1. 弱密码问题:
增加弱密码登录强制修改弹窗,设置密码时正则校验弱密码
2. 越权问题:
类似接口 xxx?id=1 改为 xxx?id=2 访问这类问题:一种做法是查询时在SQL条件中增加uid,另一种是使用多个参数防止破解,比如 xxx?id=1&code=666&date=2020-01-01 01:02:03
3. xss攻击过滤:
pom文件加入依赖,默认情况下不用配置即可用
<!--xss 过滤-->
<dependency>
<groupId>net.dreamlu</groupId>
<artifactId>mica-xss</artifactId>
<version>2.7.1.1</version>
</dependency>
使用文档:https://www.dreamlu.net/components/mica-xss.html
4. sql注入:
使用MyBatis框架时,参数占位符使用#{}而不要用${}
5. 暴力破解:
登录接口增加密码错误失败锁定
// Example usage: the SpEL expression names the method parameter that carries the account
// identifier ("#userName" binds to the parameter called userName). AccountLockAop evaluates it
// against the call's arguments to build the per-account failure-count and lock keys.
// The body is elided in this note; the method returns a JsonResult, which the aspect requires.
@AccountLock(account = "#userName")
@Override
public JsonResult login(String userName, String password, Integer sourceType, String channel, HttpServletRequest request) {
}
/**
 * Marks a login-style method whose failed attempts are counted per account and which is
 * rejected while the account is locked (see AccountLockAop).
 * <p>
 * Retained at runtime so the aspect can read it; applicable to methods only.
 */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface AccountLock {
/**
 * SpEL expression yielding the account identifier, evaluated with the annotated method's
 * parameter names bound as variables (e.g. {@code "#userName"}).
 */
String account();
}
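@Slf4j
@Aspect
@Component
public class AccountLockAop {

    /** Consecutive wrong-password failures tolerated; the lock is set once the count exceeds this. */
    private static final int MAX_FAIL_BEFORE_LOCK = 4;
    /** TTL of the failure counter (24h). It is refreshed on every failure, so the window slides. */
    private static final int FAIL_COUNT_EXPIRE_SECONDS = 24 * 60 * 60;
    /** Lock duration applied when the "mgr_account_lock" config entry is absent or unparseable. */
    private static final int DEFAULT_LOCK_SECONDS = 60;
    private static final ExpressionParser EXPRESSION_PARSER = new SpelExpressionParser();

    @Autowired
    private RedisService redisService;

    /**
     * Wraps a method annotated with {@link AccountLock}.
     * <p>
     * Flow: resolve the account name from the annotation's SpEL expression; if a lock flag with a
     * positive TTL exists for it, answer with a failure result without invoking the method.
     * Otherwise invoke it and inspect the returned {@code JsonResult}: a failure whose code equals
     * {@code JsonResultCode.User.wc_000015} counts as a wrong password (counter incremented, lock
     * set past the threshold); a success clears the counter.
     * <p>
     * The account name comes from the client-supplied argument, so the control is per account, not
     * per source; a null account yields keys ending in "null" (unchanged from the original).
     *
     * @param joinPoint   the intercepted call
     * @param accountLock the annotation instance bound by the pointcut
     * @return the intercepted method's {@code JsonResult}, or a lock failure result
     * @throws Throwable whatever the intercepted method throws; it is no longer swallowed here
     */
    @Around("@annotation(accountLock)")
    public Object around(ProceedingJoinPoint joinPoint, AccountLock accountLock) throws Throwable {
        String userName = resolveAccount(joinPoint, accountLock);
        JsonResult result = new JsonResult();

        long expire = redisService.getExpire(RedisKeyPrefix.loginFilter.LOGIN_LOCK_FLAG + userName);
        if (expire > 0) {
            result.failure("账号被锁定,剩余时间" + expire + "秒!");
            return result;
        }

        // The original caught every Exception from proceed(), logged it as a return-type problem
        // and answered with an empty JsonResult, which masked real login failures. Only the
        // return-type mismatch is handled here; other exceptions propagate to the caller.
        Object returned = joinPoint.proceed();
        if (returned != null && !(returned instanceof JsonResult)) {
            log.error("方法返回类型必须为:JsonResult! 实际类型:{}", returned.getClass().getName());
            return result;
        }
        result = (JsonResult) returned;

        try {
            if (result != null && !result.getStatus()
                    && Integer.valueOf(JsonResultCode.User.wc_000015.val()).equals(result.getCode())) {
                // wrong-password failure: count it and lock once the threshold is exceeded
                lockAccount(userName);
            } else if (result != null && result.getStatus()) {
                // successful login resets the failure counter
                redisService.delete(RedisKeyPrefix.loginFilter.LOGIN_FAIL_NUM + userName);
            }
        } catch (Exception e) {
            // Bookkeeping stays best-effort as in the original. Note this is fail-open: a Redis
            // error here means the failure is not counted and no lock is set, so log it accurately.
            log.error("登录失败计数/锁定处理异常, account={}", userName, e);
        }
        return result;
    }

    /**
     * Evaluates the annotation's SpEL expression against the intercepted call's arguments, with
     * each parameter name bound as a SpEL variable.
     *
     * @return the evaluated account name; null if the expression yields null
     */
    private String resolveAccount(ProceedingJoinPoint joinPoint, AccountLock accountLock) {
        MethodSignature signature = (MethodSignature) joinPoint.getSignature();
        String[] parameterNames = signature.getParameterNames();
        Object[] args = joinPoint.getArgs();
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        // NOTE(review): getParameterNames() may be null when parameter names were not retained at
        // compile time; the original would NPE here, before the lock check. Guarded so the
        // expression then simply evaluates to null.
        if (parameterNames != null && args != null) {
            int bound = Math.min(parameterNames.length, args.length);
            for (int i = 0; i < bound; i++) {
                ctx.setVariable(parameterNames[i], args[i]);
            }
        }
        Expression expression = EXPRESSION_PARSER.parseExpression(accountLock.account());
        return expression.getValue(ctx, String.class);
    }

    /**
     * Records one wrong-password failure for the account and sets the lock flag once the
     * failure count exceeds {@link #MAX_FAIL_BEFORE_LOCK}.
     *
     * @param userName account the failure belongs to (used as key suffix)
     */
    private void lockAccount(String userName) {
        String failKey = RedisKeyPrefix.loginFilter.LOGIN_FAIL_NUM + userName;
        int num = (int) redisService.incr(failKey, 1);
        // refreshed on every failure: the 24h window slides rather than starting at the first miss
        redisService.expire(failKey, FAIL_COUNT_EXPIRE_SECONDS);
        if (num > MAX_FAIL_BEFORE_LOCK) {
            int lockSeconds = lockSecondsFor(num);
            redisService.set(RedisKeyPrefix.loginFilter.LOGIN_LOCK_FLAG + userName,
                    System.currentTimeMillis() + "", lockSeconds);
        }
    }

    /**
     * Picks the lock duration for the given failure count from the comma-separated
     * "mgr_account_lock" entry of the CONFIG hash (escalating: later entries for more failures,
     * the last entry repeated once the list is exhausted).
     * <p>
     * A malformed entry used to raise NumberFormatException, which the old catch-all swallowed
     * before the lock flag was written — i.e. a bad config silently disabled locking. It now falls
     * back to {@link #DEFAULT_LOCK_SECONDS} and logs the bad value.
     *
     * @param failCount current failure count (greater than {@link #MAX_FAIL_BEFORE_LOCK})
     * @return lock duration in seconds
     */
    private int lockSecondsFor(int failCount) {
        String value = (String) redisService.hget(RedisKeyPrefix.CONFIG, "mgr_account_lock");
        if (!StringUtils.isNotBlank(value)) {
            return DEFAULT_LOCK_SECONDS;
        }
        String[] split = value.split(",");
        // NOTE(review): with the threshold at num > 4, the first lock (num == 5) reads split[1],
        // so split[0] is never used. Kept as in the original; confirm whether failCount - 5 was
        // intended before changing deployed lock schedules.
        int idx = failCount - MAX_FAIL_BEFORE_LOCK;
        String chosen = idx < split.length ? split[idx] : split[split.length - 1];
        try {
            return Integer.parseInt(chosen.trim());
        } catch (NumberFormatException e) {
            log.error("mgr_account_lock 配置值无法解析: {}", chosen, e);
            return DEFAULT_LOCK_SECONDS;
        }
    }
}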