[关闭]
@zhanjindong 2015-02-12T10:10:21.000000Z 字数 11722 阅读 3060

ossp-framework 1.0.2-SNAPSHOT

iFlytek

Javadoc http://172.16.82.32:8282/framework-doc/1.0.2-SNAPSHOT/javadoc

安全类库

调研文档 https://192.168.75.168:8888/svn/YHZ_OSSP2.2/Trunk/Project/03.Study/应用安全/应用程序安全问题调研文档_OSSP2.2.doc

POM依赖

  1. <dependency>
  2.     <groupId>com.iflytek</groupId>
  3.     <artifactId>ossp-framework-security</artifactId>
  4.     <version>1.0.2-SNAPSHOT</version>
  5. </dependency>

主要包

描述
com.iflytek.ossp.framework.security.cleaners 提供相关类用于对用户的非法输入进行过滤和清理。
com.iflytek.ossp.framework.security.codecs Base64比org.apache.commons.codec.binary.Base64.Base64要更快。
com.iflytek.ossp.framework.security.crypto 提供信息加密相关的类或接口,防止敏感信息泄露。
com.iflytek.ossp.framework.security.validation 提供相关的类用于对用户的输入进行合法性验证。
com.iflytek.ossp.framework.security.wrappers 提供一些安全相关的HttpServletRequestWrapper和HttpServletResponseWrapper的封装。
com.iflytek.ossp.framework.security.filters 提供一些用于Servlet程序的过滤器,通过在web.xml简单的配置来防御一些常见的攻击,如:XSS和CSRF.

其中最主要的是com.iflytek.ossp.framework.security.filters这个包,它包含了几个实用的Servlet过滤器:

过滤器 描述
ClickjackFilter (Click Jacking)点击劫持过滤器
CsrfRefererFilter 基于Referer的CSRF过滤器
CsrfStatelessCookieFilter 基于无状态Coooie和请求令牌的CSRF(跨站请求伪造)过滤器
EncryptUrlFilter 提供了一个对URL参数进行解密的过滤器
RequestRateThrottleFilter 用来限制客户端请求的频率
SqlInjectionFilter 简单的SQL注入过滤器
XssFilter XSS(跨站脚本攻击)过滤器

使用方法很简单,以XssFilter为例,web.xml配置如下:

  1. <filter>
  2.     <filter-name>xssFilter</filter-name>
  3.     <filter-class>com.iflytek.ossp.framework.security.filters.XssFilter</filter-class>
  4. </filter>
  5. <filter-mapping>
  6.     <filter-name>xssFilter</filter-name>
  7.     <url-pattern>/security/xss.jsp</url-pattern>
  8. </filter-mapping>

有的过滤器可能会有参数,具体请参看[Javadoc]http://172.16.82.32:8282/framework-doc/1.0.2-SNAPSHOT/javadoc

log4j和logback

  1. public class LoggerFactoryExample {
  3.     // 因为同时存在log4j和logback两个日志系统,如果使用slf4j不同的情况绑定的具体日志系统不确定,
  4.     // 所以这种情况建议直接使用log4j api
  5.     private static Logger log4jLogger = Logger.getLogger(LoggerFactoryExample.class);
  6.     // logback 只能通过slf4j facade来访问
  7.     private static org.slf4j.Logger logbackLogger = LogbackFactory.getLogger(LoggerFactoryExample.class);
  9.     public static void main(String[] args) {
  11.         log4jLogger.debug("log4j debug");
  12.         logbackLogger.debug("logback debug");
  13.     }
  14. }
  1. public class ExtendedLoggerExample {
  3.     private static ExtendedLogger logger = ExtendedLogger.getLogger(ExtendedLoggerExample.class);
  5.     private static final ExtendedLevel BIZLOG = new ExtendedLevel(70000, "BIZLOG");
  6.     private static final ExtendedLevel BIZLOG2 = new ExtendedLevel(80000, "BIZLOG2");
  8.     public static void main(String[] args) {
  10.         ExtendedLogger.register(new ExtendedLevel[] { BIZLOG, BIZLOG2 });
  12.         logger.debug("ExtendedLogger debug test!");
  13.         logger.error("ExtendedLogger error test!");
  14.         logger.log(BIZLOG, "ExtendedLogger biz log test!");
  15.         logger.log(BIZLOG2, "ExtendedLogger biz log2 test!");
  16.     }
  18. }

log4j配置文件示例:

