add auth

Author: JoyChou93

README.md

@@ -11,6 +11,27 @@ This project can also be called Java vulnerability code.
 
 Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.
 
+## Authenticate
+
+### Login
+
+[http://localhost:8080/login](http://localhost:8080/login)
+
+If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.
+
+```
+admin/admin123
+joychou/joychou123
+```
+
+### Logout
+
+[http://localhost:8080/logout](http://localhost:8080/logout)
+
+### RememberMe
+
+Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.
+
 ## Vulnerability Code
 
 Sort by letter.

README_zh.md

@@ -10,6 +10,26 @@
 
 每个漏洞类型代码默认存在安全漏洞（除非本身不存在漏洞），相关修复代码在注释里。具体可查看每个漏洞代码和注释。
 
+## 认证
+
+### 登录
+
+[http://localhost:8080/login](http://localhost:8080/login)
+
+如果未登录，访问任何页面都会重定向到login页面。用户名和密码如下。
+
+```
+admin/admin123
+joychou/joychou123
+```
+### 登出
+
+[http://localhost:8080/logout](http://localhost:8080/logout)
+
+### 记住我
+
+Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能，默认过期时间为2周。
+
 ## 漏洞代码
 
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)

src/main/java/org/joychou/controller/CORS.java

@@ -1,10 +1,10 @@
 package org.joychou.controller;
 
 import org.joychou.security.SecurityUtil;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.joychou.controller.jsonp.JSONP;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -15,15 +15,14 @@
  * @desc    https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
-@Controller
+@RestController
 @RequestMapping("/cors")
 public class CORS {
 
     protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
     protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
 
     @RequestMapping("/vuls1")
-    @ResponseBody
     private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
         // 获取Header中的Origin
         String origin = request.getHeader("origin");
@@ -33,7 +32,6 @@ private static String vuls1(HttpServletRequest request, HttpServletResponse resp
     }
 
     @RequestMapping("/vuls2")
-    @ResponseBody
     private static String vuls2(HttpServletResponse response) {
         // 不建议设置为*
         // 后端设置Access-Control-Allow-Origin为*的情况下，跨域的时候前端如果设置withCredentials为true会异常
@@ -43,15 +41,13 @@ private static String vuls2(HttpServletResponse response) {
 
     @CrossOrigin("*")
     @RequestMapping("/vuls3")
-    @ResponseBody
     private static String vuls3(HttpServletResponse response) {
         return info;
     }
 
 
     @RequestMapping("/sec")
-    @ResponseBody
-    private static String seccode(HttpServletRequest request, HttpServletResponse response) {
+    public String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
@@ -61,7 +57,7 @@ private static String seccode(HttpServletRequest request, HttpServletResponse re
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
         response.setHeader("Access-Control-Allow-Credentials", "true");
-        return info;
+        return JSONP.getUserInfo(request);
     }
 
 

src/main/java/org/joychou/controller/CSRF.java

@@ -7,20 +7,18 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
- * @author  JoyChou ([email protected])
- * @date    2019.05.31
- * @desc    check csrf using spring-security
- * @usage   Access http://localhost:8080/csrf/ -> click submit
+ * check csrf using spring-security
+ * Access http://localhost:8080/csrf/ -> click submit
+ *
+ * @author  JoyChou ([email protected]) @2019-05-31
  */
-
-
 @Controller
 @RequestMapping("/csrf")
 public class CSRF {
 
     @GetMapping("/")
     public String index() {
-        return "csrfTest";
+        return "form";
     }
 
