Spring权限管理与IDOR漏洞挖掘实战指南<\/h1>

一、Spring权限管理概述<\/h2>

在企业级应用中，权限控制是核心安全环节。Spring生态提供了丰富的权限管理手段，主要分为两类：<\/p>

垂直权限(Vertical Access Control)<\/strong>：控制"角色等级"对资源或操作的访问<\/li>

水平权限(Horizontal Access Control)<\/strong>：防止用户操作自己无权访问的同级资源<\/li> <\/ol>
二、垂直权限实现方式<\/h2>
1. HandlerInterceptor拦截器<\/h3>
在Spring MVC中，可以通过HandlerInterceptor<\/code>的preHandle()<\/code>方法在请求到达Controller前进行权限校验：<\/p>
public<\/span> class<\/span> AuthInterceptor<\/span> implements<\/span> HandlerInterceptor {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> <\/span><\/span> HttpServletResponse response,<\/span> <\/span><\/span> Object handler)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 权限校验逻辑 <\/span><\/span><\/span><\/span> if<\/span>(!<\/span>hasPermission(<\/span>request)){<\/span> <\/span><\/span> response.<\/span>sendError<\/span>(<\/span>403<\/span>);<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>优点<\/strong>：逻辑集中，可统一管理缺点<\/strong>：复杂规则需要手写，维护成本高<\/p> 2. Spring Security方案<\/h3> URL级权限<\/strong>：通过配置URL与角色映射控制访问<\/p> http.<\/span>authorizeRequests<\/span>()<\/span> <\/span><\/span> .<\/span>antMatchers<\/span>(<\/span>"\/admin\/**"<\/span>).<\/span>hasRole<\/span>(<\/span>"ADMIN"<\/span>)<\/span> <\/span><\/span> .<\/span>antMatchers<\/span>(<\/span>"\/user\/**"<\/span>).<\/span>hasRole<\/span>(<\/span>"USER"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>方法级注解<\/strong>：<\/p> @PreAuthorize<\/code>：方法执行前校验<\/li> @PostAuthorize<\/code>：方法执行后校验（可基于返回值判断）<\/li> <\/ul> @PreAuthorize<\/span>(<\/span>"hasRole('ADMIN') or hasPermission(#id, 'read')"<\/span>)<\/span> <\/span><\/span>public<\/span> String sensitiveMethod<\/span>(<\/span>Long id)<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>自定义PermissionEvaluator<\/strong>：实现复杂业务规则<\/p> public<\/span> class<\/span> CustomPermissionEvaluator<\/span> implements<\/span> PermissionEvaluator {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> boolean<\/span> hasPermission<\/span>(<\/span>Authentication auth,<\/span> Object target,<\/span> Object permission)<\/span> {<\/span> <\/span><\/span> \/\/ 自定义权限判断逻辑 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. Apache Shiro方案<\/h3> 支持细粒度权限控制，如"document:read:123"表示对ID为123的文档有读权限<\/p> @RequiresPermissions<\/span>(<\/span>"document:read:#documentId"<\/span>)<\/span> <\/span><\/span>public<\/span> Document getDocument<\/span>(<\/span>Long documentId)<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 自定义注解+AOP<\/h3> @Target<\/span>(<\/span>ElementType.<\/span>METHOD<\/span>)<\/span> <\/span><\/span>@Retention<\/span>(<\/span>RetentionPolicy.<\/span>RUNTIME<\/span>)<\/span> <\/span><\/span>public<\/span> @interface<\/span> ResourcePermission {<\/span> <\/span><\/span> String resourceType<\/span>();<\/span> <\/span><\/span> String permission<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>@Aspect<\/span> <\/span><\/span>@Component<\/span> <\/span><\/span>public<\/span> class<\/span> PermissionAspect<\/span> {<\/span> <\/span><\/span> @Around<\/span>(<\/span>"@annotation(resourcePermission)"<\/span>)<\/span> <\/span><\/span> public<\/span> Object checkPermission<\/span>(<\/span>ProceedingJoinPoint joinPoint,<\/span> <\/span><\/span> ResourcePermission resourcePermission)<\/span> {<\/span> <\/span><\/span> \/\/ 权限校验逻辑 <\/span><\/span><\/span><\/span> if<\/span>(!<\/span>hasPermission(<\/span>resourcePermission.<\/span>resourceType<\/span>(),<\/span> <\/span><\/span> resourcePermission.