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <!DOCTYPE log4j:configuration PUBLIC "-//log4j/log4j Configuration//EN" "log4j.dtd">
  3. <log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/"
  4.     threshold="null" debug="null">
  5.     <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
  6.         <param name="Target" value="System.out" />
  7.         <layout class="org.apache.log4j.PatternLayout">
  8.             <param name="ConversionPattern"
  9.                 value="%-d{yyyy-MM-dd HH:mm:ss.SSS}  [ %t:%r ] - [ %p ]  %m%n" />
  10.         </layout>
  11.     </appender>
  13.     <appender name="D" class="org.apache.log4j.DailyRollingFileAppender">
  14.         <param name="File" value="D:/temp/debug.log" />
  15.         <layout class="org.apache.log4j.PatternLayout">
  16.             <param name="ConversionPattern" value="%m%n" />
  17.         </layout>
  18.         <filter class="org.apache.log4j.varia.LevelRangeFilter">
  19.             <param name="LevelMin" value="debug" />
  20.             <param name="LevelMax" value="debug" />
  21.         </filter>
  22.     </appender>
  24.     <appender name="E" class="org.apache.log4j.DailyRollingFileAppender">
  25.         <param name="File" value="D:/temp/error" />
  26.         <layout class="org.apache.log4j.PatternLayout">
  27.             <param name="ConversionPattern" value="%m%n" />
  28.         </layout>
  29.         <filter class="org.apache.log4j.varia.LevelRangeFilter">
  30.             <param name="LevelMin" value="error" />
  31.             <param name="LevelMax" value="fatal" />
  32.         </filter>
  33.     </appender>
  35.     <!-- 自定义日志级别BIZLOG -->
  36.     <appender name="Ext" class="org.apache.log4j.DailyRollingFileAppender">
  37.         <param name="File" value="D:/temp/ext" />
  38.         <layout class="org.apache.log4j.PatternLayout">
  39.             <param name="ConversionPattern"
  40.                 value="%-d{yyyy-MM-dd HH:mm:ss.SSS}  [ %t:%r ] - [ %p ]  %m%n" />
  41.         </layout>
  42.         <filter class="com.iflytek.ossp.framework.common.log.ExtendedFilter">
  43.             <param name="LevelMin" value="BIZLOG" />
  44.             <param name="LevelMax" value="BIZLOG" />
  45.         </filter>
  46.     </appender>
  48.     <!-- 自定义日志级别BIZLOG2 -->
  49.     <appender name="Ext2" class="org.apache.log4j.DailyRollingFileAppender">
  50.         <param name="File" value="D:/temp/ext2" />
  51.         <layout class="org.apache.log4j.PatternLayout">
  52.             <param name="ConversionPattern"
  53.                 value="%-d{yyyy-MM-dd HH:mm:ss.SSS}  [ %t:%r ] - [ %p ]  %m%n" />
  54.         </layout>
  55.         <filter class="com.iflytek.ossp.framework.common.log.ExtendedFilter">
  56.             <param name="LevelMin" value="BIZLOG2" />
  57.             <param name="LevelMax" value="BIZLOG2" />
  58.         </filter>
  59.     </appender>
  61.     <root>
  62.         <level value="DEBUG" />
  63.         <appender-ref ref="D" />
  64.         <appender-ref ref="E" />
  65.         <appender-ref ref="Ext" />
  66.         <appender-ref ref="Ext2" />
  67.     </root>
  68. </log4j:configuration>

logback配置文件示例:

