Commit de73eb2

author
archcentric
committed
upload security lab
1 parent 9f5fa53 commit de73eb2

20 files changed

+473
-0
lines changed

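--- a/README.md
+++ b/README.md
@@ -11,6 +11,8 @@ oauth2lab
 5. [Postman](https://www.getpostman.com/)
 6. [Eclipse STS](https://spring.io/tools)
 7. [Android Studio](https://developer.android.com/studio/index.html)
+8. [Firefox Browser](http://rj.baidu.com/soft/detail/10365.html)
+9. [NoRedirect Add on for Firefox](https://addons.mozilla.org/en-US/firefox/addon/noredirect/)
 
 # 实验目录
 1. [lab01](lab01)~授权服务器实验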

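--- a/lab07/README.md
+++ b/lab07/README.md
@@ -0,0 +1,38 @@
+跨站点请求伪造(CSRF)安全实验
+======
+
+# 操作方式
+
+### 1. 安装Firefox浏览器和NoRedirect Add on for Firefox
+* [Firefox Browser](http://rj.baidu.com/soft/detail/10365.html)
+* [NoRedirect Add on for Firefox](https://addons.mozilla.org/en-US/firefox/addon/noredirect/)
+
+`http://localhost:8080`加入NoRedirect设置的规则列表,选中`来源`,并将该规则置顶。
+
+### 2. 启动授权服务器state-oauth2server,端口8080
+
+### 3. 启动Web客户端应用state-client,端口9000
+
+### 4. 使用Firefox浏览器获取授权码
+
+使用黑客账号`attacker/xyz`进行登录认证,注意请求不带**state**
+
+```
+http://localhost:8080/oauth/authorize?client_id=clientapp&redirect_uri=http
+://localhost:9000/resource&response_type=code&scope=read+write
+```
+获取授权码返回链接被NoRedirect截获,复制该链接
+
+```
+http://localhost:9000/resource?code=So3A96
+```
+
+### 5. 使用Chrome浏览器登录`http://loalhost:9000`
+
+使用正常用户账号`bobo/xyz`进行登录认证
+
+在浏览器地址栏粘贴上面复制的授权码返回链接,并请求,Spring Security OAuth2 client会进行state校验并报错:
+
+```
+Possible CSRF detected - state parameter was required but no state could be found
+```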
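--- a/PATH_NOT_ON_PAGE/.gitignore
+++ b/PATH_NOT_ON_PAGE/.gitignore
@@ -0,0 +1,24 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/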
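--- a/PATH_NOT_ON_PAGE/pom.xml
+++ b/PATH_NOT_ON_PAGE/pom.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>io.spring2go.oauth2</groupId>
+    <artifactId>state-client</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <name>state-client</name>
+    <description>Demo project for Spring Boot</description>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.10.RELEASE</version>
+        <relativePath/> <!-- lookup parent from repository -->
+    </parent>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <java.version>1.8</java.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security.oauth</groupId>
+            <artifactId>spring-security-oauth2</artifactId>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+
+</project>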
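--- a/PATH_NOT_ON_PAGE/ClientStateApplication.java
+++ b/PATH_NOT_ON_PAGE/ClientStateApplication.java
@@ -0,0 +1,12 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ClientStateApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(ClientStateApplication.class, args);
+    }
+}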
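--- a/PATH_NOT_ON_PAGE/HomeController.java
+++ b/PATH_NOT_ON_PAGE/HomeController.java
@@ -0,0 +1,36 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+@Controller
+public class HomeController {
+
+    @Autowired
+    private OAuth2RestTemplate restTemplate;
+
+    @GetMapping("/")
+    public ModelAndView home() {
+        User user = (User) SecurityContextHolder
+                .getContext().getAuthentication().getPrincipal();
+        ModelAndView mv = new ModelAndView("home");
+        mv.addObject("username", user.getUsername());
+        return mv;
+    }
+
+    @GetMapping("/resource")
+    public ModelAndView resource() {
+        String result = restTemplate
+                .getForObject("http://localhost:8080/api/username", String.class);
+
+        ModelAndView mv = new ModelAndView("resource");
+        mv.addObject("result", result);
+        return mv;
+    }
+
+}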
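Review bot: The cast `(User) SecurityContextHolder.getContext().getAuthentication().getPrincipal()` in home() assumes the principal is Spring's `User` and that an Authentication is present; with a different UserDetailsService or if the endpoint is ever reachable unauthenticated, the cast fails with ClassCastException or NullPointerException before the view renders. `Authentication.getName()` yields the username without the cast: `mv.addObject("username", SecurityContextHolder.getContext().getAuthentication().getName());`, which also lets the `User` import go. In resource(), the protected-resource URL `http://localhost:8080/api/username` is hard-coded beside the same host that the client configuration already hard-codes; reading it from a property would keep the server location in one place, and a short Javadoc on resource() noting that the call is what triggers the authorization-code flow (and the state check the lab demonstrates) would help readers of the lab.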
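--- a/PATH_NOT_ON_PAGE/OAuth2Configuration.java
+++ b/PATH_NOT_ON_PAGE/OAuth2Configuration.java
@@ -0,0 +1,32 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.client.OAuth2ClientContext;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
+import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
+
+@Configuration @EnableOAuth2Client
+public class OAuth2Configuration {
+
+    @Bean
+    public OAuth2ProtectedResourceDetails authorizationCode() {
+        AuthorizationCodeResourceDetails details =
+                new AuthorizationCodeResourceDetails();
+        details.setId("oauth2server");
+        details.setClientId("clientapp");
+        details.setClientSecret("112233");
+        details.setUseCurrentUri(true);
+        details.setUserAuthorizationUri("http://localhost:8080/oauth/authorize");
+        details.setAccessTokenUri("http://localhost:8080/oauth/token");
+        return details;
+    }
+
+    @Bean
+    public OAuth2RestTemplate restTemplate(OAuth2ClientContext context) {
+        return new OAuth2RestTemplate(authorizationCode(), context);
+    }
+
+}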
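Review bot: The client secret `112233` is committed in source in authorizationCode(), together with the client id and both endpoint URIs; Spring Boot 1.5 binds `security.oauth2.client.client-id`, `security.oauth2.client.client-secret`, `security.oauth2.client.user-authorization-uri` and `security.oauth2.client.access-token-uri` for `@EnableOAuth2Client`, so this commit's properties file could carry them and the secret would stay out of the class even in a lab. If the bean is kept, `restTemplate` should take the resource details as a parameter instead of calling `authorizationCode()` directly, so the wiring does not depend on proxying of the `@Configuration` class: `public OAuth2RestTemplate restTemplate(OAuth2ProtectedResourceDetails details, OAuth2ClientContext context) { return new OAuth2RestTemplate(details, context); }`. A comment on `details.setUseCurrentUri(true)` would also help, since it is what makes the redirect_uri follow the request that started the flow (the README's example uses `/resource`), leaving the authorization server's registered-redirect check as the only thing pinning it.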
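--- a/PATH_NOT_ON_PAGE/application.properties
+++ b/PATH_NOT_ON_PAGE/application.properties
@@ -0,0 +1,4 @@
+server.port=9000
+server.session.cookie.name=client_session
+security.user.name=bobo
+security.user.password=xyz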
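--- a/PATH_NOT_ON_PAGE/home.html
+++ b/PATH_NOT_ON_PAGE/home.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml"
+      xmlns:th="http://www.thymeleaf.org">
+<body>
+<div style="border: 3px solid black; width: 30%; padding: 10px">
+    <h1>Hello</h1>
+    <span th:text="${username}"></span>
+    <div>
+        <a th:href="@{/resource}">Get resource</a>
+    </div>
+</div>
+</body>
+</html>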
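--- a/PATH_NOT_ON_PAGE/resource.html
+++ b/PATH_NOT_ON_PAGE/resource.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml"
+      xmlns:th="http://www.thymeleaf.org">
+<body>
+<div style="border: 3px solid black; width: 30%; padding: 10px">
+    <h1>That's the result</h1>
+    <p>result:<span th:text="${result}"></span></p>
+</div>
+</body>
+</html>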