<\/span>permission<\/span>())){<\/span> <\/span><\/span> throw<\/span> new<\/span> AccessDeniedException(<\/span>"无权限"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> joinPoint.<\/span>proceed<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、水平权限实现方式<\/h2> 水平权限检查依赖资源归属，通常需要分散在业务逻辑或数据库查询层。<\/p> 1. 数据库层过滤<\/h3> \/\/ 查询时自动添加用户ID条件 <\/span><\/span><\/span><\/span>@Query<\/span>(<\/span>"SELECT o FROM Order o WHERE o.id = ?1 AND o.userId = ?2"<\/span>)<\/span> <\/span><\/span>Order findByIdAndUserId<\/span>(<\/span>Long id,<\/span> Long userId);<\/span> <\/span><\/span><\/code><\/pre>2. 方法层判断<\/h3> public<\/span> Order getOrder<\/span>(<\/span>Long orderId)<\/span> {<\/span> <\/span><\/span> Order order =<\/span> orderRepository.<\/span>findById<\/span>(<\/span>orderId);<\/span> <\/span><\/span> if<\/span>(<\/span>order ==<\/span> null<\/span> ||<\/span> !<\/span>order.<\/span>getUserId<\/span>().<\/span>equals<\/span>(<\/span>getCurrentUserId())){<\/span> <\/span><\/span> throw<\/span> new<\/span> AccessDeniedException(<\/span>"无权访问该订单"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> order;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. AOP+注解封装<\/h3> @Target<\/span>(<\/span>ElementType.<\/span>METHOD<\/span>)<\/span> <\/span><\/span>@Retention<\/span>(<\/span>RetentionPolicy.<\/span>RUNTIME<\/span>)<\/span> <\/span><\/span>public<\/span> @interface<\/span> ResourceOwner {<\/span> <\/span><\/span> String idParam<\/span>()<\/span> default<\/span> "id"<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>@Aspect<\/span> <\/span><\/span>@Component<\/span> <\/span><\/span>public<\/span> class<\/span> ResourceOwnerAspect<\/span> {<\/span> <\/span><\/span> @Around<\/span>(<\/span>"@annotation(resourceOwner)"<\/span>)<\/span> <\/span><\/span> public<\/span> Object checkOwner<\/span>(<\/span>ProceedingJoinPoint joinPoint,<\/span> <\/span><\/span> ResourceOwner resourceOwner)<\/span> {<\/span> <\/span><\/span> \/\/ 获取参数中的资源ID <\/span><\/span><\/span><\/span> Long resourceId =<\/span> getResourceId(<\/span>joinPoint,<\/span> resourceOwner.<\/span>idParam<\/span>());<\/span> <\/span><\/span> \/\/ 验证当前用户是否为资源所有者 <\/span><\/span><\/span><\/span> if<\/span>(!<\/span>isOwner(<\/span>resourceId)){<\/span> <\/span><\/span> throw<\/span> new<\/span> AccessDeniedException(<\/span>"无权操作该资源"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> joinPoint.<\/span>proceed<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 数据库行级安全(RLS)<\/h3> PostgreSQL等数据库支持行级安全策略：<\/p> CREATE<\/span> POLICY order_owner_policy ON<\/span> orders <\/span><\/span> USING<\/span> (user_id =<\/span> current_user_id()); <\/span><\/span>ALTER<\/span> TABLE<\/span> orders ENABLE ROW<\/span> LEVEL<\/span> SECURITY<\/span>; <\/span><\/span><\/code><\/pre>四、IDOR漏洞挖掘实战<\/h2> 以mall项目为例，分析其权限管理实现和漏洞挖掘过程。<\/p> 1. 垂直权限分析<\/h3> mall的Security模块中，DynamicSecurityFilter<\/code>继承了AbstractSecurityInterceptor<\/code>：<\/p> public<\/span> class<\/span> DynamicSecurityFilter<\/span> extends<\/span> AbstractSecurityInterceptor implements<\/span> Filter {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> <\/span><\/span> ServletResponse servletResponse,<\/span> <\/span><\/span> FilterChain filterChain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span> <\/span><\/span> \/\/ 权限校验逻辑 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>核心权限决策流程：<\/p> AccessDecisionManager.decide()<\/code>方法调用<\/li> 通过DynamicSecurityMetadataSource.getAttributes()<\/code>获取权限规则<\/li> 规则通过dynamicSecurityService.loadDataSource()<\/code>加载<\/li> 最终从数据库ums_resource<\/code>表读取URL-角色映射规则<\/li> <\/ol> 结论<\/strong>：垂直权限控制完善，难以构造越权。