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <configuration>
  4.     <!-- 控制台输出 -->
  5.     <appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
  6.         <encoder>
  7.             <pattern>%date [%thread] %-5level %logger{80} - %msg%n</pattern>
  8.         </encoder>
  9.     </appender>
  11.     <!-- 时间滚动输出 level为 DEBUG 日志 -->
  12.     <appender name="D"
  13.         class="ch.qos.logback.core.rolling.RollingFileAppender">
  14.         <filter class="ch.qos.logback.classic.filter.LevelFilter">
  15.             <level>DEBUG</level>
  16.             <onMatch>ACCEPT</onMatch>
  17.             <onMismatch>DENY </onMismatch>
  18.         </filter>
  19.         <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
  20.             <FileNamePattern>D:/temp/debug.%d{yyyy-MM-dd}.log</FileNamePattern>
  21.             <MaxHistory>30</MaxHistory>
  22.         </rollingPolicy>
  23.         <encoder>
  24.             <pattern>%msg%n</pattern>
  25.         </encoder>
  26.     </appender>
  28.     <!-- 时间滚动输出 level为 ERROR 日志 -->
  29.     <appender name="E"
  30.         class="ch.qos.logback.core.rolling.RollingFileAppender">
  31.         <filter class="ch.qos.logback.classic.filter.LevelFilter">
  32.             <level>ERROR</level>
  33.             <onMatch>ACCEPT</onMatch>
  34.             <onMismatch>DENY </onMismatch>
  35.         </filter>
  36.         <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
  37.             <FileNamePattern>D:/temp/error.%d{yyyy-MM-dd}.log</FileNamePattern>
  38.             <MaxHistory>30</MaxHistory>
  39.         </rollingPolicy>
  40.         <encoder>
  41.             <pattern>%date [%thread] %-5level %logger{80} - %msg%n</pattern>
  42.         </encoder>
  43.     </appender>
  45.     <appender name="BIZLOG"
  46.         class="ch.qos.logback.core.rolling.RollingFileAppender">
  47.         <filter class="ch.qos.logback.classic.filter.LevelFilter">
  48.             <level>INFO</level>
  49.             <onMatch>ACCEPT</onMatch>
  50.             <onMismatch>DENY </onMismatch>
  51.         </filter>
  52.         <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
  53.             <!-- 一分钟产生一个文件 -->
  54.             <FileNamePattern>D:/temp/biz-%d{yyyyMMddHHmm}.log</FileNamePattern>
  55.             <MaxHistory>-1</MaxHistory>
  56.         </rollingPolicy>
  57.         <encoder>
  58.             <pattern>%msg%n</pattern>
  59.         </encoder>
  60.     </appender>
  62.     <!-- 使用异步appender -->
  63.     <appender name="ASYNC_BIZLOG" class="ch.qos.logback.classic.AsyncAppender">
  64.         <queueSize>500</queueSize>
  65.         <discardingThreshold>0</discardingThreshold>
  66.         <appender-ref ref="BIZLOG" />
  67.     </appender>
  69.     <!-- 用来单独记录业务日志 -->
  70.     <logger level="INFO" name="bizlog">
  71.         <appender-ref ref="ASYNC_BIZLOG" />
  72.     </logger>
  74.     <root level="DEBUG">
  75.         <appender-ref ref="D" />
  76.         <appender-ref ref="E" />
  77.     </root>
  78. </configuration>

Fastjson API 功能改进

@JSONField注解增加implict,使用 @JSONField(name = "bitem", implicit = true)代替XStream的 @XStreamImplicit(itemFieldName = "bitem"),目前仅支持对List 使用implicit的。 

  1. @JSONField(name = "key", implicit = true)
  2. @XStreamImplicit(itemFieldName = "key")
  3. public List<String> lists;

@JSONType注解增加name,支持类似XStream对类进行别名处理的功能

  1. @XStreamAlias("abc")
  2. @JSONType(name = "abc")
  3. public static class A {

