classHttpServletRequest request = ServletUtils.getRequest();String header = request.getHeader(from);String ipAddress = getOriginalIp(request);// Authorization check based on request header or IP addressif (!fromIn.equals(header) && !whiteList.contains(ipAddress)) {System.err.println(String.format("没有权限访问接口 %s", signature.getName()));yes = false;}}}return yes;}private void initWhiteList(){if(whiteList == null || whiteList.size() == 0){whiteList = new ArrayList<>(Arrays.asList(whiteIps.split(",")));}}/*** 获取最原始的请求IP* 因为请求有可能经过nginx等转发* @param request* @return*/private String getOriginalIp(HttpServletRequest request) {String originalIp = request.getHeader("X-Forwarded-For");if (originalIp == null || originalIp.isEmpty()) {originalIp = request.getRemoteAddr();} else {// 可能会有多个IP,获取第一个IP地址originalIp = originalIp.split(",")[0].trim();}return originalIp;}
}其中,主要逻辑部分:
private boolean isValid(ProceedingJoinPoint point, boolean innerHasValue){boolean yes = true;Authentication authentication = SecurityContextHolder.getContext().getAuthentication();if (authentication == null || "anonymousUser".equals(authentication.getPrincipal())){//尚未登录initWhiteList();Signature signature = point.getSignature();if (innerHasValue) { // Check if AOP is enabled for the classHttpServletRequest request = ServletUtils.getRequest();String header = request.getHeader(from);String ipAddress = getOriginalIp(request);// Authorization check based on request header or IP addressif (!fromIn.equals(header) && !whiteList.contains(ipAddress)) {System.err.println(String.format("没有权限访问接口 %s", signature.getName()));yes = false;}}}return yes;
}
首先看是否已经登录,未登录的话才进行考察。如果既无请求头,又不在白名单内,才抛出异常;否则都通过,宽松得很。
值得一提得是,@Around的写法。里面的参数要跟函数的参数保持一致:
2)自定义的HttpServletRequest.java
上面代码中用到这个自定义类。
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;import javax.servlet.http.HttpServletRequest;public class ServletUtils {public static HttpServletRequest getRequest() {return ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();}
}
四、使用
1、被调用的服务
1)类
@Api(value = "监测设备信息", tags = "监测设备信息")
@RestController
@RequestMapping("jcDevice")
@Inner
public class JcDeviceController implements IJcDeviceServiceClient {
。。。
}
2)方法
@GetMapping("/file/preview")@InnerMethodpublic void previewDemo(HttpServletRequest request, HttpServletResponse response, @RequestParam("code") String code) {
。。。}
2、主动发起调用的服务
服务之间是通过Feign来调用的,只要在主动发起调用的微服务中实现Feign的拦截器即可:
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;@Component
public class InnerAuthInterceptor implements RequestInterceptor {@Value(value = "${inner.head.name:X-From}")private String from;@Value(value = "${inner.head.value:internal}")private String fromIn;@Overridepublic void apply(RequestTemplate template) {template.header(from, fromIn);}
}
五、小结
上述代码中,IP白名单在本地是没有问题的。但请求的转发是vue开发环境下实现的。部署到生产服务器nginx上,就拿不到最原始的请求IP,拿到的都是nginx服务器的IP。这个问题下周有时间再看看。
但不一定有时间。公司没啥活,员工却还是那么忙,搞不懂。
参考文章:
服务之间调用还需要鉴权?
Feign的拦截器RequestInterceptor
