by emanjusaka from https://www.emanjusaka.top/2024/04/shiro-request-chinese-error-400 彼岸花开可奈何
本文欢迎分享与聚合,全文转载请留下原文地址。
当我们的项目中引入了 Shiro 后,带有中文的请求路径会被拦截并返回 400 的错误。一般我们的请求路径是不会带有中文字符,但当我们访问静态资源时那些文件是有可能是中文名称的。比如通过 SpringBoot 的静态资源映射预览上传的图片,这些上传的图片名称就可能是中文的。在没有引入 Shiro 的项目中是可以正常预览的,但引入了 Shiro 的项目中预览这些文件时就会遇到报错 400 的问题。
造成错误的原因
造成这个问题的是原因是 Shiro 有一个全局的拦截器InvalidRequestFilter,它会检查请求的路径是否合法,如果不合法就会阻止该请求进一步处理并返回 400 的错误。带有中文的请求路径正是它认为不合法的情况之一。该请求过滤器在请求 URI 中发现以下字符都会认为其不合法并阻止该请求:
分号:可以通过设置 blockSemicolon = false 来禁用
反斜杠:可以通过设置 blockBackslash = false 来禁用
非 ascii 字符-可以通过设置 blockNonAscii = false 来禁用,禁用此检查的功能将在将来的版本中删除。
路径遍历-可以通过设置 blockTraversal = false 来禁用
检查的路径
@Override protected boolean isAccessAllowed(ServletRequest req, ServletResponse response, Object mappedValue) throws Exception { HttpServletRequest request = WebUtils.toHttp(req); // check the original and decoded values return isValid(request.getRequestURI()) // user request string (not decoded) && isValid(request.getServletPath()) // decoded servlet part && isValid(request.getPathInfo()); // decoded path info (may be null) }
复制代码
它会检查请求的各个组成部分,包括原始请求 URI、解码后的 servlet 路径和解码后的路径信息是否符合特定的规则或格式。也就是是否包含分号、反斜杠、非 ascii 字符和路径遍历,如果包含这些东西的某一个都表明是不合法的,isAccessAllowed 方法就会返回 false,从而阻止此次请求的进一步处理。
requestURI、servletPath 和 pathInfo 的区别
HttpServletRequest 类中的 getRequestURI()、getServletPath() 和 getPathInfo() 这三个方法分别提供了不同层次的请求路径信息:
request.getRequestURI():返回的是客户端发送的完整请求 URI,也就是请求行中的请求资源部分,不包含协议、主机名和端口号,但包括查询参数(如果有)。示例:如果请求是 https://www.emanjusaka.top/context-path/some/path?param=value,则 getRequestURI() 返回 /context-path/some/path?param=value。
request.getServletPath():返回的是匹配到当前 Servlet 的路径部分,这部分路径是根据 web.xml 或 Spring MVC 的 @RequestMapping 注解等配置确定的。示例:如果请求是 https://www.emanjusaka.top/context-path/my-app/some/path,假设 /my-app/* 匹配到了一个 Servlet,则 getServletPath() 返回 /my-app/some(具体值取决于 Servlet 映射配置)。
request.getPathInfo():返回的是请求 URI 中除 Servlet 路径之外的部分,这部分被称为路径信息(Path Info),通常包含匹配 Servlet 之后剩余的具体资源路径。继续上面的示例,对于请求 https://www.emanjusaka.top/context-path/my-app/some/path,getPathInfo() 返回 /path,因为 /some/path 超出了 /my-app/* 的 Servlet 映射,/some 是 Servlet 路径,而 /path 是额外的路径信息。
总结起来,getRequestURI() 是整个请求资源路径,包括可能存在的查询参数;getServletPath() 是匹配到的 Servlet 路径;而 getPathInfo() 是请求资源路径中超出 Servlet 映射的那一部分。
解决方案
下面给出两种解决方案:
方案一:
@Configuration@Slf4jpublic class ShiroConfig { @Bean public InvalidRequestFilter invalidRequestFilter() { InvalidRequestFilter invalidRequestFilter = new InvalidRequestFilter(); invalidRequestFilter.setBlockNonAscii(false); return invalidRequestFilter; } @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(securityManager); Map<String, String> map = new LinkedHashMap<>(); //登出 map.put("/logout", "logout"); //登录 map.put("/login/**", "anon"); //对所有用户认证 map.put("/**", "authc"); //登录 shiroFilterFactoryBean.setLoginUrl(loginUrl); //首页 shiroFilterFactoryBean.setSuccessUrl("/index"); //错误页面,认证不通过跳转 shiroFilterFactoryBean.setUnauthorizedUrl("/error"); shiroFilterFactoryBean.setFilterChainDefinitionMap(map); HashMap<String, Filter> filterMap = new LinkedHashMap<>(); filterMap.put("invalidRequest", invalidRequestFilter()); shiroFilterFactoryBean.setFilters(filterMap); return shiroFilterFactoryBean; } //... 省略其他配置}
复制代码
方案二:
自定义的 CNInvalidRequestFilter,把 InvalidRequestFilter 的代码复制了过来,只修改其中一小部分,在不影响原始功能的情况下,让中文字符的请求路径通过检查。
package top.emanjusaka.filter;
import org.apache.shiro.web.filter.AccessControlFilter;import org.apache.shiro.web.util.WebUtils;import org.springframework.stereotype.Component;import org.springframework.util.StringUtils;
import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import java.util.Arrays;import java.util.Collections;import java.util.List;import java.util.Objects;import java.util.stream.Stream;
