spring mvc url匹配禁用后綴訪問操作

更新時間：2021年07月19日 08:47:12 作者：Felix Zh

這篇文章主要介紹了spring mvc url匹配禁用后綴訪問操作，具有很好的參考價值，希望對大家有所幫助。以上為個人經(jīng)驗(yàn)，希望能給大家一個參考，也希望大家多多支持腳本之家

spring mvc url匹配禁用后綴訪問

在spring mvc中默認(rèn) 訪問url 加任意后綴名都能訪問

比如：你想訪問 /login ，但是通過 /login.do /login.action /login.json 都能訪問

通常來說可能沒有影響，但對于權(quán)限控制，這就嚴(yán)重了。

權(quán)限控制通常有兩種思路：

1）弱權(quán)限控制

允許所有url通過，僅對個別重要的url做權(quán)限控制。此種方式比較簡單，不需要對所有url資源進(jìn)行配置，只配置重要的資源。

2）強(qiáng)權(quán)限控制

默認(rèn)禁止所有url請求通過，僅開放授權(quán)的資源。此種方式對所有的url資源進(jìn)行控制。在系統(tǒng)種需要整理所有的請求，或者某一目錄下所有的url資源。這種方式安全控制比較嚴(yán)格，操作麻煩，但相對安全。

如果用第二種方式，則上面spring mvc的訪問策略對安全沒有影響。

但如果用第一種安全策略，則會有很大的安全風(fēng)險。

例如：我們控制了/login 的訪問，但是我們默認(rèn)除/login的資源不受權(quán)限控制約束，那么攻擊者就可以用 /login.do /login.xxx 來訪問我們的資源。

在spring 3.1之后，url找對應(yīng)方法的處理步驟，第一步，直接調(diào)用RequestMappingHandlerMapping查找到相應(yīng)的處理方法，第二步，調(diào)用RequestMappingHandlerAdapter進(jìn)行處理

我們在RequestMappingHandlerMapping中可以看到

/**
 * Whether to use suffix pattern match for registered file extensions only
 * when matching patterns to requests.
 * <p>If enabled, a controller method mapped to "/users" also matches to
 * "/users.json" assuming ".json" is a file extension registered with the
 * provided {@link #setContentNegotiationManager(ContentNegotiationManager)
 * contentNegotiationManager}. This can be useful for allowing only specific
 * URL extensions to be used as well as in cases where a "." in the URL path
 * can lead to ambiguous interpretation of path variable content, (e.g. given
 * "/users/{user}" and incoming URLs such as "/users/john.j.joe" and
 * "/users/john.j.joe.json").
 * <p>If enabled, this flag also enables
 * {@link #setUseSuffixPatternMatch(boolean) useSuffixPatternMatch}. The
 * default value is {@code false}.
 */
public void setUseRegisteredSuffixPatternMatch(boolean useRegisteredSuffixPatternMatch) {
   this.useRegisteredSuffixPatternMatch = useRegisteredSuffixPatternMatch;
   this.useSuffixPatternMatch = (useRegisteredSuffixPatternMatch || this.useSuffixPatternMatch);
}

那么如何來配置呢？

  <mvc:annotation-driven>
    <mvc:path-matching suffix-pattern="false" />
  </mvc:annotation-driven>

在匹配模式時是否使用后綴模式匹配，默認(rèn)值為true。這樣你想訪問 /login ，通過 /login.* 就不能訪問了。

spring mvc 之請求url 帶后綴的情況

RequestMappingInfoHandlerMapping 在處理http請求的時候，如果請求url 有后綴，如果找不到精確匹配的那個@RequestMapping方法。

那么，就把后綴去掉，然后.* 去匹配，這樣，一般都可以匹配。比如有一個@RequestMapping("/rest"), 那么精確匹配的情況下，只會匹配/rest請求。

但如果我前端發(fā)來一個 /rest.abcdef 這樣的請求，又沒有配置 @RequestMapping("/rest.abcdef") 這樣映射的情況下，那么@RequestMapping("/rest") 就會生效。

