Spring Security动态配置资源权限分析与安全审计指南<\/h1>

0x00 概述<\/h2>

Spring Security中实现通过数据库动态配置URL资源权限的核心机制是通过配置验证过滤器来实现资源权限的加载和验证。主要流程包括：<\/p>

系统启动时从数据库加载系统资源权限列表<\/li>
用户登录时将用户资源权限列表添加到用户信息中<\/li>

请求访问时对比系统资源权限列表和用户资源权限列表进行权限判断<\/li> <\/ol>

0x01 关键组件<\/h2>

1.1 核心配置项<\/h3>

实现动态资源权限配置需要以下关键组件：<\/p>

securityMetadataSource<\/strong>：<\/p>

实现FilterInvocationSecurityMetadataSource<\/code>接口<\/li>
负责加载资源权限配置<\/li> <\/ul> <\/li>
accessDecisionManager<\/strong>：<\/p> 自定义AccessDecisionManager<\/code><\/li> 决定用户是否有权限访问资源<\/li> <\/ul> <\/li> filterSecurityInterceptor<\/strong>：<\/p> 继承AbstractSecurityInterceptor<\/code>并实现Filter<\/code>接口<\/li> 自定义验证过滤器替换默认验证过滤器<\/li> <\/ul> <\/li> WebSecurityConfig<\/strong>：<\/p> 系统配置类<\/li> 启用filterSecurityInterceptor<\/code><\/li> <\/ul> <\/li> <\/ol> 注意：从Spring Security 6开始，FilterSecurityInterceptor<\/code>被AuthorizationFilter<\/code>替代，主要通过access<\/code>方法实现权限控制。<\/p> <\/blockquote> 1.2 Spring Security 6+实现示例<\/h3> @Bean<\/span> <\/span><\/span>SecurityFilterChain securityFilterChain<\/span>(<\/span>HttpSecurity http)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> http.<\/span>authorizeHttpRequests<\/span>(<\/span>register -><\/span> register.<\/span>anyRequest<\/span>().<\/span>access<\/span>((<\/span>authentication,<\/span> object)<\/span> -><\/span> {<\/span> <\/span><\/span> \/\/ 检查请求URL是否匹配数据库中的配置 <\/span><\/span><\/span><\/span> boolean<\/span> isMatch =<\/span> false<\/span>;<\/span> <\/span><\/span> String requestURI =<\/span> object.<\/span>getRequest<\/span>().<\/span>getRequestURI<\/span>();<\/span> <\/span><\/span> List<<\/span>MenuWithRoleVO><\/span> menuWithRole =<\/span> menuService.<\/span>getMenuWithRole<\/span>();<\/span> <\/span><\/span> <\/span><\/span> for<\/span> (<\/span>MenuWithRoleVO m :<\/span> menuWithRole)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>antPathMatcher.<\/span>match<\/span>(<\/span>m.<\/span>getUrl<\/span>(),<\/span> requestURI))<\/span> {<\/span> <\/span><\/span> isMatch =<\/span> true<\/span>;<\/span> <\/span><\/span> List<<\/span>Role><\/span> roles =<\/span> m.<\/span>getRoles<\/span>();<\/span> <\/span><\/span> Collection<?<\/span> extends<\/span> GrantedAuthority><\/span> authorities =<\/span> authentication.<\/span>get<\/span>().<\/span>getAuthorities<\/span>();<\/span> <\/span><\/span> <\/span><\/span> for<\/span> (<\/span>GrantedAuthority authority :<\/span> authorities)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>Role role :<\/span> roles)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>authority.<\/span>getAuthority<\/span>().<\/span>equals<\/span>(<\/span>role.<\/span>getName<\/span>()))<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> AuthorizationDecision(<\/span>true<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>isMatch)<\/span> {<\/span> <\/span><\/span> \/\/ 未匹配的URL，只要登录就能访问 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>authentication.