Java安全编程最佳实践引言在当今数字化时代应用程序安全性已成为软件开发中不可忽视的重要方面。数据泄露、注入攻击、认证绕过等安全漏洞可能导致严重的业务损失和声誉损害。Java作为企业级应用的主流开发语言提供了丰富的安全特性但正确使用这些特性需要开发者深入理解安全编程原则。本文将全面介绍Java安全编程的核心概念、常见漏洞的防护方法、安全配置最佳实践以及安全测试策略帮助开发者构建更加安全的应用程序。一、OWASP Top 10与防护策略1.1 注入攻击防护SQL注入是最常见的注入攻击类型攻击者通过在用户输入中注入恶意SQL代码来操纵数据库查询。// 危险的SQL拼接方式 RestController public class UnsafeUserController { Autowired private JdbcTemplate jdbcTemplate; // 永远不要这样做 GetMapping(/users/search) public ListUser searchUsers(RequestParam String name) { String sql SELECT * FROM users WHERE name name ; return jdbcTemplate.queryForList(sql); } // 安全的参数化查询 GetMapping(/users/safe-search) public ListUser safeSearchUsers(RequestParam String name) { String sql SELECT * FROM users WHERE name ?; return jdbcTemplate.queryForList(sql, name); } } // JPA方式 - 天然防护SQL注入 Repository public interface UserRepository extends JpaRepositoryUser, Long { ListUser findByName(String name); Query(SELECT u FROM User u WHERE u.name :name) ListUser searchByName(Param(name) String name); }1.2 XSS防护跨站脚本攻击XSS允许攻击者在用户浏览器中执行恶意脚本。Configuration public class SecurityConfig { Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf(csrf - csrf .ignoringRequestMatchers(/api/**) // API端点禁用CSRF ) .headers(headers - headers .contentSecurityPolicy(csp - csp .policyDirectives(script-src self; style-src self unsafe-inline) ) .xssProtection(xss - xss .and() .contentTypeOptions() ) ); return http.build(); } } // Spring MVC响应处理防止XSS Component public class XssSanitizer { private final PolicyFactory policy SafetyPolicies.basic(); public String sanitize(String input) { if (input null) { return null; } return policy.sanitize(input); } } ControllerAdvice public class XssProtectionAdvice { Autowired private XssSanitizer sanitizer; InitBinder public void initBinder(WebDataBinder binder) { binder.registerCustomEditor(String.class, new PropertyEditorSupport() { Override public void setAsText(String text) { setValue(sanitizer.sanitize(text)); } }); } }二、认证与授权2.1 Spring Security配置Configuration EnableWebSecurity EnableMethodSecurity(prePostEnabled true) public class SecurityConfig { Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(auth - auth .requestMatchers(/public/**, /actuator/health).permitAll() .requestMatchers(/admin/**).hasRole(ADMIN) .requestMatchers(/api/**).authenticated() .anyRequest().authenticated() ) .sessionManagement(session - session .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .maximumSessions(1) .maxSessionsPreventsLogin(true) ) .oauth2ResourceServer(oauth2 - oauth2 .jwt(jwt - jwt .jwtAuthenticationConverter(jwtAuthenticationConverter()) ) ) .csrf(csrf - csrf .ignoringRequestMatchers(/api/**) ); return http.build(); } Bean public JwtAuthenticationConverter jwtAuthenticationConverter() { JwtGrantedAuthorityConverter grantedAuthorityConverter new JwtGrantedAuthorityConverter(); grantedAuthorityConverter.setAuthoritiesClaimName(roles); grantedAuthorityConverter.setAuthorityPrefix(ROLE_); JwtAuthenticationConverter jwtAuthenticationConverter new JwtAuthenticationConverter(); jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter( grantedAuthorityConverter); return jwtAuthenticationConverter; } }2.2 自定义权限校验Service(permissionService) public class PermissionService { public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { if (authentication null || targetDomainObject null || permission null) { return false; } String permissionString permission.toString(); String targetType targetDomainObject.getClass().getSimpleName(); return authentication.getAuthorities().stream() .anyMatch(auth - auth.getAuthority().equals( buildPermission(targetType, permissionString))); } private String buildPermission(String target, String action) { return String.format(PERMISSION_%s_%s, target.toUpperCase(), action.toUpperCase()); } } // 使用SpEL表达式进行权限校验 Service public class DocumentService { public Document findById(Long id) { Document doc documentRepository.findById(id) .orElseThrow(() - new DocumentNotFoundException(id)); // SpEL中的安全方法引用 return doc; } PreAuthorize(permissionService.hasPermission( #document, READ)) public void readDocument(Document document) { // 权限校验 } }三、数据安全3.1 敏感数据加密Service public class EncryptionService { private final String algorithm AES/GCM/NoPadding; private final int tagLength 128; private final int ivLength 12; Value(${encryption.secret-key}) private String secretKey; public String encrypt(String plaintext) { try { byte[] iv new byte[ivLength]; new SecureRandom().nextBytes(iv); Cipher cipher Cipher.getInstance(algorithm); GCMParameterSpec parameterSpec new GCMParameterSpec( tagLength, iv); cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), parameterSpec); byte[] ciphertext cipher.doFinal( plaintext.getBytes(StandardCharsets.UTF_8)); byte[] encrypted new byte[iv.length ciphertext.length]; System.arraycopy(iv, 0, encrypted, 0, iv.length); System.arraycopy(ciphertext, 0, encrypted, iv.length, ciphertext.length); return Base64.getEncoder().encodeToString(encrypted); } catch (Exception e) { throw new EncryptionException(加密失败, e); } } public String decrypt(String encryptedText) { try { byte[] decoded Base64.getDecoder().decode(encryptedText); byte[] iv Arrays.copyOfRange(decoded, 0, ivLength); byte[] ciphertext Arrays.copyOfRange(decoded, ivLength, decoded.length); Cipher cipher Cipher.getInstance(algorithm); GCMParameterSpec parameterSpec new GCMParameterSpec( tagLength, iv); cipher.init(Cipher.DECRYPT_MODE, getSecretKey(), parameterSpec); byte[] plaintext cipher.doFinal(ciphertext); return new String(plaintext, StandardCharsets.UTF_8); } catch (Exception e) { throw new EncryptionException(解密失败, e); } } private SecretKey getSecretKey() throws NoSuchAlgorithmException { byte[] keyBytes secretKey.getBytes(StandardCharsets.UTF_8); MessageDigest digest MessageDigest.getInstance(SHA-256); byte[] hash digest.digest(keyBytes); return new SecretKeySpec(Arrays.copyOf(hash, 32), AES); } }3.2 数据库字段加密Entity public class User { Id GeneratedValue(strategy GenerationType.IDENTITY) private Long id; Column(nullable false) private String username; Convert(converter EncryptedConverter.class) Column(name email_encrypted) private String email; Column(name password_hash, nullable false) private String passwordHash; Column(name ssn_encrypted) Convert(converter EncryptedConverter.class) private String ssn; } Converter public class EncryptedConverter implements AttributeConverterString, String { Autowired private EncryptionService encryptionService; Override public String convertToDatabaseColumn(String attribute) { if (attribute null) { return null; } return encryptionService.encrypt(attribute); } Override public String convertToEntityAttribute(String dbData) { if (dbData null) { return null; } return encryptionService.decrypt(dbData); } }四、安全HTTP头4.1 配置安全响应头Configuration public class SecurityHeadersConfig { Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .headers(headers - headers .frameOptions(frame - frame.deny()) .contentTypeOptions(contentType - {}) .xssProtection(xss - xss .headerValue(XXssProtectionRequestMatcher .ENABLED_MODE_BLOCK) ) .contentSecurityPolicy(csp - csp .policyDirectives(default-src self; script-src self unsafe-inline; style-src self unsafe-inline; img-src self data: https:; connect-src self; font-src self;) ) .referrerPolicy(referrer - referrer.