原理呢？處理鏈?zhǔn)沁@樣的：

at org.springframework.web.servlet.mvc.condition.PatternsRequestCondition.getMatchingPattern(PatternsRequestCondition.java:254)
at org.springframework.web.servlet.mvc.condition.PatternsRequestCondition.getMatchingPatterns(PatternsRequestCondition.java:230)
at org.springframework.web.servlet.mvc.condition.PatternsRequestCondition.getMatchingCondition(PatternsRequestCondition.java:210)
at org.springframework.web.servlet.mvc.method.RequestMappingInfo.getMatchingCondition(RequestMappingInfo.java:214)
at org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.getMatchingMapping(RequestMappingInfoHandlerMapping.java:79)
at org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.getMatchingMapping(RequestMappingInfoHandlerMapping.java:56)
at org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.addMatchingMappings(AbstractHandlerMethodMapping.java:358)
at org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.lookupHandlerMethod(AbstractHandlerMethodMapping.java:328)
at org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.getHandlerInternal(AbstractHandlerMethodMapping.java:299)
at org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.getHandlerInternal(AbstractHandlerMethodMapping.java:57)
at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:299)
at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:1104)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:916)

關(guān)鍵是PatternsRequestCondition，具體來說是這個方法：

AbstractHandlerMethodMapping 的getHandlerInternal：
    protected HandlerMethod getHandlerInternal(HttpServletRequest request) throws Exception {
        String lookupPath = this.getUrlPathHelper().getLookupPathForRequest(request);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Looking up handler method for path " + lookupPath);
        }
        HandlerMethod handlerMethod = this.lookupHandlerMethod(lookupPath, request);// 這里是關(guān)鍵，它去尋找，找到了就找到了，找不到就不會再去尋找了
        if (this.logger.isDebugEnabled()) {
            if (handlerMethod != null) {
                this.logger.debug("Returning handler method [" + handlerMethod + "]");
            } else {
                this.logger.debug("Did not find handler method for [" + lookupPath + "]");
            }
        }
        return handlerMethod != null ? handlerMethod.createWithResolvedBean() : null;
    }
    
    
    protected HandlerMethod lookupHandlerMethod(String lookupPath, HttpServletRequest request) throws Exception {
        List<AbstractHandlerMethodMapping<T>.Match> matches = new ArrayList();
        List<T> directPathMatches = (List)this.urlMap.get(lookupPath); // directPathMatches， 直接匹配， 也可以說是 精確匹配
        if (directPathMatches != null) {
            this.addMatchingMappings(directPathMatches, matches, request);// 如果能夠精確匹配， 就會進(jìn)來這里
        }
        if (matches.isEmpty()) {
            this.addMatchingMappings(this.handlerMethods.keySet(), matches, request);// 如果無法精確匹配， 就會進(jìn)來這里
        }
        if (!matches.isEmpty()) {
            Comparator<AbstractHandlerMethodMapping<T>.Match> comparator = new AbstractHandlerMethodMapping.MatchComparator(this.getMappingComparator(request));
            Collections.sort(matches, comparator);
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Found " + matches.size() + " matching mapping(s) for [" + lookupPath + "] : " + matches);
            }
            AbstractHandlerMethodMapping<T>.Match bestMatch = (AbstractHandlerMethodMapping.Match)matches.get(0);
            if (matches.size() > 1) {
                AbstractHandlerMethodMapping<T>.Match secondBestMatch = (AbstractHandlerMethodMapping.Match)matches.get(1);
                if (comparator.compare(bestMatch, secondBestMatch) == 0) {
                    Method m1 = bestMatch.handlerMethod.getMethod();
                    Method m2 = secondBestMatch.handlerMethod.getMethod();
                    throw new IllegalStateException("Ambiguous handler methods mapped for HTTP path '" + request.getRequestURL() + "': {" + m1 + ", " + m2 + "}");
                }
            }
            this.handleMatch(bestMatch.mapping, lookupPath, request);
            return bestMatch.handlerMethod;
        } else {
            return this.handleNoMatch(this.handlerMethods.keySet(), lookupPath, request);
        }
    }
    