<\/span>get<\/span>()<\/span> instanceof<\/span> AnonymousAuthenticationToken)<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> AuthorizationDecision(<\/span>false<\/span>);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> AuthorizationDecision(<\/span>true<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> new<\/span> AuthorizationDecision(<\/span>false<\/span>);<\/span> <\/span><\/span> }))<\/span> <\/span><\/span> .<\/span>formLogin<\/span>(<\/span>form -><\/span> \/*...*\/<\/span>)<\/span> <\/span><\/span> .<\/span>csrf<\/span>(<\/span>csrf -><\/span> \/*...*\/<\/span>)<\/span> <\/span><\/span> .<\/span>exceptionHandling<\/span>(<\/span>e -><\/span> \/*...*\/<\/span>)<\/span> <\/span><\/span> .<\/span>logout<\/span>(<\/span>logout -><\/span> \/*...*\/<\/span>);<\/span> <\/span><\/span> <\/span><\/span> return<\/span> http.<\/span>build<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>0x02 关键实现细节<\/h2> 2.1 FilterInvocation类<\/h3> org.springframework.security.web.FilterInvocation<\/code>封装HTTP请求和响应，在安全过滤链中传递请求上下文信息。关键方法：<\/p> getRequest()<\/code>：获取HttpServletRequest对象<\/li> getResponse()<\/code>：获取HttpServletResponse对象<\/li> getRequestUrl()<\/code>：获取请求URL<\/li> <\/ul> 2.2 请求路径获取方式<\/h3> 主要通过org.springframework.security.web.util.UrlUtils<\/code>工具类处理：<\/p> buildFullRequestUrl<\/strong>：<\/p> 通过requestURI获取完整URL<\/li> 包含协议、端口等额外信息<\/li> 不做过多处理<\/li> <\/ul> <\/li> buildRequestUrl<\/strong>：<\/p> 优先使用servletPath获取请求路径<\/li> servletPath为空时使用requestURI<\/li> 对请求路径进行归一化处理<\/li> <\/ul> <\/li> <\/ol> 0x03 安全审计关键点<\/h2> 3.1 HttpFirewall防护<\/h3> Spring Security提供HttpFirewall<\/code>接口处理非法请求，默认使用StrictHttpFirewall<\/code>：<\/p> 校验URL是否规范<\/li> 拦截;<\/code>、\/\/<\/code>、..\/<\/code>等特殊字符<\/li> 高版本增加换行符等黑名单规则<\/li> <\/ul> 3.2 常见绕过风险<\/h3> 3.2.1 ?参数绕过<\/h4> UrlUtils#buildRequestUrl<\/code>在query不为空时会拼接?<\/code>和参数，可能导致绕过：<\/p> \/\/ 假设匹配逻辑 <\/span><\/span><\/span><\/span>if<\/span> (<\/span>antPathMatcher.<\/span>match<\/span>(<\/span>"\/admin\/manage"<\/span>,<\/span> fi.<\/span>getRequestUrl<\/span>()))<\/span> {<\/span> <\/span><\/span> \/\/ 权限检查 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 绕过方式：访问\/admin\/manage? <\/span><\/span><\/span><\/code><\/pre>3.2.2 尾部斜杠绕过<\/h4> 利用Spring Web的TrailingSlashMatch特性：<\/p> 低版本：TrailingSlashMatch<\/code><\/li> 高版本：matchOptionalTrailingSeparator<\/code>属性<\/li> <\/ul> 请求路径尾部存在额外斜杠可能绕过权限检查。<\/p> 3.2.3 AntPathMatcher解析差异<\/h4> 不同版本AntPathMatcher<\/code>\/AntPathRequestMatcher<\/code>存在差异：<\/p> 5.3.22版本前：Pattern不配置dotall模式，不匹配\r<\/code>、\n<\/code><\/li> 5.3.22版本后：配置dotall模式，.<\/code>匹配任何字符包括行结束符<\/li> <\/ul> 绕过示例<\/strong>：<\/p> \/\/ 匹配逻辑 <\/span><\/span><\/span><\/span>antPathMatcher.<\/span>match<\/span>(<\/span>"\/admin\/{name}"<\/span>,<\/span> fi.