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)) .permissionsPolicy(permissions - permissions.policy(geolocation(), microphone(), camera())) ); return http.build(); } }五、密码安全5.1 密码加密和验证Service public class PasswordService { private final PasswordEncoder passwordEncoder; private static final int SALT_LENGTH 32; public PasswordService(Value(${password.bcrypt.strength:12}) int strength) { this.passwordEncoder new BCryptPasswordEncoder(strength); } public String hashPassword(String rawPassword) { if (rawPassword null) { throw new IllegalArgumentException(密码不能为空); } return passwordEncoder.encode(rawPassword); } public boolean verifyPassword(String rawPassword, String encodedPassword) { if (rawPassword null || encodedPassword null) { return false; } return passwordEncoder.matches(rawPassword, encodedPassword); } public boolean isPasswordStrongEnough(String password) { if (password null || password.length() 8) { return false; } boolean hasUpper false; boolean hasLower false; boolean hasDigit false; boolean hasSpecial false; for (char c : password.toCharArray()) { if (Character.isUpperCase(c)) hasUpper true; else if (Character.isLowerCase(c)) hasLower true; else if (Character.isDigit(c)) hasDigit true; else hasSpecial true; } int strength 0; if (hasUpper) strength; if (hasLower) strength; if (hasDigit) strength; if (hasSpecial) strength; return strength 3; } }5.2 密码历史记录Service public class PasswordHistoryService { Autowired private PasswordService passwordService; public boolean isPasswordReused(String username, String newPassword) { ListString previousPasswords getPreviousPasswords(username, 5); for (String oldPassword : previousPasswords) { if (passwordService.verifyPassword(newPassword, oldPassword)) { return true; } } return false; } public void savePasswordHistory(String username, String encodedPassword) { // 保存到密码历史表 passwordHistoryRepository.save(new PasswordHistory( username, encodedPassword, LocalDateTime.now())); } }六、API安全6.1 速率限制Configuration public class RateLimitingConfig { Bean public FilterRegistrationBeanRateLimitFilter rateLimitFilter( RateLimiter rateLimiter) { FilterRegistrationBeanRateLimitFilter registrationBean new FilterRegistrationBean(); registrationBean.setFilter(new RateLimitFilter(rateLimiter)); registrationBean.addUrlPatterns(/api/*); registrationBean.setOrder(1); return registrationBean; } Bean public RateLimiter rateLimiter() { return RateLimiter.builder(api-rate-limiter) .prefix(rate-limit:api) .costPerToken(1) .blockTimeout(Duration.ofSeconds(1)) .initialTokens(100) .build(); } } public class RateLimitFilter extends OncePerRequestFilter { private final RateLimiter rateLimiter; public RateLimitFilter(RateLimiter rateLimiter) { this.rateLimiter rateLimiter; } Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { String clientId getClientId(request); if (!rateLimiter.tryAcquire(clientId)) { response.setStatus(429); response.setContentType(application/json); response.getWriter().write( {\error\:\请求过于频繁请稍后再试\}); return; } filterChain.doFilter(request, response); } private String getClientId(HttpServletRequest request) { String clientId request.getHeader(X-Client-Id); if (clientId null) { clientId request.getRemoteAddr(); } return clientId; } }6.2 CORS配置Configuration public class CorsConfig { Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration new CorsConfiguration(); configuration.setAllowedOriginPatterns(Arrays.asList( https://*.example.com, https://*.trusted-domain.com )); configuration.setAllowedMethods(Arrays.asList( GET, POST, PUT, DELETE, OPTIONS)); configuration.setAllowedHeaders(Arrays.asList( Authorization, Content-Type, X-Requested-With)); configuration.setExposedHeaders(Arrays.asList( X-Total-Count, X-Page-Number)); configuration.setAllowCredentials(true); configuration.setMaxAge(3600L); UrlBasedCorsConfigurationSource source new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration(/api/**, configuration); return source; } }七、安全日志与审计7.1 安全事件日志Component public class SecurityAuditLogger { private static final Logger auditLog LoggerFactory.getLogger( SECURITY_AUDIT); public void logLoginSuccess(String username, String ipAddress) { auditLog.info(LOGIN_SUCCESS