Authored by mali

压测后门

... ... @@ -110,6 +110,14 @@ public class SecurityInterceptor implements HandlerInterceptor, ApplicationEvent
String businessLine = params.get("business_line");
//==============以下是完全不校验的场景=========================
//1 后门, 不需要校验, (1)检查请求参数是否有预留的后门参数_sncp, 并且_sncp的值是有效的. 放行 _sncp的值再5.6版本会去掉
String temporaryValueQeq = params.get("_sncp"); //请求的预留后门的值
String temporaryValue = configReader.getString("gateway.client.secret.h5", "");
if (!StringUtils.isEmpty(temporaryValueQeq) && !StringUtils.isEmpty(temporaryValue) && temporaryValueQeq.trim().equals(temporaryValue.trim()) && isInnerIp(httpServletRequest)){
return ;
}
//2 是否校验全部接口,开关-true:校验全部接口(除去@IgnoreSession注解接口) 开关-false:只校验核心接口
boolean isVerifyAllMethod = configReader.getBoolean("gateway.session.isVerifyAllMethod", true);
if(!isVerifyAllMethod){
... ... @@ -479,4 +487,48 @@ public class SecurityInterceptor implements HandlerInterceptor, ApplicationEvent
return false;
}
}
/**
* 是否内网ip
* @param request
* @return
*/
public boolean isInnerIp(HttpServletRequest request){
//增加内网ip验证开关,供压测时使用
boolean isInnerIpVerifyEnable = configReader.getBoolean("gateway.security.isInnerIpVerifyEnable", true);
if(!isInnerIpVerifyEnable){
return true;
}
String ip = getRemoteIP(request);
String[] ipArr = ip.split(",");
InetAddress inetAddress = null;
try {
inetAddress = InetAddress.getByName( ipArr[ ipArr.length - 1 ].trim() );
} catch (UnknownHostException e) {
logger.warn("isInnerIp error is {}", e);
}
if ( inetAddress.isSiteLocalAddress() ) {
// 是内网IP
return true;
} else {
// 不是内网接口
logger.info( "handler inner api interceptor, {} can not run inner api.", ip );
return false;
}
}
/**
* 获取用户IP
*
* @param httpServletRequest 1) x-forwarded-for 2).getRemoteAddr()
* @return 用户IP
*/
private String getRemoteIP(final HttpServletRequest httpServletRequest) {
String ip = httpServletRequest.getHeader("X-Forwarded-For");
if (StringUtils.isEmpty(ip)) {
ip = httpServletRequest.getRemoteAddr();
}
return ip;
}
}
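Review bot: `isInnerIp` dereferences `inetAddress` right after a `catch (UnknownHostException e)` block that only logs, so an address that fails to resolve ends in a NullPointerException rather than a denial; the catch should end with `return false;` (the copy of `isInnerIp` in SignatureVerifyInterceptor, whose body runs past its hunk, has the same shape). The address it checks comes from `getRemoteIP`, which prefers the `X-Forwarded-For` header over `getRemoteAddr()` and then takes the last comma-separated entry, so the `_sncp` bypass in the first hunk holds only if every request is guaranteed to arrive through a trusted proxy that sets that header — that assumption deserves a comment on `getRemoteIP`, or the check should also consider `getRemoteAddr()`. With `gateway.security.isInnerIpVerifyEnable=false` the method returns true unconditionally and the bypass rests solely on the `_sncp` value, so the comparison is better done as `MessageDigest.isEqual(temporaryValueQeq.trim().getBytes(StandardCharsets.UTF_8), temporaryValue.trim().getBytes(StandardCharsets.UTF_8))` to avoid a timing side channel, and the flag's comment should say it must stay `true` outside load tests. Note also that `isSiteLocalAddress()` does not match loopback or IPv6 ULA addresses, and `logger.warn("isInnerIp error is {}", e)` leaves the placeholder unfilled under SLF4J, which treats a trailing Throwable as the stack trace rather than an argument.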
... ... @@ -75,6 +75,14 @@ public class SignatureVerifyInterceptor implements HandlerInterceptor, Applicati
return true;
}
//(4) 预留后门, 如果是内网并且传入_sncp参数, 并且验证成功, 不验证.
String temporaryValueQeq = params.get("_sncp"); //请求的预留后门的值
String temporaryValue = configReader.getString("gateway.client.secret.h5", "");
logger.debug("SignatureVerifyInterceptor. method is {}, temporaryValueQeq is {}, temporaryValue is {} and isInner is {}", method, temporaryValueQeq, temporaryValue);
if (!StringUtils.isEmpty(temporaryValueQeq) && !StringUtils.isEmpty(temporaryValue) && temporaryValueQeq.trim().equals(temporaryValue.trim()) && isInnerIp(httpServletRequest)){
return true;
}
//(4) 验证消息签名.
String message = this.getPramsString(params);
String verifyMessage = httpServletRequest.getHeader(HTTP_HEADER_VERIFY_DATA);
... ... @@ -188,6 +196,11 @@ public class SignatureVerifyInterceptor implements HandlerInterceptor, Applicati
* @return
*/
public boolean isInnerIp(HttpServletRequest request){
//增加内网ip验证开关,供压测时使用
boolean isInnerIpVerifyEnable = configReader.getBoolean("gateway.security.isInnerIpVerifyEnable", true);
if(!isInnerIpVerifyEnable){
return true;
}
String ip = getRemoteIP( request );
String[] ipArr = ip.split( "," );
InetAddress inetAddress = null;
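Review bot: The `logger.debug` call in this file's first hunk, directly after the `_sncp` lookup, writes both the received `_sncp` value and the configured `gateway.client.secret.h5` secret to the log, and its format string has four `{}` placeholders but only three arguments, so `isInner is {}` is never filled. Log presence rather than value, e.g. `logger.debug("SignatureVerifyInterceptor. method is {}, sncpPresent is {}", method, !StringUtils.isEmpty(temporaryValueQeq));`, and drop the `isInner` placeholder unless `isInnerIp` is evaluated into a local first. The enclosing method starts and ends outside the hunk.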