Spring Security 和 Tomcat 安全实践

 

一、注册密码复杂度
通过js判断,找到一简单好用代码以供参考:
function   CheckPassword(password)
{
          var   strength =   new   Array();
       strength[0] =   "Blank" ;
       strength[1] =   "Very Weak" ;
       strength[2] =   "Weak" ;
       strength[3] =   "Medium" ;
       strength[4] =   "Strong" ;
       strength[5] =   "Very Strong" ;

          var   score = 1;

          if   (password.length   <   1)
                 return   0;
                 //return strength[0];

          if   (password.length   <   4)
                 return   1;
                 //return strength[1];

          if   (password.length >= 8)
              score++;
          if (password.length >= 10)
              score++;
          if   (password.match(/\d+/))
              score++;
          if   (password.match(/[a -   z]/) &&
              password.matc   h(/[A - Z]/))
              score+   +;
          if   (password.match(/.[!,@,#,$,%,^,&,*,?,_,~, - ,£,(,)]/))
              score++;

          return strength[score];
}

二、失败登录处理
自定义FORM_LOGIN_FILTER,重载UsernamePasswordAuthenticationFilter的attemptAuthentication方法,判断用户登录失败信息,进行用户锁定等。
https通讯
配置 <intercept-url>标签的requires-channel属性,例如:
<http>
    <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https/>
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
  </http>

三、密码MD5密文保存
配置如下:
<!-- 密码编码 -->
      < b:bean   id = "passwordEncoder"   class = "org.springframework.security.authentication.encoding.Md5PasswordEncoder"   ></ b:bean >
   
      <!-- 认证管理 -->
      < authentication-manager   alias = "am" >
          < authentication-provider >
             <!-- <password-encoder hash="md5"/>  -->
             < password-encoder   ref =   "passwordEncoder"   >
                    < salt-source   user-property = "username"   />
                   </ password-encoder >
          
             < jdbc-user-service   data-source-ref = "dataSource"   />
          </ authentication-provider >
      </ authentication-manager   >

四、会话超时
在web.xml配置:
<!-- 设置session 超时时间为20分钟  -->
          < session-config >
           < session-timeout >   20 </   session-timeout >
          </ session-config >

五、并发会话控制
配置如下:
< b:bean   id =   "sas"   class   =
          "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"   >
           < b:constructor-arg   name =   "sessionRegistry"   ref   = "sessionRegistry"   />
           < b:property   name =   "maximumSessions"   value   = "1"   />
           < b:property   name =   "exceptionIfMaximumExceeded"   value = "true" ></   b:property >
           < b:property   name =   "alwaysCreateSession"   value   = "true" ></   b:property >
          </ b:bean >
最大会话数1,超出报错,总是创建新会话

六、跨站脚步攻击
编写过滤程序,对参数和header进行字符过滤。配置如下:
      <!-- Avoiding XSS -->
    < filter   >
      < filter-name   > XssFilter   </ filter-name >
      < filter-class   > sp.common.XssFilter   </ filter-class >
    </ filter   >   
    < filter-mapping   >
      < filter-name   > XssFilter   </ filter-name >
      < url-pattern   > /*   </ url-pattern >                 
    </ filter-mapping   >

七、禁用WebDav等不安全Http方法
修改web.xml
< web-resource-collection >
               < url-pattern >   /* </   url-pattern >
               < http-method >   PUT </   http-method >
               < http-method >   DELETE </   http-method >
               < http-method >   HEAD </   http-method >
               < http-method >   OPTIONS </   http-method >
               < http-method >   TRACE </   http-method >
           </ web-resource-collection >

你可能感兴趣的:(spring,tomcat,Security,安全)