user{} ip{}, username, ipAddress); } public void logLoginFailure(String username, String ipAddress, String reason) { auditLog.warn(LOGIN_FAILURE user{} ip{} reason{}, username, ipAddress, reason); } public void logAccessDenied(String username, String resource, String action) { auditLog.warn(ACCESS_DENIED user{} resource{} action{}, username, resource, action); } public void logSensitiveOperation(String username, String operation, MapString, Object details) { auditLog.info(SENSITIVE_OPERATION user{} operation{} details{}, username, operation, details); } }八、安全测试8.1 集成测试中的安全验证SpringBootTest AutoConfigureMockMvc class SecurityIntegrationTest { Autowired private MockMvc mockMvc; Test void shouldRejectUnauthenticatedAccess() throws Exception { mockMvc.perform(get(/api/orders)) .andExpect(status().isUnauthorized()); } Test WithMockUser(roles USER) void shouldRejectUnauthorizedAccess() throws Exception { mockMvc.perform(get(/api/admin/users)) .andExpect(status().isForbidden()); } Test void shouldPreventXSS() throws Exception { mockMvc.perform(get(/api/search) .param(q, scriptalert(xss)/script)) .andExpect(content().not(containsString(script))); } Test void shouldEnforceRateLimiting() throws Exception { for (int i 0; i 100; i) { mockMvc.perform(get(/api/public/data)); } mockMvc.perform(get(/api/public/data)) .andExpect(status().isTooManyRequests()); } }8.2 依赖安全扫描!-- Maven配置 -- plugin groupIdorg.owasp/groupId artifactIddependency-check-maven-plugin/artifactId version8.4.0/version configuration failBuildOnCVSS7/failBuildOnCVSS outputDirectory${project.build.directory}/owasp-reports/outputDirectory /configuration executions execution goals goalcheck/goal /goals /execution /executions /plugin总结Java安全编程需要开发者在多个层面保持警惕输入验证防止注入攻击正确的认证授权机制保护资源访问敏感数据加密保障数据安全配置安全HTTP头增强浏览器防护以及完善的日志审计追溯安全事件。Spring Security提供了强大而灵活的安全框架合理使用其特性可以有效防护常见安全威胁。同时安全测试应该贯穿开发全流程从单元测试到集成测试都要包含安全验证。构建安全的应用程序是一个持续的过程需要团队不断学习和改进。
Java安全编程最佳实践
Java安全编程最佳实践引言在当今数字化时代应用程序安全性已成为软件开发中不可忽视的重要方面。数据泄露、注入攻击、认证绕过等安全漏洞可能导致严重的业务损失和声誉损害。Java作为企业级应用的主流开发语言提供了丰富的安全特性但正确使用这些特性需要开发者深入理解安全编程原则。本文将全面介绍Java安全编程的核心概念、常见漏洞的防护方法、安全配置最佳实践以及安全测试策略帮助开发者构建更加安全的应用程序。一、OWASP Top 10与防护策略1.1 注入攻击防护SQL注入是最常见的注入攻击类型攻击者通过在用户输入中注入恶意SQL代码来操纵数据库查询。// 危险的SQL拼接方式 RestController public class UnsafeUserController { Autowired private JdbcTemplate jdbcTemplate; // 永远不要这样做 GetMapping(/users/search) public ListUser searchUsers(RequestParam String name) { String sql SELECT * FROM users WHERE name name ; return jdbcTemplate.queryForList(sql); } // 安全的参数化查询 GetMapping(/users/safe-search) public ListUser safeSearchUsers(RequestParam String name) { String sql SELECT * FROM users WHERE name ?; return jdbcTemplate.queryForList(sql, name); } } // JPA方式 - 天然防护SQL注入 Repository public interface UserRepository extends JpaRepositoryUser, Long { ListUser findByName(String name); Query(SELECT u FROM User u WHERE u.name :name) ListUser searchByName(Param(name) String name); }1.2 XSS防护跨站脚本攻击XSS允许攻击者在用户浏览器中执行恶意脚本。Configuration public class SecurityConfig { Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf(csrf - csrf .ignoringRequestMatchers(/api/**) // API端点禁用CSRF ) .headers(headers - headers .contentSecurityPolicy(csp - csp .policyDirectives(script-src self; style-src self unsafe-inline) ) .xssProtection(xss - xss .and() .contentTypeOptions() ) ); return http.build(); } } // Spring MVC响应处理防止XSS Component public class XssSanitizer { private final PolicyFactory policy SafetyPolicies.basic(); public String sanitize(String input) { if (input null) { return null; } return policy.sanitize(input); } } ControllerAdvice public class XssProtectionAdvice { Autowired private XssSanitizer sanitizer; InitBinder public void initBinder(WebDataBinder binder) { binder.registerCustomEditor(String.class, new PropertyEditorSupport() { Override public void setAsText(String text) { setValue(sanitizer.sanitize(text)); } }); } }二、认证与授权2.1 Spring Security配置Configuration EnableWebSecurity EnableMethodSecurity(prePostEnabled true) public class SecurityConfig { Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(auth - auth .requestMatchers(/public/**, /actuator/health).permitAll() .requestMatchers(/admin/**).hasRole(ADMIN) .requestMatchers(/api/**).authenticated() .anyRequest().authenticated() ) .sessionManagement(session - session .