详细的示例代码

  1. package com.iflytek.ossp.framework.example.common.serializable;
  3. import java.util.ArrayList;
  4. import java.util.List;
  6. import com.alibaba.fastjson.annotation.JSONField;
  7. import com.alibaba.fastjson.annotation.JSONType;
  8. import com.alibaba.fastjson.serializer.SerializerFeature;
  9. import com.iflytek.ossp.framework.common.serializable.JSONRoot;
  10. import com.iflytek.ossp.framework.common.serializable.SerializationInstance;
  11. import com.iflytek.ossp.framework.common.serializable.SerializationTools;
  12. import com.iflytek.ossp.framework.common.text.NormalizationUtils;
  13. import com.thoughtworks.xstream.annotations.XStreamAlias;
  14. import com.thoughtworks.xstream.annotations.XStreamImplicit;
  15. import com.thoughtworks.xstream.annotations.XStreamOmitField;
  17. /**
  18.  * Fastjson API使用示例。
  19.  * <p>
  20.  * {@link SerializationTools#fastFromJson(Class, String)}<br />
  21.  * {@link SerializationTools#fastToJson(Object)}<br />
  22.  * 官方版本fastjson不支持类似XStream <code>@XStreamImplicit</code>的特性,fork了官方1.1.41版本:<a
  23.  * href="https://github.com/zhanjindong/fastjson-1.1.41"
  24.  * >https://github.com/zhanjindong/fastjson-1.1.41</a><br />
  25.  * <code>@JSONField</code>注解增加implict,使用
  26.  * <code>@JSONField(name = "bitem", implicit = true)</code>代替XStream的
  27.  * <code>@XStreamImplicit(itemFieldName = "bitem")</code>,目前仅支持对{@link List}
  28.  * 使用implicit的。
  29.  * 
  30.  * @author jdzhan,2014-8-21
  31.  * 
  32.  */
  33. public class FastjsonExample {
  35.     static SerializationInstance tools = SerializationInstance.sharedInstance();
  37.     public static void main(String[] args) throws IllegalStateException, Exception {
  38.         // annotationBenchmark();
  39.         fastJsonExample();
  40.     }
  42.     public static void fastJsonExample() throws SecurityException, IllegalArgumentException, NoSuchFieldException,
  43.             IllegalAccessException {
  44.         A a = new A();
  45.         a.setStr1("str1");
  46.         a.setStr2("str2");
  48.         List<String> list = new ArrayList<String>();
  49.         list.add("item1");
  50.         list.add("item1");
  51.         a.setLists(list);
  53.         List<B> barr = new ArrayList<FastjsonExample.B>();
  54.         for (int i = 0; i < 2; i++) {
  55.             B b = new B();
  56.             b.setBstr1("b str1");
  57.             b.setBstr2("b str2");
  58.             barr.add(b);
  59.         }
  60.         a.setBarr(barr);
  62.         // fastjson
  63.         String json = tools.fastToJson(a, true);
  64.         System.out.println("fastjson result:\r\n" + json);
  66.         A newA = tools.fastFromJson(A.class, json);
  67.         System.out.println(newA);
  69.         // xstream
  70.         String xjson = tools.toJson(a);
  71.         System.out.println("xstream result:" + NormalizationUtils.normalizeJson(json));
  72.     }
  74.     @XStreamAlias("abc")
  75.     @JSONType(name = "abc")
  76.     public static class A {
  78.         /** 忽略 */
  79.         @JSONField(serialize = false)
  80.         // fastjson
  81.         @XStreamOmitField
  82.         // xstream
  83.         public String str1 = "str1";
  85.         /** 指定别名 */
  86.         @JSONField(name = "name")
  87.         // xtream
  88.         @XStreamAlias("name")
  89.         // fastjson
  90.         public String str2;
  92.         /** 未指定默认为0 */
  93.         @JSONField(serialzeFeatures = { SerializerFeature.WriteNullNumberAsZero })
  94.         // fastjson
  95.         public int ivalue;
  97.         /** 未指定默认为空字符串 */
  98.         @JSONField(serialzeFeatures = { SerializerFeature.WriteNullStringAsEmpty })
  99.         // fastjson
  100.         public String str3;
  102.         @JSONField(name = "key", implicit = true)
  103.         @XStreamImplicit(itemFieldName = "key")
  104.         public List<String> lists;
  106.         @JSONField(name = "bitem", implicit = true)
  107.         @XStreamAlias("bitems")
  108.         @XStreamImplicit(itemFieldName = "bitem")
  109.         public List<B> barr;
  111.         public String getStr1() {
  112.             return str1;
  113.         }
  115.         public void setStr1(String str1) {
  116.             this.str1 = str1;
  117.         }
  119.         public String getStr2() {
  120.             return str2;
  121.         }
  123.         public void setStr2(String str2) {
  124.             this.str2 = str2;
  125.         }
  127.         public int getIvalue() {
  128.             return ivalue;
  129.         }
  131.         public void setIvalue(int ivalue) {
  132.             this.ivalue = ivalue;
  133.         }
  135.         public String getStr3() {
  136.             return str3;
  137.         }
  139.         public void setStr3(String str3) {
  140.             this.str3 = str3;
  141.         }
  143.         public List<String> getLists() {
  144.             return lists;
  145.         }
  147.         public void setLists(List<String> lists) {
  148.             this.lists = lists;
  149.         }
  151.         public List<B> getBarr() {
  152.             return barr;
  153.         }
  155.         public void setBarr(List<B> barr) {
  156.             this.barr = barr;
  157.         }
  159.         @Override
  160.         public String toString() {
  161.             return "str1:" + str1 + ",str2:" + str2 + ",str3:" + str3 + ",ivalue" + ivalue + ",lists:" + lists
  162.                     + "B list:" + barr;
  163.         }
  165.     }
  167.     public static class B {
  168.         private String bstr1;
  169.         private String bstr2;
  171.         public String getBstr1() {
  172.             return bstr1;
  173.         }
  175.         public void setBstr1(String bstr1) {
  176.             this.bstr1 = bstr1;
  177.         }
  179.         public String getBstr2() {
  180.             return bstr2;
  181.         }
  183.         public void setBstr2(String bstr2) {
  184.             this.bstr2 = bstr2;
  185.         }
  187.         @Override
  188.         public String toString() {
  189.             return "bstr1:" + bstr1 + ",bstr2:" + bstr2;
  190.         }
  191.     }
  192. }

已知问题

1.xstream 反序列化数组的问题:

  1. 1)
  2. {
  3.   "item": "str0",
  4.   "item": "str1",
  5.   "item": "str2"
  6. }
  7. =>
  8. Test [list=[str2]]
  10. 2)
  11. {
  12.   "list": [
  13.     "str0",
  14.     "str1",
  15.     "str2"
  16.   ]
  17. }
  18. =>
  19. 抛出异常:com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter$DuplicateFieldException: Duplicate field list

2.simple-xml问题:

3.Fastjson
- 使用PrettyFormat特性时候,不支持ASM;
- 要使用JSONType的name和JSONField的implict特性,必须禁用asm;
- 子类无法“继承”父类字段的注解。

4.log4j和logback "jar hell"问题。

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注