[SpringBlade-Privilege Defects] API Authentication Logic Defect Vulnerabilities

Contents

1. Theoretical part

Introduction

How to pass authentication

API authentication

Configure API release

Fine-grained authentication configuration

End

2. Practical part


1. Theoretical part

Introduction

  • Secure is a JWT-based wrapper. On every request, APIs that require authentication are intercepted and the Token carried in the request header is verified.
  • If the Token is expired, missing or wrong, authentication fails and the corresponding API cannot be accessed.
  • Secure is SpringBlade's security framework and lives in Blade-Tool.
  • This chapter introduces the basic usage of Secure.

How to pass authentication

1. First, call the Auth interface with the account name and password to obtain the authorization information that is returned on success.

2. Start the three services AuthApplication, UserApplication and BladeLogApplication.

3. Call http://localhost/blade-auth/token with the corresponding parameters. A response like the one in the figure below means the authentication information was obtained successfully.
   ("c3dvcmQ6c3dvcmRfc2VjcmV0" is the base64 encoding of the clientId:clientSecret string; this value varies with the client configuration.)

4. Take tokenType and accessToken from the returned JSON and join them together, separated by a comma.

5. Set the request header blade-auth to tokenType + ' ' + accessToken. (All subsequent interface calls must also carry the request header Authorization with the value c3dvcmQ6c3dvcmRfc2VjcmV0.)

6. Call http://localhost/blade-demo/api/info?name=Chill again; it now returns Hello, My Name Is: Chill, indicating that authentication succeeded.

7. In theory, every business API needs authentication to keep the whole system secure. There are, however, special cases in which an API may be called without authentication; this is where Secure's API release configuration comes in.

8. Even when authentication succeeds for a business API, it may still be necessary to decide, based on role permissions, whether the caller is allowed to invoke it; this is where Secure's finer-grained authentication configuration comes in.

Extension: passwords may be hashed twice

For example, this admin password is MD5-hashed.

Fill in the obtained Authorization and Blade-Auth headers

(Just put name:value in the request parameters, Params.)

API Authentication

Configure API release

1. If you use the SpringBoot version, go to the corresponding configuration file and add the interface release configuration.

2. If you use SpringCloud, open Nacos, find the corresponding configuration file and add the interface release configuration.

3. If the rule needs to cover all requests under a certain API path, change it to /api/**, where ** stands for every request at the levels below.

4. Restart the project and remove the request header. The request still succeeds, indicating that the API release configuration works.

Fine-grained authentication configuration

1. The authentication configuration uses the @PreAuth annotation of the Secure module.

2. To have something to compare against, release count (as long as Token authentication passes, the API can be called):

@GetMapping("count")
@PreAuth("permitAll()")  // released: any caller that passed Token authentication
public Integer count(Integer cnt) {
    return cnt * 10;
}

3. Restrict info: the caller must hold the role test to call it.

@GetMapping("info")
@PreAuth("hasRole('test')")  // only callers holding the role test
public String info(String name) {
    return "Hello, My Name Is: " + name;
}

4. Calling /api/count succeeds.

5. Calling /api/info returns Request Unauthorized again, because our admin account has not been assigned the test role.

6. Try changing it back to the admin permission:

@GetMapping("info")
@PreAuth("hasRole('administrator')")  // the admin account holds this role
public String info(String name) {
    return "Hello, My Name Is: " + name;
}

7. Calling /api/info now succeeds.

End

  • The Secure framework implements two layers of API authentication.
  • The first layer verifies whether the Token carried in the request is legitimate; APIs that do not require Token verification can be released through configuration.
  • The second layer checks whether the @PreAuth expression is satisfied and returns Request Unauthorized if not.
  • @PreAuth can be applied at class level and at method level; at class level it authenticates all methods of the class.
  • @PreAuth also supports Spring EL expressions, which makes it very extensible; more functions await your exploration~
  • Spring EL documentation: Spring Framework Reference Documentation
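As an added illustration (not Blade-Tool or SpringBlade code), the Python model below puts the release configuration from "Configure API release" and the @PreAuth rules from "Fine-grained authentication configuration" side by side: it matches paths against Ant-style release patterns the way /api/** was described, evaluates the two @PreAuth forms used above, and adds an audit function that lists role-protected endpoints a release pattern would serve without any Token. The endpoint table, roles and the two release lists are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Added model of the two-layer check this page describes (not Blade-Tool code):
# layer 1 releases paths matching a release pattern, or else requires a valid
# Token; layer 2 then requires the endpoint's @PreAuth expression to hold.

def ant_to_regex(pattern: str) -> re.Pattern:
    """Ant-style pattern to anchored regex: '**' spans segments, '*' stays in one."""
    regex = "".join(".*" if tok == "**" else "[^/]*" if tok == "*" else re.escape(tok)
                    for tok in re.split(r"(\*\*|\*)", pattern) if tok)
    return re.compile("^" + regex + "$")

@dataclass
class Caller:
    token_valid: bool
    roles: set = field(default_factory=set)

def pre_auth_ok(expr: str, caller: Caller) -> bool:
    """Evaluate the two @PreAuth forms used on this page."""
    if expr == "permitAll()":
        return True
    m = re.fullmatch(r"hasRole\('([^']+)'\)", expr)
    if m:
        return m.group(1) in caller.roles
    raise ValueError("unsupported @PreAuth expression: " + expr)

def authorize(path: str, caller: Caller, release_urls, endpoints) -> str:
    """Return 'released', 'ok' or 'unauthorized' for one request."""
    if any(ant_to_regex(p).match(path) for p in release_urls):
        return "released"      # layer 1 skipped by configuration, no Token needed
    if not caller.token_valid:
        return "unauthorized"  # layer 1: Token missing, expired or invalid
    if not pre_auth_ok(endpoints[path], caller):
        return "unauthorized"  # layer 2: @PreAuth not satisfied
    return "ok"

def exposed_by_release(release_urls, endpoints) -> list:
    """Audit: role-protected endpoints that a release pattern also matches."""
    return sorted(p for p, expr in endpoints.items() if expr != "permitAll()"
                  and any(ant_to_regex(s).match(p) for s in release_urls))

# Constructed sample: the two endpoints from this page and two release configs.
ENDPOINTS = {"/api/count": "permitAll()", "/api/info": "hasRole('test')"}
NARROW = ["/api/count"]  # releases only the endpoint meant to be public
BROAD = ["/api/**"]      # also releases /api/info, which @PreAuth was guarding
```

Running exposed_by_release over BROAD flags /api/info, which is the check worth adding to a configuration review before a broad release pattern ships.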

2. Practical part

README.md · Shu Bansheng/Network Security Knowledge System - Practical Center - Gitee.com: https://gitee.com/shubansheng/Treasure_knowledge/blob/master/README.md

GitHub – BLACKxZONE/Treasure_knowledge: https://github.com/BLACKxZONE/Treasure_knowledge

For more information, please refer to the springBlade development manual:

https://www.kancloud.cn/smallchill/blade/