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .maximumSessions(1) .maxSessionsPreventsLogin(true) ) .oauth2ResourceServer(oauth2 - oauth2 .jwt(jwt - jwt .jwtAuthenticationConverter(jwtAuthenticationConverter()) ) ) .csrf(csrf - csrf .ignoringRequestMatchers(/api/**) ); return http.build(); } Bean public JwtAuthenticationConverter jwtAuthenticationConverter() { JwtGrantedAuthorityConverter grantedAuthorityConverter new JwtGrantedAuthorityConverter(); grantedAuthorityConverter.setAuthoritiesClaimName(roles); grantedAuthorityConverter.setAuthorityPrefix(ROLE_); JwtAuthenticationConverter jwtAuthenticationConverter new JwtAuthenticationConverter(); jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter( grantedAuthorityConverter); return jwtAuthenticationConverter; } }2.2 自定义权限校验Service(permissionService) public class PermissionService { public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { if (authentication null || targetDomainObject null || permission null) { return false; } String permissionString permission.toString(); String targetType targetDomainObject.getClass().getSimpleName(); return authentication.getAuthorities().stream() .anyMatch(auth - auth.getAuthority().equals( buildPermission(targetType, permissionString))); } private String buildPermission(String target, String action) { return String.format(PERMISSION_%s_%s, target.toUpperCase(), action.toUpperCase()); } } // 使用SpEL表达式进行权限校验 Service public class DocumentService { public Document findById(Long id) { Document doc documentRepository.findById(id) .orElseThrow(() - new DocumentNotFoundException(id)); // SpEL中的安全方法引用 return doc; } PreAuthorize(permissionService.hasPermission( #document, READ)) public void readDocument(Document document) { // 权限校验 } }三、数据安全3.1 敏感数据加密Service public class EncryptionService { private final String algorithm AES/GCM/NoPadding; private final int tagLength 128; private final int ivLength 12; Value(${encryption.secret-key}) private String secretKey; public String encrypt(String plaintext) { try { byte[] iv new byte[ivLength]; new SecureRandom().nextBytes(iv); Cipher cipher Cipher.getInstance(algorithm); GCMParameterSpec parameterSpec new GCMParameterSpec( tagLength, iv); cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), parameterSpec); byte[] ciphertext cipher.doFinal( plaintext.getBytes(StandardCharsets.UTF_8)); byte[] encrypted new byte[iv.length ciphertext.length]; System.arraycopy(iv, 0, encrypted, 0, iv.length); System.arraycopy(ciphertext, 0, encrypted, iv.length, ciphertext.length); return Base64.getEncoder().encodeToString(encrypted); } catch (Exception e) { throw new EncryptionException(加密失败, e); } } public String decrypt(String encryptedText) { try { byte[] decoded Base64.getDecoder().decode(encryptedText); byte[] iv Arrays.copyOfRange(decoded, 0, ivLength); byte[] ciphertext Arrays.copyOfRange(decoded, ivLength, decoded.length); Cipher cipher Cipher.getInstance(algorithm); GCMParameterSpec parameterSpec new GCMParameterSpec( tagLength, iv); cipher.init(Cipher.DECRYPT_MODE, getSecretKey(), parameterSpec); byte[] plaintext cipher.doFinal(ciphertext); return new String(plaintext, StandardCharsets.UTF_8); } catch (Exception e) { throw new EncryptionException(解密失败, e); } } private SecretKey getSecretKey() throws NoSuchAlgorithmException { byte[] keyBytes secretKey.getBytes(StandardCharsets.UTF_8); MessageDigest digest MessageDigest.getInstance(SHA-256); byte[] hash digest.digest(keyBytes); return new SecretKeySpec(Arrays.copyOf(hash, 32), AES); } }3.2 数据库字段加密Entity public class User { Id GeneratedValue(strategy GenerationType.IDENTITY) private Long id; Column(nullable false) private String username; Convert(converter EncryptedConverter.class) Column(name email_encrypted) private String email; Column(name password_hash, nullable false) private String passwordHash; Column(name ssn_encrypted) Convert(converter EncryptedConverter.class) private String ssn; } Converter public class EncryptedConverter implements AttributeConverterString, String { Autowired private EncryptionService encryptionService; Override public String convertToDatabaseColumn(String attribute) { if (attribute null) { return null; } return encryptionService.encrypt(attribute); } Override public String convertToEntityAttribute(String dbData) { if (dbData null) { return null; } return encryptionService.decrypt(dbData); } }四、安全HTTP头4.1 配置安全响应头Configuration public class SecurityHeadersConfig { Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .headers(headers - headers .frameOptions(frame - frame.deny()) .contentTypeOptions(contentType - {}) .xssProtection(xss - xss .headerValue(XXssProtectionRequestMatcher .ENABLED_MODE_BLOCK) ) .contentSecurityPolicy(csp - csp .policyDirectives(default-src self; script-src self unsafe-inline; style-src self unsafe-inline; img-src self data: https:; connect-src self; font-src self;) ) .referrerPolicy(referrer - referrer.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)) .permissionsPolicy(permissions - permissions.policy(geolocation(), microphone(), camera())) ); return http.build(); } }五、密码安全5.1 密码加密和验证Service public class PasswordService { private final PasswordEncoder passwordEncoder; private static final int SALT_LENGTH 32; public PasswordService(Value(${password.bcrypt.strength:12}) int strength) { this.passwordEncoder new BCryptPasswordEncoder(strength); } public String hashPassword(String rawPassword) { if (rawPassword null) { throw new IllegalArgumentException(密码不能为空); } return passwordEncoder.encode(rawPassword); } public boolean verifyPassword(String rawPassword, String encodedPassword) { if (rawPassword null || encodedPassword null) { return false; } return passwordEncoder.matches(rawPassword, encodedPassword); } public boolean isPasswordStrongEnough(String password) { if (password null || password.length() 8) { return false; } boolean hasUpper false; boolean hasLower false; boolean hasDigit false; boolean hasSpecial false; for (char c : password.toCharArray()) { if (Character.isUpperCase(c)) hasUpper true; else if (Character.isLowerCase(c)) hasLower true; else if (Character.isDigit(c)) hasDigit true; else hasSpecial true; } int strength 0; if (hasUpper) strength; if (hasLower) strength; if (hasDigit) strength; if (hasSpecial) strength; return strength 3; } }5.2 密码历史记录Service public class PasswordHistoryService { Autowired private PasswordService passwordService; public boolean isPasswordReused(String username, String newPassword) { ListString previousPasswords getPreviousPasswords(username, 5); for (String oldPassword : previousPasswords) { if (passwordService.verifyPassword(newPassword, oldPassword)) { return true; } } return false; } public void savePasswordHistory(String username, String encodedPassword) { // 保存到密码历史表 passwordHistoryRepository.save(new PasswordHistory( username, encodedPassword, LocalDateTime.now())); } }六、API安全6.1 速率限制Configuration public class RateLimitingConfig { Bean public FilterRegistrationBeanRateLimitFilter rateLimitFilter( RateLimiter rateLimiter) { FilterRegistrationBeanRateLimitFilter registrationBean new FilterRegistrationBean(); registrationBean.setFilter(new