    public List<String> getMatchingPatterns(String lookupPath) {
        List<String> matches = new ArrayList();
        Iterator var3 = this.patterns.iterator();
        while(var3.hasNext()) {
            String pattern = (String)var3.next(); // pattern 是 @RequestMapping 提供的映射
            String match = this.getMatchingPattern(pattern, lookupPath); //  lookupPath + .*  后能夠匹配pattern， 那么就不為空
            if (match != null) {
                matches.add(match);// 對于有后綴的情況， .* 后
            }
        }
        Collections.sort(matches, this.pathMatcher.getPatternComparator(lookupPath));
        return matches;
    }
    最關(guān)鍵是這里 getMatchingPatterns ：
    private String getMatchingPattern(String pattern, String lookupPath) {
        if (pattern.equals(lookupPath)) {
            return pattern;
        } else {
            if (this.useSuffixPatternMatch) {
                if (!this.fileExtensions.isEmpty() && lookupPath.indexOf(46) != -1) {
                    Iterator var5 = this.fileExtensions.iterator();
                    while(var5.hasNext()) {
                        String extension = (String)var5.next();
                        if (this.pathMatcher.match(pattern + extension, lookupPath)) {
                            return pattern + extension;
                        }
                    }
                } else {
                    boolean hasSuffix = pattern.indexOf(46) != -1;
                    if (!hasSuffix && this.pathMatcher.match(pattern + ".*", lookupPath)) {
                        return pattern + ".*"; // 關(guān)鍵是這里
                    }
                }
            }
            if (this.pathMatcher.match(pattern, lookupPath)) {
                return pattern;
            } else {
                return this.useTrailingSlashMatch && !pattern.endsWith("/") && this.pathMatcher.match(pattern + "/", lookupPath) ? pattern + "/" : null;
            }
        }
    }

而對于AbstractUrlHandlerMapping ，匹配不上就是匹配不上，不會進(jìn)行 +.* 后在匹配。

關(guān)鍵方法是這個：

protected Object lookupHandler(String urlPath, HttpServletRequest request) throws Exception {
        Object handler = this.handlerMap.get(urlPath);
        if (handler != null) {
            if (handler instanceof String) {
                String handlerName = (String)handler;
                handler = this.getApplicationContext().getBean(handlerName);
            }
            this.validateHandler(handler, request);
            return this.buildPathExposingHandler(handler, urlPath, urlPath, (Map)null);
        } else {
            List<String> matchingPatterns = new ArrayList();
            Iterator var5 = this.handlerMap.keySet().iterator();
            while(var5.hasNext()) {
                String registeredPattern = (String)var5.next();
                if (this.getPathMatcher().match(registeredPattern, urlPath)) {
                    matchingPatterns.add(registeredPattern);
                }
            }
            String bestPatternMatch = null;
            Comparator<String> patternComparator = this.getPathMatcher().getPatternComparator(urlPath);
            if (!matchingPatterns.isEmpty()) {
                Collections.sort(matchingPatterns, patternComparator);
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("Matching patterns for request [" + urlPath + "] are " + matchingPatterns);
                }
                bestPatternMatch = (String)matchingPatterns.get(0);
            }
            if (bestPatternMatch != null) {
                handler = this.handlerMap.get(bestPatternMatch);
                String pathWithinMapping;
                if (handler instanceof String) {
                    pathWithinMapping = (String)handler;
                    handler = this.getApplicationContext().getBean(pathWithinMapping);
                }
                this.validateHandler(handler, request);
                pathWithinMapping = this.getPathMatcher().extractPathWithinPattern(bestPatternMatch, urlPath);
                Map<String, String> uriTemplateVariables = new LinkedHashMap();
                Iterator var9 = matchingPatterns.iterator();
                while(var9.hasNext()) {
                    String matchingPattern = (String)var9.next();
                    if (patternComparator.compare(bestPatternMatch, matchingPattern) == 0) {
                        Map<String, String> vars = this.getPathMatcher().extractUriTemplateVariables(matchingPattern, urlPath);
                        Map<String, String> decodedVars = this.getUrlPathHelper().decodePathVariables(request, vars);
                        uriTemplateVariables.putAll(decodedVars);
                    }
                }
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("URI Template variables for request [" + urlPath + "] are " + uriTemplateVariables);
                }
                return this.buildPathExposingHandler(handler, bestPatternMatch, pathWithinMapping, uriTemplateVariables);
            } else {
                return null;
            }
        }
    }

當(dāng)然，或許我們可以設(shè)置自定義的PathMatcher ，從而到達(dá)目的。默認(rèn)的是AntPathMatcher 。

以上為個人經(jīng)驗(yàn)，希望能給大家一個參考，也希望大家多多支持腳本之家。

您可能感興趣的文章: