How Spring Boot prevents malicious interface refreshes and brute force requests-javaTutorial-php.cn

Home

Java

javaTutorial

How Spring Boot prevents malicious interface refreshes and brute force requests

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 12, 2023 pm 10:19 PM

springboot

First create a custom interceptor class, which is also the core code;

/**
 * @package: com.technicalinterest.group.interceptor
 * @className: IpUrlLimitInterceptor
 * @description: ip+url重复请求现在拦截器
 * @author: Shuyu.Wang
 * @date: 2019-10-12 12:34
 * @since: 0.1
 **/
@Slf4j
public class IpUrlLimitInterceptor implements HandlerInterceptor {
 
 
    private RedisUtil getRedisUtil() {
        return  SpringContextUtil.getBean(RedisUtil.class);
    }
 
    private static final String LOCK_IP_URL_KEY="lock_ip_";
 
    private static final String IP_URL_REQ_TIME="ip_url_times_";
 
    private static final long LIMIT_TIMES=5;
 
    private static final int IP_LOCK_TIME=60;
 
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        log.info("request请求地址uri={},ip={}", httpServletRequest.getRequestURI(), IpAdrressUtil.getIpAdrress(httpServletRequest));
        if (ipIsLock(IpAdrressUtil.getIpAdrress(httpServletRequest))){
            log.info("ip访问被禁止={}",IpAdrressUtil.getIpAdrress(httpServletRequest));
            ApiResult result = new ApiResult(ResultEnum.LOCK_IP);
            returnJson(httpServletResponse, JSON.toJSONString(result));
            return false;
        }
        if(!addRequestTime(IpAdrressUtil.getIpAdrress(httpServletRequest),httpServletRequest.getRequestURI())){
            ApiResult result = new ApiResult(ResultEnum.LOCK_IP);
            returnJson(httpServletResponse, JSON.toJSONString(result));
            return false;
        }
        return true;
    }
 
    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
 
    }
 
    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
 
    }
 
    /**
     * @Description: 判断ip是否被禁用
     * @author: shuyu.wang
     * @date: 2019-10-12 13:08
     * @param ip
     * @return java.lang.Boolean
     */
    private Boolean ipIsLock(String ip){
        RedisUtil redisUtil=getRedisUtil();
        if(redisUtil.hasKey(LOCK_IP_URL_KEY+ip)){
            return true;
        }
        return false;
    }
    /**
     * @Description: 记录请求次数
     * @author: shuyu.wang
     * @date: 2019-10-12 17:18
     * @param ip
     * @param uri
     * @return java.lang.Boolean
     */
    private Boolean addRequestTime(String ip,String uri){
        String key=IP_URL_REQ_TIME+ip+uri;
        RedisUtil redisUtil=getRedisUtil();
        if (redisUtil.hasKey(key)){
            long time=redisUtil.incr(key,(long)1);
            if (time>=LIMIT_TIMES){
                redisUtil.getLock(LOCK_IP_URL_KEY+ip,ip,IP_LOCK_TIME);
                return false;
            }
        }else {
            redisUtil.getLock(key,(long)1,1);
        }
        return true;
    }
 
    private void returnJson(HttpServletResponse response, String json) throws Exception {
        PrintWriter writer = null;
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/json; charset=utf-8");
        try {
            writer = response.getWriter();
            writer.print(json);
        } catch (IOException e) {
            log.error("LoginInterceptor response error ---> {}", e.getMessage(), e);
        } finally {
            if (writer != null) {
                writer.close();
            }
        }
    }
 
 
}

The code uses redis in the form of distributed locks, which can ensure thread safety and functional realization to the greatest extent Effect. What is set in the code is that if the same interface is accessed through the same IP 5 times within 1S, the IP will be disabled for 1 hour. You can modify it appropriately according to your project needs to achieve the functions you want;

redis Key code of distributed lock:

/**
 * @package: com.shuyu.blog.util
 * @className: RedisUtil
 * @description:
 * @author: Shuyu.Wang
 * @date: 2019-07-14 14:42
 * @since: 0.1
 **/
@Component
@Slf4j
public class RedisUtil {
 
    private static final Long SUCCESS = 1L;
 
    @Autowired
    private RedisTemplate<String, Object> redisTemplate;
    // =============================common============================
 
    
 
    /**
     * 获取锁
     * @param lockKey
     * @param value
     * @param expireTime：单位-秒
     * @return
     */
    public boolean getLock(String lockKey, Object value, int expireTime) {
        try {
            log.info("添加分布式锁key={},expireTime={}",lockKey,expireTime);
            String script = "if redis.call(&#39;setNx&#39;,KEYS[1],ARGV[1]) then if redis.call(&#39;get&#39;,KEYS[1])==ARGV[1] then return redis.call(&#39;expire&#39;,KEYS[1],ARGV[2]) else return 0 end end";
            RedisScript<String> redisScript = new DefaultRedisScript<>(script, String.class);
            Object result = redisTemplate.execute(redisScript, Collections.singletonList(lockKey), value, expireTime);
            if (SUCCESS.equals(result)) {
                return true;
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return false;
    }
 
    /**
     * 释放锁
     * @param lockKey
     * @param value
     * @return
     */
    public boolean releaseLock(String lockKey, String value) {
        String script = "if redis.call(&#39;get&#39;, KEYS[1]) == ARGV[1] then return redis.call(&#39;del&#39;, KEYS[1]) else return 0 end";
        RedisScript<String> redisScript = new DefaultRedisScript<>(script, String.class);
        Object result = redisTemplate.execute(redisScript, Collections.singletonList(lockKey), value);
        if (SUCCESS.equals(result)) {
            return true;
        }
        return false;
    }
 