RateLimitFilter(rateLimiter)); registrationBean.addUrlPatterns(/api/*); registrationBean.setOrder(1); return registrationBean; } Bean public RateLimiter rateLimiter() { return RateLimiter.builder(api-rate-limiter) .prefix(rate-limit:api) .costPerToken(1) .blockTimeout(Duration.ofSeconds(1)) .initialTokens(100) .build(); } } public class RateLimitFilter extends OncePerRequestFilter { private final RateLimiter rateLimiter; public RateLimitFilter(RateLimiter rateLimiter) { this.rateLimiter rateLimiter; } Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { String clientId getClientId(request); if (!rateLimiter.tryAcquire(clientId)) { response.setStatus(429); response.setContentType(application/json); response.getWriter().write( {\error\:\请求过于频繁请稍后再试\}); return; } filterChain.doFilter(request, response); } private String getClientId(HttpServletRequest request) { String clientId request.getHeader(X-Client-Id); if (clientId null) { clientId request.getRemoteAddr(); } return clientId; } }6.2 CORS配置Configuration public class CorsConfig { Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration new CorsConfiguration(); configuration.setAllowedOriginPatterns(Arrays.asList( https://*.example.com, https://*.trusted-domain.com )); configuration.setAllowedMethods(Arrays.asList( GET, POST, PUT, DELETE, OPTIONS)); configuration.setAllowedHeaders(Arrays.asList( Authorization, Content-Type, X-Requested-With)); configuration.setExposedHeaders(Arrays.asList( X-Total-Count, X-Page-Number)); configuration.setAllowCredentials(true); configuration.setMaxAge(3600L); UrlBasedCorsConfigurationSource source new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration(/api/**, configuration); return source; } }七、安全日志与审计7.1 安全事件日志Component public class SecurityAuditLogger { private static final Logger auditLog LoggerFactory.getLogger( SECURITY_AUDIT); public void logLoginSuccess(String username, String ipAddress) { auditLog.info(LOGIN_SUCCESS user{} ip{}, username, ipAddress); } public void logLoginFailure(String username, String ipAddress, String reason) { auditLog.warn(LOGIN_FAILURE user{} ip{} reason{}, username, ipAddress, reason); } public void logAccessDenied(String username, String resource, String action) { auditLog.warn(ACCESS_DENIED user{} resource{} action{}, username, resource, action); } public void logSensitiveOperation(String username, String operation, MapString, Object details) { auditLog.info(SENSITIVE_OPERATION user{} operation{} details{}, username, operation, details); } }八、安全测试8.1 集成测试中的安全验证SpringBootTest AutoConfigureMockMvc class SecurityIntegrationTest { Autowired private MockMvc mockMvc; Test void shouldRejectUnauthenticatedAccess() throws Exception { mockMvc.perform(get(/api/orders)) .andExpect(status().isUnauthorized()); } Test WithMockUser(roles USER) void shouldRejectUnauthorizedAccess() throws Exception { mockMvc.perform(get(/api/admin/users)) .andExpect(status().isForbidden()); } Test void shouldPreventXSS() throws Exception { mockMvc.perform(get(/api/search) .param(q, scriptalert(xss)/script)) .andExpect(content().not(containsString(script))); } Test void shouldEnforceRateLimiting() throws Exception { for (int i 0; i 100; i) { mockMvc.perform(get(/api/public/data)); } mockMvc.perform(get(/api/public/data)) .andExpect(status().isTooManyRequests()); } }8.2 依赖安全扫描!-- Maven配置 -- plugin groupIdorg.owasp/groupId artifactIddependency-check-maven-plugin/artifactId version8.4.0/version configuration failBuildOnCVSS7/failBuildOnCVSS outputDirectory${project.build.directory}/owasp-reports/outputDirectory /configuration executions execution goals goalcheck/goal /goals /execution /executions /plugin总结Java安全编程需要开发者在多个层面保持警惕输入验证防止注入攻击正确的认证授权机制保护资源访问敏感数据加密保障数据安全配置安全HTTP头增强浏览器防护以及完善的日志审计追溯安全事件。Spring Security提供了强大而灵活的安全框架合理使用其特性可以有效防护常见安全威胁。同时安全测试应该贯穿开发全流程从单元测试到集成测试都要包含安全验证。构建安全的应用程序是一个持续的过程需要团队不断学习和改进。
