Spring Web 中路径前缀获取方式与权限绕过风险分析<\/h1>

1. 背景与问题概述<\/h2>

在 Spring Web 应用中，路径前缀（Context Path）是 Web 应用部署时的基础路径，通常用于区分同一服务器上部署的不同应用。在权限控制场景中，路径前缀的正确处理至关重要，因为：<\/p>

权限系统通常基于完整路径进行访问控制<\/li>
路径前缀处理不当可能导致权限绕过风险<\/li>

不同环境下（开发\/测试\/生产）路径前缀可能不同<\/li> <\/ol>

2. Spring Web 中获取路径前缀的方式<\/h2>

2.1 通过 HttpServletRequest 获取<\/h3>

\/\/ 获取 context path (包含结尾斜杠)
<\/span><\/span><\/span><\/span>String contextPath =<\/span> request.<\/span>getContextPath<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取 servlet path (不包含 context path)
<\/span><\/span><\/span><\/span>String servletPath =<\/span> request.<\/span>getServletPath<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取 path info (位于 servlet path 之后)
<\/span><\/span><\/span><\/span>String pathInfo =<\/span> request.<\/span>getPathInfo<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取完整请求 URI (包含 context path)
<\/span><\/span><\/span><\/span>String requestURI =<\/span> request.<\/span>getRequestURI<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>2.2 通过 Spring 工具类获取<\/h3>
import<\/span> org.springframework.web.util.WebUtils;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取相对于 context path 的路径
<\/span><\/span><\/span><\/span>String pathWithinApplication =<\/span> WebUtils.<\/span>getPathWithinApplication<\/span>(<\/span>request);<\/span>
<\/span><\/span><\/code><\/pre>2.3 通过 Spring MVC 的 HandlerMapping 常量<\/h3>
\/\/ 获取原始路径（包含 context path）
<\/span><\/span><\/span><\/span>String lookupPath =<\/span> (<\/span>String)<\/span> request.<\/span>getAttribute<\/span>(<\/span>HandlerMapping.<\/span>PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2.4 通过 UrlPathHelper 工具类<\/h3>
import<\/span> org.springframework.web.util.UrlPathHelper;<\/span>
<\/span><\/span>
<\/span><\/span>UrlPathHelper pathHelper =<\/span> new<\/span> UrlPathHelper();<\/span>
<\/span><\/span>\/\/ 获取 context path
<\/span><\/span><\/span><\/span>String ctxPath =<\/span> pathHelper.<\/span>getContextPath<\/span>(<\/span>request);<\/span>
<\/span><\/span>\/\/ 获取 lookup path (不包含 context path)
<\/span><\/span><\/span><\/span>String lookupPath =<\/span> pathHelper.<\/span>getLookupPathForRequest<\/span>(<\/span>request);<\/span>
<\/span><\/span><\/code><\/pre>3. 路径处理中的常见问题<\/h2>
3.1 路径拼接问题<\/h3>
错误示例：<\/p>
String fullPath =<\/span> request.<\/span>getContextPath<\/span>()<\/span> +<\/span> "\/api\/resource"<\/span>;<\/span>
<\/span><\/span>\/\/ 当 contextPath 为 "\/app" 时，会得到 "\/app\/\/api\/resource" (双斜杠)
<\/span><\/span><\/span><\/code><\/pre>正确做法：<\/p>
String fullPath =<\/span> request.<\/span>getContextPath<\/span>()<\/span> +<\/span> "api\/resource"<\/span>;<\/span>
<\/span><\/span>\/\/ 或者使用 UriComponentsBuilder
<\/span><\/span><\/span><\/code><\/pre>3.2 路径标准化问题<\/h3>
Spring 默认会对路径进行标准化处理（移除多余的斜杠、路径遍历符等），但某些情况下需要手动处理：<\/p>
import<\/span> org.springframework.web.util.UriUtils;<\/span>
<\/span><\/span>
<\/span><\/span>String normalizedPath =<\/span> UriUtils.<\/span>encodePath<\/span>(<\/span>path,<\/span> "UTF-8"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4. 权限绕过风险分析<\/h2>
4.1 风险场景<\/h3>

路径前缀不一致<\/strong>：开发环境使用空前缀，生产环境使用非空前缀<\/li>
路径解析差异<\/strong>：权限系统与应用系统解析路径方式不同<\/li>
路径标准化差异<\/strong>：不同组件对路径标准化的处理不一致<\/li>
<\/ol>
4.2 典型漏洞模式<\/h3>