@Componentpublic class CNInvalidRequestFilter extends AccessControlFilter { private static final List<String> SEMICOLON = Collections.unmodifiableList(Arrays.asList(";", "%3b", "%3B")); private static final List<String> BACKSLASH = Collections.unmodifiableList(Arrays.asList("\\", "%5c", "%5C")); private boolean blockSemicolon = true; private boolean blockBackslash = !Boolean.getBoolean("org.apache.shiro.web.ALLOW_BACKSLASH"); private boolean blockNonAscii = true;
protected boolean isAccessAllowed(ServletRequest req, ServletResponse response, Object mappedValue) throws Exception { HttpServletRequest request = WebUtils.toHttp(req); return this.isValid(request.getRequestURI()) && this.isValid(request.getServletPath()) && this.isValid(request.getPathInfo()); }
private boolean isValid(String uri) { return !StringUtils.hasText(uri) || !this.containsSemicolon(uri) && !this.containsBackslash(uri) && !this.containsNonAsciiCharacters(uri); }
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { WebUtils.toHttp(response).sendError(400, "Invalid request"); return false; }
private boolean containsSemicolon(String uri) { if (this.isBlockSemicolon()) { Stream<String> var10000 = SEMICOLON.stream(); Objects.requireNonNull(uri); return var10000.anyMatch(uri::contains); } else { return false; } }
private boolean containsBackslash(String uri) { if (this.isBlockBackslash()) { Stream<String> var10000 = BACKSLASH.stream(); Objects.requireNonNull(uri); return var10000.anyMatch(uri::contains); } else { return false; } }
private boolean containsNonAsciiCharacters(String uri) { if (this.isBlockNonAscii()) { return !containsOnlyPrintableAsciiCharacters(uri); } else { return false; } }
private boolean isChinese(char c) { Character.UnicodeBlock ub = Character.UnicodeBlock.of(c); return ub == Character.UnicodeBlock.CJK_UNIFIED_IDEOGRAPHS || ub == Character.UnicodeBlock.CJK_COMPATIBILITY_IDEOGRAPHS || ub == Character.UnicodeBlock.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_A || ub == Character.UnicodeBlock.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_B || ub == Character.UnicodeBlock.CJK_SYMBOLS_AND_PUNCTUATION || ub == Character.UnicodeBlock.HALFWIDTH_AND_FULLWIDTH_FORMS || ub == Character.UnicodeBlock.GENERAL_PUNCTUATION; }
private boolean containsOnlyPrintableAsciiCharacters(String uri) { int length = uri.length();
for (int i = 0; i < length; ++i) { char c = uri.charAt(i); if ((c < ' ' || c > '~') && !isChinese(c)) { return false; } }
return true; }
public boolean isBlockSemicolon() { return this.blockSemicolon; }
public void setBlockSemicolon(boolean blockSemicolon) { this.blockSemicolon = blockSemicolon; }
public boolean isBlockBackslash() { return this.blockBackslash; }
public void setBlockBackslash(boolean blockBackslash) { this.blockBackslash = blockBackslash; }
public boolean isBlockNonAscii() { return this.blockNonAscii; }
public void setBlockNonAscii(boolean blockNonAscii) { this.blockNonAscii = blockNonAscii; }}
复制代码
配置自定义的过滤器到 shiro 中
@Configuration@Slf4jpublic class ShiroConfig { @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(securityManager); Map<String, String> map = new LinkedHashMap<>(); //登出 map.put("/logout", "logout"); //登录 map.put("/login/**", "anon"); //对所有用户认证 map.put("/**", "authc"); //登录 shiroFilterFactoryBean.setLoginUrl(loginUrl); //首页 shiroFilterFactoryBean.setSuccessUrl("/index"); //错误页面,认证不通过跳转 shiroFilterFactoryBean.setUnauthorizedUrl("/error"); shiroFilterFactoryBean.setFilterChainDefinitionMap(map); HashMap<String, Filter> filterMap = new LinkedHashMap<>(); filterMap.put("invalidRequest", new CNInvalidRequestFilter()); shiroFilterFactoryBean.setFilters(filterMap); return shiroFilterFactoryBean; } //... 省略其他配置}
复制代码
参考资料
https://blog.pressed.top/2021/03/26/springboot_shiro/#InvalidRequestFilter
在技术的星河中遨游,我们互为引路星辰,共同追逐成长的光芒。愿本文的洞见能触动您的思绪,若有所共鸣,请以点赞之手,轻抚赞同的弦。
原文地址: https://www.emanjusaka.top/2024/04/shiro-request-chinese-error-400
微信公众号:emanjusaka 的编程栈
评论