Spring Security and Tomcat Security Practices

1. Registration password complexity
Checked in JavaScript; here is a simple, handy snippet for reference:
function CheckPassword(password)
{
    var strength = new Array();
    strength[0] = "Blank";
    strength[1] = "Very Weak";
    strength[2] = "Weak";
    strength[3] = "Medium";
    strength[4] = "Strong";
    strength[5] = "Very Strong";

    var score = 1;

    if (password.length < 1)
        return strength[0];

    if (password.length < 4)
        return strength[1];

    // Each satisfied rule adds one point; length counts twice
    if (password.length >= 8)
        score++;
    if (password.length >= 10)
        score++;
    // Contains a digit
    if (password.match(/\d+/))
        score++;
    // Mixed case: both a lowercase and an uppercase letter present
    if (password.match(/[a-z]/) &&
        password.match(/[A-Z]/))
        score++;
    // At least one special character
    if (password.match(/[!@#$%^&*?_~\-£()]/))
        score++;

    // All five rules push score to 6, past the last label, so cap it at 5
    return strength[Math.min(score, 5)];
}

2. Failed-login handling
Define a custom FORM_LOGIN_FILTER that overrides the attemptAuthentication method of UsernamePasswordAuthenticationFilter, inspects the login failure information and takes action such as locking the user account.
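One way to implement this, as an added example that is not code from the original post: a subclass of UsernamePasswordAuthenticationFilter whose attemptAuthentication counts consecutive failures per username and temporarily locks the account. The class name LockingLoginFilter, the thresholds MAX_FAILURES and LOCK_MILLIS and the in-memory maps are assumptions (a clustered deployment would keep that state in a shared store); obtainUsername and LockedException are the real Spring Security 3.x API.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Assumed class name and thresholds (not from the original post). Register it with
// <custom-filter position="FORM_LOGIN_FILTER" ref="..."/> in place of the default filter.
public class LockingLoginFilter extends UsernamePasswordAuthenticationFilter {
    private static final int MAX_FAILURES = 5;              // lock after 5 consecutive failures
    private static final long LOCK_MILLIS = 15 * 60 * 1000; // temporary 15-minute lockout
    // In-memory state; a clustered deployment would keep this in a shared store.
    private final Map<String, Integer> failures = new ConcurrentHashMap<String, Integer>();
    private final Map<String, Long> lockedUntil = new ConcurrentHashMap<String, Long>();
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        String username = obtainUsername(request);
        username = (username == null) ? "" : username.trim();
        // While locked, refuse before the password is ever compared.
        if (isLocked(username)) {
            throw new LockedException("Account temporarily locked after too many failed logins");
        }
        try {
            Authentication auth = super.attemptAuthentication(request, response);
            failures.remove(username); // a successful login resets the counter
            return auth;
        } catch (AuthenticationException ex) {
            recordFailure(username);
            throw ex; // the configured failure handler still runs (redirect to the login page)
        }
    }
    private synchronized boolean isLocked(String user) {
        Long until = lockedUntil.get(user);
        if (until == null) return false;
        if (System.currentTimeMillis() < until) return true;
        lockedUntil.remove(user); // lockout expired: start counting afresh
        failures.remove(user);
        return false;
    }
    private synchronized void recordFailure(String user) {
        Integer n = failures.get(user);
        int count = (n == null) ? 1 : n + 1;
        failures.put(user, count);
        if (count >= MAX_FAILURES) lockedUntil.put(user, System.currentTimeMillis() + LOCK_MILLIS);
    }
}
```

A time-limited lockout rather than a permanent one keeps a flood of bad passwords for a known username from turning into a lasting denial of service for that user.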
HTTPS communication
Configure the requires-channel attribute of the <intercept-url> element, for example:
<http>
    <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
</http>

3. Storing passwords as MD5 hashes
Configure as follows:
<!-- Password encoder -->
<b:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"></b:bean>

<!-- Authentication manager -->
<authentication-manager alias="am">
    <authentication-provider>
        <!-- <password-encoder hash="md5"/> -->
        <password-encoder ref="passwordEncoder">
            <salt-source user-property="username"/>
        </password-encoder>

        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>

4. Session timeout
Configure in web.xml:
<!-- Set the session timeout to 20 minutes -->
<session-config>
    <session-timeout>20</session-timeout>
</session-config>

5. Concurrent session control
Configure as follows:
<b:bean id="sas"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <b:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
    <b:property name="maximumSessions" value="1"/>
    <b:property name="exceptionIfMaximumExceeded" value="true"></b:property>
    <b:property name="alwaysCreateSession" value="true"></b:property>
</b:bean>
At most one session per user; a login beyond that limit fails with an error; a session is always created.

6. Cross-site scripting (XSS)
Write a filter that sanitises characters in request parameters and headers. Configure it as follows:
<!-- Avoiding XSS -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>sp.common.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

7. Disable WebDAV and other unsafe HTTP methods
Edit web.xml:
<!-- Deny PUT, DELETE, HEAD, OPTIONS and TRACE for every URL; the empty
     <auth-constraint/> means no role is allowed to use them.
     <web-resource-name> is required by the schema; its value is arbitrary. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

Reposted from tedeum.iteye.com/blog/1717841