双斜杠绕过<\/strong>：<\/p>
\/app\/\/admin\/ → 可能被解析为 \/admin\/
<\/code><\/pre>
<\/li>

路径遍历绕过<\/strong>：<\/p>
\/app\/..\/admin\/ → 可能被标准化为 \/admin\/
<\/code><\/pre>
<\/li>

大小写混淆<\/strong>：<\/p>
\/App\/admin\/ 与 \/app\/admin\/ 可能被视为不同路径
<\/code><\/pre>
<\/li>

URL 编码混淆<\/strong>：<\/p>
\/app\/%61dmin\/ → 解码后为 \/app\/admin\/
<\/code><\/pre>
<\/li>
<\/ol>
5. 安全防护建议<\/h2>
5.1 统一路径获取方式<\/h3>
在整个应用中统一使用一种路径获取方式，避免混合使用不同方法。<\/p>
5.2 显式配置 Context Path<\/h3>
在 application.properties 中明确配置：<\/p>
server.servlet.context-path=\/myapp
<\/code><\/pre>
5.3 权限校验实现建议<\/h3>
\/\/ 获取标准化后的完整路径
<\/span><\/span><\/span><\/span>String requestPath =<\/span> new<\/span> UrlPathHelper().<\/span>getPathWithinApplication<\/span>(<\/span>request);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 或者使用 Spring Security 的 AntPathMatcher
<\/span><\/span><\/span><\/span>AntPathMatcher pathMatcher =<\/span> new<\/span> AntPathMatcher();<\/span>
<\/span><\/span>boolean<\/span> match =<\/span> pathMatcher.<\/span>match<\/span>(<\/span>"\/admin\/**"<\/span>,<\/span> requestPath);<\/span>
<\/span><\/span><\/code><\/pre>5.4 防御性编程<\/h3>
\/\/ 路径标准化处理
<\/span><\/span><\/span><\/span>private<\/span> String normalizePath<\/span>(<\/span>String path)<\/span> {<\/span>
<\/span><\/span>    path =<\/span> StringUtils.<\/span>trimWhitespace<\/span>(<\/span>path);<\/span>
<\/span><\/span>    path =<\/span> StringUtils.<\/span>cleanPath<\/span>(<\/span>path);<\/span> \/\/ 处理路径遍历
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>path.<\/span>startsWith<\/span>(<\/span>"\/"<\/span>))<\/span> {<\/span>
<\/span><\/span>        path =<\/span> "\/"<\/span> +<\/span> path;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> path.<\/span>toLowerCase<\/span>();<\/span> \/\/ 可选：统一小写处理
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. 测试验证方法<\/h2>

双斜杠测试<\/strong>：\/app\/\/admin\/<\/code><\/li>
路径遍历测试<\/strong>：\/app\/..\/admin\/<\/code><\/li>
大小写测试<\/strong>：\/App\/admin\/<\/code><\/li>
URL 编码测试<\/strong>：\/app\/%61dmin\/<\/code><\/li>
后缀测试<\/strong>：\/app\/admin.jsp<\/code><\/li>
空路径测试<\/strong>：\/app\/\/<\/code><\/li>
<\/ol>
7. 总结<\/h2>
正确处理 Spring Web 中的路径前缀对于应用安全至关重要，特别是在权限控制场景中。开发者应当：<\/p>

理解并统一使用一种路径获取方式<\/li>
对路径进行标准化处理<\/li>
在权限校验时考虑各种路径变形情况<\/li>
在不同环境中测试路径处理逻辑<\/li>
<\/ol>
通过规范化的路径处理和严格的权限校验，可以有效避免因路径前缀处理不当导致的权限绕过风险。<\/p>

Spring Web 中路径前缀获取方式与权限绕过风险分析<\/h1>

2. Spring Web 中获取路径前缀的方式<\/h2>

3. 路径处理中的常见问题<\/h2>

4. 权限绕过风险分析<\/h2>

5. 安全防护建议<\/h2>

5.1 统一路径获取方式<\/h3> 在整个应用中统一使用一种路径获取方式，避免混合使用不同方法。<\/p>

5.1 统一路径获取方式<\/h3>
在整个应用中统一使用一种路径获取方式，避免混合使用不同方法。<\/p>