<\/p> 2. 水平权限漏洞挖掘<\/h3> 漏洞一：订单取消越权<\/h4> 接口<\/strong>：\/order\/cancelUserOrder<\/code><\/p> 问题代码<\/strong>：<\/p> @PostMapping<\/span>(<\/span>"\/cancelUserOrder"<\/span>)<\/span> <\/span><\/span>public<\/span> CommonResult cancelUserOrder<\/span>(<\/span>@RequestParam<\/span> Long orderId)<\/span> {<\/span> <\/span><\/span> return<\/span> portalOrderService.<\/span>cancelOrder<\/span>(<\/span>orderId);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ portalOrderService.cancelOrder实现 <\/span><\/span><\/span><\/span>public<\/span> CommonResult cancelOrder<\/span>(<\/span>Long orderId)<\/span> {<\/span> <\/span><\/span> \/\/ 直接操作订单，未校验订单归属 <\/span><\/span><\/span><\/span> orderMapper.<\/span>updateStatus<\/span>(<\/span>orderId,<\/span> 4<\/span>);<\/span> \/\/ 4表示已取消 <\/span><\/span><\/span><\/span> return<\/span> CommonResult.<\/span>success<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p> 注册新用户（无任何订单）<\/li> 从数据库选择其他用户的订单ID（如状态为未支付的73号订单）<\/li> 向接口发送取消请求： POST \/order\/cancelUserOrder <\/span><\/span><\/span>Content-Type: application\/x-www-form-urlencoded <\/span><\/span><\/span> <\/span><\/span><\/span>orderId=73 <\/span><\/span><\/span><\/code><\/pre><\/li> 数据库检查确认订单状态被修改<\/li> <\/ol> 漏洞二：支付状态篡改<\/h4> 接口<\/strong>：\/order\/paySuccess<\/code><\/p> 问题代码<\/strong>：<\/p> @PostMapping<\/span>(<\/span>"\/paySuccess"<\/span>)<\/span> <\/span><\/span>public<\/span> CommonResult paySuccess<\/span>(<\/span>@RequestParam<\/span> Long orderId,<\/span> <\/span><\/span> @RequestParam<\/span> Integer payType)<\/span> {<\/span> <\/span><\/span> return<\/span> portalOrderService.<\/span>paySuccess<\/span>(<\/span>orderId,<\/span> payType);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ portalOrderService.paySuccess实现 <\/span><\/span><\/span><\/span>public<\/span> CommonResult paySuccess<\/span>(<\/span>Long orderId,<\/span> Integer payType)<\/span> {<\/span> <\/span><\/span> \/\/ 直接修改订单状态为已支付，无任何校验 <\/span><\/span><\/span><\/span> orderMapper.<\/span>updateStatus<\/span>(<\/span>orderId,<\/span> 1<\/span>);<\/span> \/\/ 1表示待发货 <\/span><\/span><\/span><\/span> return<\/span> CommonResult.<\/span>success<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>严重性<\/strong>：<\/p> 实现0元购：未支付订单直接改为已支付<\/li> 平台攻击：枚举修改大量订单状态，导致交易系统瘫痪<\/li> <\/ol> 利用步骤<\/strong>：<\/p> 选择未支付订单（如73号）<\/li> 发送支付成功请求： POST \/order\/paySuccess <\/span><\/span><\/span>Content-Type: application\/x-www-form-urlencoded <\/span><\/span><\/span> <\/span><\/span><\/span>orderId=73&payType=1 <\/span><\/span><\/span><\/code><\/pre><\/li> 数据库检查确认订单状态变为"待发货"<\/li> <\/ol> 五、防御建议<\/h2> 垂直权限<\/strong>：<\/p> 使用Spring Security或Shiro框架<\/li> 采用RBAC模型管理角色和权限<\/li> 最小权限原则分配权限<\/li> <\/ul> <\/li> 水平权限<\/strong>：<\/p> 所有涉及资源ID的操作必须校验归属<\/li> 使用统一拦截器或AOP处理资源权限<\/li> 数据库查询自动添加用户ID条件<\/li> 考虑行级安全(RLS)方案<\/li> <\/ul> <\/li> 代码审计重点<\/strong>：<\/p> 检查所有接收资源ID的接口<\/li> 验证Service层是否进行归属判断<\/li> 确保数据库查询包含用户条件<\/li> 特别注意状态修改类操作<\/li> <\/ul> <\/li> 测试建议<\/strong>：<\/p> 使用不同权限账户测试相同接口<\/li> 尝试操作非自己拥有的资源ID<\/li> 自动化扫描工具结合人工验证<\/li> <\/ul> <\/li> <\/ol> 六、总结<\/h2> 垂直权限通常框架完善，风险较低<\/li> 水平权限分散在业务代码中，是审计重点<\/li> IDOR漏洞难以通过自动化工具发现，需要人工仔细审查<\/li> 所有接收资源ID的操作必须进行归属校验<\/li> 状态修改类接口需要特别关注权限控制<\/li> <\/ol> 通过本案例可以看出，即使是在star数很高的开源项目中，水平权限控制也容易出现问题。开发者和安全审计人员都应给予足够重视。<\/p>