Hardening a RuoYi project gives newcomers two headaches: the security plugins are not integrated, and once they are, the configuration is full of pitfalls. This post is the one-stop answer: integration of the common security plugins (configuration you can copy as-is) plus the 10 most frequent configuration mistakes, with no guesswork required.
1. Background and problem statement
Many junior and mid-level Java developers either do not know which security plugins to integrate when hardening a RuoYi project, or integrate them and then misconfigure them; others follow a hardening checklist and still step on many hidden pitfalls.
Incomplete plugin integration or a pitfall in the configuration turns the hardening into a formality: the project goes live with the attack surface still open. This post covers the two core needs, plugin integration as copy-ready configuration and the pitfalls with their correct settings, so that a newcomer can handle both without trouble.
2. Core principles
1. What a security plugin is for: it supplements the framework's built-in security capabilities and covers high-frequency requirements such as SQL injection, XSS, interface encryption and brute-force protection. Once integrated and configured it takes effect without writing anything from scratch.
2. Core principle of integration and configuration: "pick the right plugins and configure them correctly". The configuration does not need to be complex, it needs to be precise and free of pitfalls; the emphasis is on "deployable and not redundant".
3. Root causes of newcomers' pitfalls: the wrong plugin is integrated or a dependency is missing; a detail of the configuration is ignored (for example the key, the environment or the interception scope); or development and production configuration are mixed up. The result is a plugin that silently does nothing or a project that fails to start.
3. Key code (plugin integration + configuration pitfalls, copy-ready)
This part is in two halves: integration of the commonly used security plugins (copy and it takes effect immediately), and the 10 high-frequency configuration pitfalls (wrong setting + correct setting). Everything targets the standard RuoYi edition, carries clear comments and needs no further changes by a newcomer.
## Part I: RuoYi common security plugin integration guide (copy the configuration as-is)
Four plugins cover the core security requirements and take effect without any complex development.
### 1. Core dependencies (pom.xml, add inside the dependencies node)
- ruoyi-xs (XSS filter plugin)
- cn.hutool:hutool-crypto:5.8.20 (RSA encryption)
- knife4j-spring-boot-starter:4.1.0
- springfox-swagger2
- ruoyi-log (operation log audit)
### 2. Plugin core configuration (application-prod.yml, copy to take effect)
```yaml
# 1. XSS filter plugin (global)
xss:
  enabled: true
  # excluded endpoints (paths that legitimately accept HTML, add only as required)
  excludeUrls:

# 2. RSA encryption plugin (password transmitted encrypted)
security:
  rsa:
    enabled: true
    public-key: ${RSA_PUBLIC_KEY}    # public key, 2048 bits or longer
    private-key: ${RSA_PRIVATE_KEY}  # the matching private key
    expire: 300                      # key expiry, 5 minutes

# 3. Interface rate-limit plugin (brute-force protection, focused on the login endpoint)
# key names below follow the plugin's property names; check the ones your plugin version defines
rate-limit:
  enabled: true
  count: 5           # at most 5 requests per minute
  timeout: 60        # window length (seconds)
  # rate-limited endpoints (protect login first)
  urls: /login

# 4. Log audit plugin (operation log retention)
ruoyi:
  oper-log:
    enabled: true
    store-days: 180  # keep for 6 months
    # operation types to log (key name as defined by ruoyi-log)
    types: insert,update,delete,export,import
```
### 3. Enable the plugins (copy into the corresponding configuration class, no changes needed)
```java
// 1. Enable the XSS filter plugin (FilterConfig.java)
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

@Configuration
public class FilterConfig {

    @Bean
    public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
        // XssFilter is provided by the ruoyi-xs module
        FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new XssFilter());
        registration.addUrlPatterns("/*");                    // intercept every request
        registration.setName("xssFilter");
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);   // run before all other filters
        return registration;
    }
}
```
```java
// 2. Enable the rate-limit plugin (RateLimiterConfig.java, new class)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class RateLimiterConfig {

    @Bean
    public RateLimiterInterceptor rateLimiterInterceptor() {
        return new RateLimiterInterceptor();
    }

    @Bean
    public WebMvcConfigurer rateLimiterWebMvcConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addInterceptors(InterceptorRegistry registry) {
                registry.addInterceptor(rateLimiterInterceptor())
                        .addPathPatterns("/login");   // the rate-limited endpoint
            }
        };
    }
}
```
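The configuration class above registers a `RateLimiterInterceptor`, but the page does not show what the interceptor does. The class below is an added example, not RuoYi's or the plugin's own code: a fixed-window limiter keyed by client IP and request path, with the same 5-requests-per-60-seconds default as the configuration, answering HTTP 429 once the window is exhausted. It assumes Spring Boot 2 with `javax.servlet`; the package and class names are hypothetical.

```java
package com.example.security; // hypothetical package, added example (not RuoYi code)

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Fixed-window rate limiter keyed by client IP + request path.
 * Defaults mirror the YAML above: count 5, timeout 60 seconds.
 * Counters live in this JVM only; a clustered deployment needs a shared store.
 */
public class RateLimiterInterceptor implements HandlerInterceptor {

    private final int maxRequests;
    private final long windowMillis;
    private final boolean trustForwardedHeader;
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public RateLimiterInterceptor() {
        this(5, 60, false);
    }

    /**
     * @param trustForwardedHeader set true only behind a reverse proxy that overwrites
     *        X-Forwarded-For; otherwise a client can forge the header and dodge the limit
     */
    public RateLimiterInterceptor(int maxRequests, int windowSeconds, boolean trustForwardedHeader) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowSeconds * 1000L;
        this.trustForwardedHeader = trustForwardedHeader;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String key = clientIp(request) + "|" + request.getRequestURI();
        if (tryAcquire(key, System.currentTimeMillis())) {
            return true;
        }
        response.setStatus(429);
        response.setHeader("Retry-After", String.valueOf(windowMillis / 1000));
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write("{\"code\":429,\"msg\":\"Too many requests, please retry later\"}");
        return false;
    }

    /** Counts one request against the key's current window; false once the limit is exceeded. */
    boolean tryAcquire(String key, long now) {
        // compute() is atomic per key, so the increment inside the lambda is race-free
        Window w = windows.compute(key, (k, existing) -> {
            Window current = (existing == null || now - existing.start >= windowMillis)
                    ? new Window(now)   // first hit or expired window: start a fresh one
                    : existing;
            current.count++;
            return current;
        });
        return w.count <= maxRequests;
    }

    private String clientIp(HttpServletRequest request) {
        if (trustForwardedHeader) {
            String xff = request.getHeader("X-Forwarded-For");
            if (xff != null && !xff.isEmpty()) {
                return xff.split(",")[0].trim();   // left-most entry is the original client
            }
        }
        return request.getRemoteAddr();
    }

    private static final class Window {
        final long start;
        int count;

        Window(long start) {
            this.start = start;
        }
    }
}
```

Expired windows are only replaced on their next hit, so for high-cardinality traffic add periodic eviction or move the counters to Redis. Keying on IP alone also throttles every user behind one NAT; adding the submitted username to the key gives per-account protection against password spraying.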
## Part II: RuoYi security configuration, 10 high-frequency pitfalls (wrong + correct configuration)
Once the plugins are integrated, the configuration pitfalls are where newcomers get hurt. Each of the 10 pitfalls below comes with its wrong setting and its correct replacement; copy the correct one over.
### Pitfall 1: plugin integrated but never enabled, which equals not integrating it
```yaml
# wrong (dependency added, plugin never switched on)
security:
  rsa:
    enabled: false

# correct (production must have every plugin switched on)
security:
  rsa:
    enabled: true
```
### Pitfall 2: default JWT secret, trivially guessable (the plugin depends on the secret, change it)
HMAC-signed tokens need at least 32 bytes (256 bits) of random key material; a short or dictionary-word secret can be brute-forced offline from a single captured token.
```yaml
# wrong (default secret, highly vulnerable)
token:
  secret: abcdefghijklnopqrstuvwxyz

# correct (random secret of at least 32 characters, injected from an environment variable)
token:
  secret: ${JWT_SECRET}
  expire: 7200   # shorten to 2 hours in production
```
### Pitfall 3: database password hard-coded, not externalised
```yaml
# wrong
spring:
  datasource:
    druid:
      master:
        username: root
        password: 123456

# correct (read from environment variables, no hard-coded credentials)
spring:
  datasource:
    druid:
      master:
        username: ${DB_USERNAME}
        password: ${DB_PASSWORD}
```
### Pitfall 4: Redis without a password, reachable from the public network
```yaml
# wrong (no password, reachable from the public network)
spring:
  redis:
    host: xx.xx.xx.xx    # public IP
    password: ""

# correct (strong password, intranet access only)
spring:
  redis:
    host: 127.0.0.1      # intranet IP
    password: ${REDIS_PASSWORD}
```
### Pitfall 5: Druid monitor with the default account and no IP restriction
An empty `allow` does not mean "nobody": Druid's StatViewServlet admits every source address when the allow list is empty, so the default account is exposed to anyone who can reach the port.
```yaml
# wrong (default account ruoyi / 123456, no IP restriction)
spring:
  datasource:
    druid:
      stat-view-servlet:
        enabled: true
        login-username: ruoyi
        login-password: 123456
        allow: ""

# correct (changed credentials, intranet IPs only)
spring:
  datasource:
    druid:
      stat-view-servlet:
        enabled: true
        login-username: ${DRUID_USERNAME}
        login-password: ${DRUID_PASSWORD}
        allow: 127.0.0.1,172.xx.xx.0/24
```
### Pitfall 6: XSS filter misconfigured, not every endpoint is intercepted
```yaml
# wrong (everything excluded, or far too much)
xss:
  enabled: true
  excludeUrls: /*   # wrong: excludes every endpoint, the filter is effectively off

# correct (exclude only the endpoints that genuinely need to accept HTML)
xss:
  enabled: true
  excludeUrls: /your/rich-text/endpoint   # placeholder, replace with the real path
```
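To see why the exclusion list decides whether the filter does anything at all, here is an added example of a minimal XSS filter with an `excludeUrls` list; it is not the ruoyi-xs module's own implementation. It HTML-escapes request parameters unless the servlet path matches an excluded Ant-style pattern. With `/**` everything is excluded, and with `/*` every single-segment path such as `/login`, so an over-broad exclusion switches the filter off for exactly the endpoints that matter. Spring Boot 2 with `javax.servlet` is assumed; package and class names are hypothetical.

```java
package com.example.security; // hypothetical package, added example (not the ruoyi-xs code)

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.HtmlUtils;

/** Escapes HTML in request parameters for every path that is not on the exclusion list. */
public class XssFilter implements Filter {

    private final List<String> excludeUrls = new ArrayList<>();
    private final AntPathMatcher matcher = new AntPathMatcher();

    /** @param excludeUrls comma-separated Ant patterns, i.e. the value of xss.excludeUrls */
    public XssFilter(String excludeUrls) {
        if (excludeUrls != null) {
            for (String pattern : excludeUrls.split(",")) {
                if (!pattern.trim().isEmpty()) {
                    this.excludeUrls.add(pattern.trim());
                }
            }
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isExcluded(req.getServletPath())) {
            chain.doFilter(request, response);   // excluded: parameters pass through untouched
            return;
        }
        chain.doFilter(new EscapingRequest(req), response);
    }

    /** True when any configured pattern matches; "/**" matches everything, "/*" any one-segment path. */
    boolean isExcluded(String path) {
        for (String pattern : excludeUrls) {
            if (matcher.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    static String escape(String value) {
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    /** Wrapper that escapes every parameter the controller layer reads. */
    private static final class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            return escape(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) {
                return null;
            }
            String[] escaped = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                escaped[i] = escape(values[i]);
            }
            return escaped;
        }
    }
}
```

Wire it with `new XssFilter(excludeUrls)` where `excludeUrls` is injected via `@Value("${xss.excludeUrls:}")`. This wrapper covers query and form parameters only; JSON bodies arrive through `getInputStream()` and need the same treatment, which the full plugin provides. Output encoding in templates remains the primary XSS defence; escaping on input is defence in depth.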
### Pitfall 7: SQL injection unguarded, `${}` string concatenation in the mapper
```xml
<!-- wrong (mapper.xml uses ${}, the value is spliced into the SQL text and can be injected) -->
AND user_name = '${username}'

<!-- correct (precompiled #{} placeholder, the value is bound as a parameter and cannot alter the statement) -->
AND user_name = #{username}
```
### Pitfall 8: file upload with no type or size limit, easy to drop a webshell
```yaml
# wrong (no limits, dangerous files can be uploaded)
ruoyi:
  file:
    allow-types: "*"
    # no max-size set, so no size limit either

# correct (limit type and size, store outside the web directory)
ruoyi:
  profile: /data/ruoyi/upload   # upload root, outside the web directory
  file:
    allow-types: jpg,png,gif,bmp,jpeg,doc,xls,xlsx,ppt,txt,pdf
    max-size: 10                # 10 MB (key name as defined by the upload plugin)
```
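The `allow-types` and `max-size` settings above are only as good as the code that enforces them, in particular how the extension is taken from the client-supplied filename. Below is an added example, not RuoYi's own upload service, of a server-side check that applies the same whitelist and 10 MB limit, strips any directory part from the filename, compares the last extension case-insensitively, verifies image magic bytes, and stores the file under a random name beneath the upload root (`ruoyi.profile`) outside the web directory. Class and package names are hypothetical.

```java
package com.example.security; // hypothetical package, added example (not RuoYi code)

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Validates and stores an upload according to the allow-types / max-size policy above. */
public final class UploadGuard {

    private static final Set<String> ALLOW_TYPES = new HashSet<>(Arrays.asList(
            "jpg", "png", "gif", "bmp", "jpeg", "doc", "xls", "xlsx", "ppt", "txt", "pdf"));
    private static final Set<String> IMAGE_TYPES = new HashSet<>(Arrays.asList(
            "jpg", "jpeg", "png", "gif", "bmp"));
    private static final long MAX_SIZE = 10L * 1024 * 1024; // 10 MB, matches max-size above

    private final Path baseDir; // ruoyi.profile, must be outside the web root

    public UploadGuard(String baseDir) {
        this.baseDir = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /** Returns the stored path, or throws if the upload violates the policy. */
    public Path store(String originalName, byte[] content) throws IOException {
        if (content.length > MAX_SIZE) {
            throw new IllegalArgumentException("file exceeds 10 MB");
        }
        String ext = extension(originalName);
        if (!ALLOW_TYPES.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + ext);
        }
        if (IMAGE_TYPES.contains(ext) && !looksLikeImage(content)) {
            throw new IllegalArgumentException("content does not match the declared image type");
        }
        // Never reuse the client's name: random name + whitelisted extension
        String storedName = UUID.randomUUID().toString().replace("-", "") + "." + ext;
        Path target = baseDir.resolve(storedName).normalize();
        if (!target.startsWith(baseDir)) {            // belt and braces against path escape
            throw new IllegalStateException("resolved path left the upload root");
        }
        Files.createDirectories(baseDir);
        Files.write(target, content);
        return target;
    }

    /** Last extension of the bare filename, lower-cased; rejects names with NUL bytes or no extension. */
    static String extension(String name) {
        if (name == null) {
            throw new IllegalArgumentException("missing file name");
        }
        String base = name.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);   // drop any directory part (../, C:\...)
        if (base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("file has no extension");
        }
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Magic-byte check: a renamed .jsp that only claims to be an image fails here. */
    static boolean looksLikeImage(byte[] b) {
        if (b.length < 4) {
            return false;
        }
        if ((b[0] & 0xFF) == 0xFF && (b[1] & 0xFF) == 0xD8) {
            return true;                                                    // JPEG
        }
        if ((b[0] & 0xFF) == 0x89 && b[1] == 'P' && b[2] == 'N' && b[3] == 'G') {
            return true;                                                    // PNG
        }
        if (b[0] == 'G' && b[1] == 'I' && b[2] == 'F') {
            return true;                                                    // GIF
        }
        return b[0] == 'B' && b[1] == 'M';                                  // BMP
    }
}
```

A polyglot file (a valid GIF with JSP appended) still passes the magic-byte check, which is why the storage directory must sit outside the web root and be served as static bytes only, never handed to the servlet container for execution; the random filename additionally stops the attacker from predicting the URL of what they uploaded.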
### Pitfall 9: login has no brute-force protection, rate-limit plugin integrated for nothing
```yaml
# wrong (rate-limit plugin on, but the login endpoint is not in its list)
rate-limit:
  enabled: true
  urls: /test        # wrong: the login endpoint is not intercepted

# correct (intercept the login endpoint first)
rate-limit:
  enabled: true
  urls: /login
  count: 5           # at most 5 requests per minute
```
### Pitfall 10: never switched to the production profile, so the plugin configuration is not applied
```yaml
# wrong (dev profile, application-prod.yml and its plugin settings are never loaded)
spring:
  profiles:
    active: dev

# correct (force the prod profile so application-prod.yml takes effect)
spring:
  profiles:
    active: prod
```
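Most of the 10 pitfalls can be detected at startup, before the application serves its first request. The class below is an added example, not part of RuoYi: a fail-fast guard that reads the resolved properties and refuses to start under the `prod` profile when it finds pitfall 1, 2, 3, 4, 5 or 6, and only logs the findings under any other profile so local development is not blocked. The property keys are the ones used in the YAML above; the rate-limit keys, whose names were an assumption, are deliberately not checked. Package and class names are hypothetical.

```java
package com.example.security; // hypothetical package, added example (not RuoYi code)

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Function;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

/** Fails the startup under the prod profile when a known configuration pitfall is present. */
@Component
public class ProdConfigGuard implements InitializingBean {

    private static final Logger log = LoggerFactory.getLogger(ProdConfigGuard.class);
    // the weak/default credentials that appear in the pitfalls above
    private static final List<String> WEAK = Arrays.asList("", "123456", "root", "admin", "password", "ruoyi");
    private static final String DEFAULT_JWT_SECRET = "abcdefghijklnopqrstuvwxyz";

    private final Environment env;

    public ProdConfigGuard(Environment env) {
        this.env = env;
    }

    @Override
    public void afterPropertiesSet() {
        boolean prod = Arrays.asList(env.getActiveProfiles()).contains("prod");
        List<String> findings = audit(env::getProperty);
        if (findings.isEmpty()) {
            return;
        }
        if (prod) {
            throw new IllegalStateException("Refusing to start, insecure configuration:\n - "
                    + String.join("\n - ", findings));
        }
        // pitfall 10: not running as prod. Warn loudly instead of blocking local development.
        log.warn("Profile is not prod; {} security finding(s) would block a production start: {}",
                findings.size(), findings);
    }

    /** Pure function over resolved properties, so it can be unit-tested without a Spring context. */
    static List<String> audit(Function<String, String> prop) {
        List<String> f = new ArrayList<>();

        if (!"true".equalsIgnoreCase(prop.apply("security.rsa.enabled"))) {
            f.add("pitfall 1: security.rsa.enabled is not true");
        }
        String jwt = prop.apply("token.secret");
        if (jwt == null || jwt.length() < 32 || DEFAULT_JWT_SECRET.equals(jwt)) {
            f.add("pitfall 2: token.secret is missing, the default, or shorter than 32 characters");
        }
        if (isWeak(prop.apply("spring.datasource.druid.master.password"))) {
            f.add("pitfall 3: database password is empty or a well-known default");
        }
        if (isWeak(prop.apply("spring.redis.password"))) {
            f.add("pitfall 4: spring.redis.password is empty or a well-known default");
        }
        if ("true".equalsIgnoreCase(prop.apply("spring.datasource.druid.stat-view-servlet.enabled"))) {
            String allow = prop.apply("spring.datasource.druid.stat-view-servlet.allow");
            if (allow == null || allow.trim().isEmpty()) {
                f.add("pitfall 5: Druid stat-view-servlet.allow is empty, which admits every IP");
            }
            if (isWeak(prop.apply("spring.datasource.druid.stat-view-servlet.login-password"))) {
                f.add("pitfall 5: Druid monitor uses an empty or default password");
            }
        }
        if (!"true".equalsIgnoreCase(prop.apply("xss.enabled"))) {
            f.add("pitfall 6: xss.enabled is not true");
        } else {
            String excludes = prop.apply("xss.excludeUrls");
            boolean excludesAll = excludes != null && Arrays.stream(excludes.split(","))
                    .map(String::trim)
                    .anyMatch(p -> p.equals("/*") || p.equals("/**"));
            if (excludesAll) {
                f.add("pitfall 6: xss.excludeUrls excludes every endpoint");
            }
        }
        return f;
    }

    private static boolean isWeak(String value) {
        return value == null || WEAK.contains(value.trim());
    }
}
```

Because the checks run on resolved values, a `${DB_PASSWORD}` placeholder whose environment variable is missing at deploy time shows up as a finding too, which is the case a hard-coded-versus-externalised review cannot catch by reading the YAML alone.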
The plugin integration configuration above can be copied as-is, and the 10 pitfalls cover the core scenarios; copying the correct settings completes the hardening without guesswork and avoids both silent plugin failure and configuration pitfalls.
4. Common mistakes and questions (do not step on the same mine twice)
Mistake 1: believing "integrating the plugin is enough, the configuration can stay as it is". The plugin is only a tool; the configuration is what makes it work. A rate-limit plugin with no intercepted endpoint configured, or an RSA plugin that is never enabled, amounts to not integrating it at all.
Mistake 2: dependency conflicts from blindly adding dependencies. Some RuoYi editions already ship the XSS and log plugins; check pom.xml before adding them again, otherwise the duplicate dependency makes the project fail to start.
5. One-line summary
RuoYi hardening: copy the plugin integration configuration, avoid the 10 pitfalls, enable the plugins, change the keys, restrict access, and go live with zero pitfalls.