Spring Security and Tomcat security practices
1. Password complexity at registration, checked in JavaScript. A short, easy-to-use snippet for reference (the original returned a number for the two shortest cases and a label otherwise, and could index past the end of the label array; both are corrected here so it always returns a label). Remember that a client-side check is only a usability aid: anyone can bypass it, so the same policy must be enforced again on the server when the registration form is processed.

    function CheckPassword(password) {
        var strength = new Array();
        strength[0] = "Blank";
        strength[1] = "Very Weak";
        strength[2] = "Weak";
        strength[3] = "Medium";
        strength[4] = "Strong";
        strength[5] = "Very Strong";

        var score = 1;

        if (password.length < 1)
            return strength[0];
        if (password.length < 4)
            return strength[1];

        // Each satisfied criterion adds one point
        if (password.length >= 8) score++;
        if (password.length >= 10) score++;
        if (password.match(/\d+/)) score++;
        if (password.match(/[a-z]/) && password.match(/[A-Z]/)) score++;
        if (password.match(/[!@#$%^&*?_~\-£()]/)) score++;

        // Five criteria can push the score to 6; clamp to the last label
        if (score > 5) score = 5;
        return strength[score];
    }
2. Failed-login handling. Define a custom FORM_LOGIN_FILTER that overrides the attemptAuthentication method of UsernamePasswordAuthenticationFilter, inspects the information about why the login failed, and takes action such as locking the user account.

HTTPS communication is configured with the requires-channel attribute of the <intercept-url> tag, for example:

    <http>
        <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
        <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
    </http>

The redirect from http to https only works when the port pairs Spring Security knows about match the connector ports Tomcat actually listens on (8080 to 8443 and 80 to 443 by default; anything else needs a <port-mappings> element).
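The article describes the lockout filter but does not show it. The class below is an added example written for this page, not the author's code: it replaces FORM_LOGIN_FILTER, counts consecutive failures per username, and refuses further attempts once a limit is reached. The limit of 5, the in-memory map and the class name are assumptions; a real deployment would store the lock flag in the user table so it survives restarts and is shared between nodes, and would also consider locking per source address or adding a delay, because a per-username lockout lets anyone lock out a victim simply by guessing wrong five times.

```java
package sp.security;  // assumed package, not from the article

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Added example: a FORM_LOGIN_FILTER replacement that locks a username
 * after too many consecutive failed logins (Spring Security 3.x API).
 */
public class LockoutUsernamePasswordAuthenticationFilter
        extends UsernamePasswordAuthenticationFilter {

    /** Assumed policy: lock after five consecutive failures. */
    private static final int MAX_FAILURES = 5;

    /**
     * Failure counter per username. Held in memory for the example only;
     * note that an attacker can grow it with many bogus usernames, which is
     * one more reason to persist the state in the user store instead.
     */
    private final Map<String, AtomicInteger> failures =
            new ConcurrentHashMap<String, AtomicInteger>();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException {
        String username = obtainUsername(request);
        username = username == null ? "" : username.trim();

        AtomicInteger count = failures.get(username);
        if (count != null && count.get() >= MAX_FAILURES) {
            // Locked: reject without consulting the AuthenticationManager,
            // so a correct password is not even confirmed to the caller.
            throw new LockedException("Account locked after "
                    + MAX_FAILURES + " failed logins");
        }

        try {
            Authentication result = super.attemptAuthentication(request, response);
            failures.remove(username);   // a successful login resets the counter
            return result;
        } catch (AuthenticationException e) {
            if (count == null) {
                count = new AtomicInteger();
                AtomicInteger existing = failures.putIfAbsent(username, count);
                if (existing != null) {
                    count = existing;
                }
            }
            count.incrementAndGet();
            throw e;   // let the normal failure handler render the error page
        }
    }
}
```

Wire it in place of the namespace login filter with <custom-filter position="FORM_LOGIN_FILTER" ref="lockoutFilter"/> inside <http>, give the bean an authenticationManager property (ref="am" from the alias used in section 3) plus the usual success and failure handlers, and remove the <form-login> element, since two filters at the same position are rejected at startup.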
3. Storing passwords as MD5 digests. Configuration:

    <!-- Password encoding -->
    <b:bean id="passwordEncoder"
            class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

    <!-- Authentication manager -->
    <authentication-manager alias="am">
        <authentication-provider>
            <!-- <password-encoder hash="md5"/> -->
            <password-encoder ref="passwordEncoder">
                <salt-source user-property="username"/>
            </password-encoder>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>

Note that Md5PasswordEncoder has since been deprecated: MD5 is fast enough to brute-force offline even with a per-user salt, so new deployments should use a slow, adaptive hash such as org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder instead. Using the username as the salt also means the salt is predictable and changes if the user is renamed.
4. Session timeout. Configure it in web.xml:

    <!-- Set the session timeout to 20 minutes -->
    <session-config>
        <session-timeout>20</session-timeout>
    </session-config>
5. Concurrent session control. Configuration:

    <b:bean id="sas"
            class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <b:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
        <b:property name="maximumSessions" value="1"/>
        <b:property name="exceptionIfMaximumExceeded" value="true"/>
        <b:property name="alwaysCreateSession" value="true"/>
    </b:bean>

At most one session per user; exceeding it raises an error rather than expiring the older session; a new session is always created on login. For the sessionRegistry to stay accurate, org.springframework.security.web.session.HttpSessionEventPublisher must be registered as a listener in web.xml so that the registry is told when sessions are destroyed, and the strategy must be wired into the login filter as its sessionAuthenticationStrategy.
6. Cross-site scripting. Write a filter that sanitises parameters and headers. Configuration:

    <!-- Avoiding XSS -->
    <filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>sp.common.XssFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
7. Disabling WebDAV and other unsafe HTTP methods. Edit web.xml. A <web-resource-collection> on its own does nothing; it must sit inside a <security-constraint> whose empty <auth-constraint/> denies the listed methods to everyone:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted HTTP methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

Two checks go with this. In Tomcat the readonly init-param of the DefaultServlet in conf/web.xml is what actually stops PUT and DELETE from writing files, so verify it has been left at its default of true, and TRACE is already refused unless allowTrace="true" has been set on the Connector. Also weigh whether blocking HEAD is worth it: it carries no body and is widely used by load balancers and link checkers, so denying it can break monitoring without removing any real risk.