<\/span>getRequestUrl<\/span>())<\/span> <\/span><\/span> <\/span><\/span>\/\/ 绕过方式：访问\/admin\/%0d%0a <\/span><\/span><\/span><\/code><\/pre>3.3 安全实现建议<\/h3> 统一路径规范化处理<\/li> 严格校验请求路径<\/li> 使用最新版本Spring Security<\/li> 自定义HttpFirewall<\/code>增强防护<\/li> 对未匹配路径采用默认拒绝策略<\/li> <\/ol> 0x04 典型实现示例<\/h2> 4.1 自定义SecurityMetadataSource<\/h3> @Override<\/span> <\/span><\/span>public<\/span> Collection<<\/span>ConfigAttribute><\/span> getAttributes<\/span>(<\/span>Object object)<\/span> throws<\/span> IllegalArgumentException {<\/span> <\/span><\/span> String requestUrl =<\/span> ((<\/span>FilterInvocation)<\/span> object).<\/span>getRequestUrl<\/span>();<\/span> <\/span><\/span> List<<\/span>Menu><\/span> menus =<\/span> menuService.<\/span>getAllMenusWithRole<\/span>();<\/span> <\/span><\/span> <\/span><\/span> for<\/span> (<\/span>Menu menu :<\/span> menus)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>antPathMatcher.<\/span>match<\/span>(<\/span>menu.<\/span>getUrl<\/span>(),<\/span> requestUrl))<\/span> {<\/span> <\/span><\/span> List<<\/span>Role><\/span> roles =<\/span> menu.<\/span>getRoles<\/span>();<\/span> <\/span><\/span> String[]<\/span> str =<\/span> new<\/span> String[<\/span>roles.<\/span>size<\/span>()];<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> roles.<\/span>size<\/span>();<\/span> i++)<\/span> {<\/span> <\/span><\/span> str[<\/span>i]<\/span> =<\/span> roles.<\/span>get<\/span>(<\/span>i).<\/span>getName<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> SecurityConfig.<\/span>createList<\/span>(<\/span>str);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> SecurityConfig.<\/span>createList<\/span>(<\/span>"ROLE_LOGIN"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4.2 路径匹配增强<\/h3> \/\/ 增强的路径匹配逻辑 <\/span><\/span><\/span><\/span>private<\/span> boolean<\/span> securePathMatch<\/span>(<\/span>String pattern,<\/span> String path)<\/span> {<\/span> <\/span><\/span> \/\/ 1. 规范化路径 <\/span><\/span><\/span><\/span> path =<\/span> StringUtils.<\/span>cleanPath<\/span>(<\/span>path);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 2. 移除查询参数 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>path.<\/span>contains<\/span>(<\/span>"?"<\/span>))<\/span> {<\/span> <\/span><\/span> path =<\/span> path.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> path.<\/span>indexOf<\/span>(<\/span>"?"<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 3. 处理尾部斜杠 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>pattern.<\/span>endsWith<\/span>(<\/span>"\/"<\/span>)<\/span> &&<\/span> path.<\/span>endsWith<\/span>(<\/span>"\/"<\/span>))<\/span> {<\/span> <\/span><\/span> path =<\/span> path.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> path.<\/span>length<\/span>()<\/span> -<\/span> 1<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 4. 使用最新版匹配器 <\/span><\/span><\/span><\/span> return<\/span> antPathMatcher.<\/span>match<\/span>(<\/span>pattern,<\/span> path);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>0x05 总结<\/h2> 动态配置URL资源权限时，审计重点应关注：<\/p> 路径获取和匹配的实现方式<\/li> 不同版本间的解析差异<\/li> 特殊字符和边缘情况的处理<\/li> 默认策略的安全性<\/li> 与框架其他安全组件的协同工作<\/li> <\/ol> 通过全面考虑这些方面，可以有效避免权限绕过等安全问题。<\/p>