}

Finally, add the custom interceptor above through registry.addInterceptor and it will take effect;

@Configuration
@Slf4j
public class MyWebAppConfig extends WebMvcConfigurerAdapter {
    @Bean
    IpUrlLimitInterceptor getIpUrlLimitInterceptor(){
        return new IpUrlLimitInterceptor();
    }
 
 @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(getIpUrlLimitInterceptor()).addPathPatterns("/**");
        super.addInterceptors(registry);
    }
}

The above is the detailed content of How Spring Boot prevents malicious interface refreshes and brute force requests. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:亿速云. If there is any infringement, please contact admin@php.cn delete

怎么使用SpringBoot+Canal实现数据库实时监控May 10, 2023 pm 06:25 PM

Canal工作原理Canal模拟MySQLslave的交互协议，伪装自己为MySQLslave，向MySQLmaster发送dump协议MySQLmaster收到dump请求，开始推送binarylog给slave（也就是Canal）Canal解析binarylog对象（原始为byte流）MySQL打开binlog模式在MySQL配置文件my.cnf设置如下信息：[mysqld]#打开binloglog-bin=mysql-bin#选择ROW(行)模式binlog-format=ROW#配置My

Spring Boot怎么使用SSE方式向前端推送数据May 10, 2023 pm 05:31 PM

前言SSE简单的来说就是服务器主动向前端推送数据的一种技术，它是单向的，也就是说前端是不能向服务器发送数据的。SSE适用于消息推送，监控等只需要服务器推送数据的场景中，下面是使用SpringBoot来实现一个简单的模拟向前端推动进度数据，前端页面接受后展示进度条。服务端在SpringBoot中使用时需要注意，最好使用SpringWeb提供的SseEmitter这个类来进行操作，我在刚开始时使用网上说的将Content-Type设置为text-stream这种方式发现每次前端每次都会重新创建接。最

SpringBoot怎么实现二维码扫码登录May 10, 2023 pm 08:25 PM

一、手机扫二维码登录的原理二维码扫码登录是一种基于OAuth3.0协议的授权登录方式。在这种方式下，应用程序不需要获取用户的用户名和密码，只需要获取用户的授权即可。二维码扫码登录主要有以下几个步骤：应用程序生成一个二维码，并将该二维码展示给用户。用户使用扫码工具扫描该二维码，并在授权页面中授权。用户授权后，应用程序会获取一个授权码。应用程序使用该授权码向授权服务器请求访问令牌。授权服务器返回一个访问令牌给应用程序。应用程序使用该访问令牌访问资源服务器。通过以上步骤，二维码扫码登录可以实现用户的快

SpringBoot/Spring AOP默认动态代理方式是什么May 10, 2023 pm 03:52 PM

1.springboot2.x及以上版本在SpringBoot2.xAOP中会默认使用Cglib来实现，但是Spring5中默认还是使用jdk动态代理。SpringAOP默认使用JDK动态代理，如果对象没有实现接口，则使用CGLIB代理。当然，也可以强制使用CGLIB代理。在SpringBoot中，通过AopAutoConfiguration来自动装配AOP.2.Springboot1.xSpringboot1.xAOP默认还是使用JDK动态代理的3.SpringBoot2.x为何默认使用Cgl

spring boot怎么对敏感信息进行加解密May 10, 2023 pm 02:46 PM

我们使用jasypt最新版本对敏感信息进行加解密。1.在项目pom文件中加入如下依赖：com.github.ulisesbocchiojasypt-spring-boot-starter3.0.32.创建加解密公用类：packagecom.myproject.common.utils;importorg.jasypt.encryption.pbe.PooledPBEStringEncryptor;importorg.jasypt.encryption.pbe.config.SimpleStrin

使用Java SpringBoot集成POI实现Word文档导出Apr 21, 2023 pm 12:19 PM

知识准备需要理解ApachePOI遵循的标准（OfficeOpenXML（OOXML）标准和微软的OLE2复合文档格式（OLE2）），这将对应着API的依赖包。什么是POIApachePOI是用Java编写的免费开源的跨平台的JavaAPI，ApachePOI提供API给Java程序对MicrosoftOffice格式档案读和写的功能。POI为“PoorObfuscationImplementation”的首字母缩写，意为“简洁版的模糊实现”。ApachePOI是创建和维护操作各种符合Offic

springboot怎么整合shiro实现多验证登录功能May 10, 2023 pm 04:19 PM

1.首先新建一个shiroConfigshiro的配置类，代码如下：@ConfigurationpublicclassSpringShiroConfig{/***@paramrealms这儿使用接口集合是为了实现多验证登录时使用的*@return*/@BeanpublicSecurityManagersecurityManager(Collectionrealms){DefaultWebSecurityManagersManager=newDefaultWebSecurityManager();

SpringBoot项目打包发布到外部tomcat遇到的问题怎么解决May 10, 2023 pm 05:49 PM

先说遇到问题的情景：初次尝试使用springboot框架写了个小web项目，在IntellijIDEA中能正常启动运行。使用maven运行install，生成war包，发布到本机的tomcat下，出现异常，主要的异常信息是.......LifeCycleException。经各种搜索，找到答案。springboot因为内嵌tomcat容器，所以可以通过打包为jar包的方法将项目发布，但是如何将springboot项目打包成可发布到tomcat中的war包项目呢？1.既然需要打包成war包项目，首

See all articles