     @PostMapping("/post")

src/main/java/org/joychou/controller/Index.java

@@ -6,6 +6,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -18,11 +19,14 @@
 
 @Controller
 public class Index {
-    @RequestMapping("/")
+    @RequestMapping("/index")
     @ResponseBody
-    public static String index() {
+    public static String index(HttpServletRequest request) {
+        String username = request.getUserPrincipal().getName();
         Map m = new HashMap();
-        m.put("app_name", "java_vul_code");
+        m.put("username", username);
+        m.put("login", "success");
+        m.put("app_name", "java security code");
         m.put("java_version", System.getProperty("java.version"));
         m.put("fastjson_version", JSON.VERSION);
 

src/main/java/org/joychou/controller/Login.java

@@ -0,0 +1,58 @@
+package org.joychou.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+@Controller
+public class Login {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @RequestMapping("/login")
+    public String login() {
+        return "login";
+    }
+
+    @GetMapping("/logout")
+    public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
+
+        String username = request.getUserPrincipal().getName();
+
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        if (auth != null) {
+            new SecurityContextLogoutHandler().logout(request, response, auth);
+        }
+
+        String[] deleteCookieKey = {"JSESSIONID", "remember-me"}; // delete cookie
+        for (String key : deleteCookieKey) {
+            Cookie cookie = new Cookie(key, null);
+            cookie.setMaxAge(0);
+            cookie.setPath("/");
+            response.addCookie(cookie);
+        }
+
+        if (null == request.getUserPrincipal()) {
+            logger.info("User " + username + " logout successfully.");
+        } else {
+            logger.info("User " + username + " logout failed. Please try again.");
+        }
+
+        return "redirect:/login?logout";
+    }
+
+    @RequestMapping("/")
+    public String redirect() {
+        return "redirect:/index";
+    }
+}

src/main/java/org/joychou/controller/jsonp/JSONP.java

@@ -7,7 +7,9 @@
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
 
 
 /**
@@ -19,20 +21,30 @@
 @RequestMapping("/jsonp")
 public class JSONP {
 
-    private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
     private static String[] urlwhitelist = {"joychou.com", "joychou.org"};
 
 
+    // get current login username
+    public static String getUserInfo(HttpServletRequest request) {
+        Principal principal = request.getUserPrincipal();
+
+        String username = principal.getName();
+
+        Map m = new HashMap();
+        m.put("Username", username);
+
+        return JSON.toJSONString(m);
+    }
     /**
      * Set the response content-type to application/javascript.
      *
      * http://localhost:8080/jsonp/referer?callback=test
      *
      */
     @RequestMapping(value = "/referer", produces = "application/javascript")
-    private static String referer(HttpServletRequest request, HttpServletResponse response) {
+    private String referer(HttpServletRequest request, HttpServletResponse response) {
         String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
+        return callback + "(" + getUserInfo(request) + ")";
     }
 
     /**
@@ -43,15 +55,15 @@ private static String referer(HttpServletRequest request, HttpServletResponse re
      *
      */
     @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
-    private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
+    private String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
         String referer = request.getHeader("referer");
 
         if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
             return "error";
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
+        return callback + "(" + getUserInfo(request) + ")";
     }
 
     /**
@@ -63,8 +75,8 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon
      *         Such as JSONOjbect or JavaBean. String type cannot be used.
      */
     @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
-    public JSONObject advice() {
-        return JSON.parseObject(info);
+    public JSONObject advice(HttpServletRequest request) {
+        return JSON.parseObject(getUserInfo(request));
 
     }
 
@@ -73,15 +85,15 @@ public JSONObject advice() {
      * http://localhost:8080/jsonp/sec?callback=test
      */
     @RequestMapping(value = "/sec", produces = "application/javascript")
-    private static String safecode(HttpServletRequest request, HttpServletResponse response) {
+    private String safecode(HttpServletRequest request, HttpServletResponse response) {
         String referer = request.getHeader("referer");
 
         if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
             return "error";
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + info + ")";
+        return callback + "(" + getUserInfo(request) + ")";
     }
 
 

src/main/java/org/joychou/security/AntObjectInputStream.java

@@ -13,7 +13,7 @@
  */
 public class AntObjectInputStream extends ObjectInputStream {
 
-    private final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class);
+    protected final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class);
 
     public AntObjectInputStream(InputStream inputStream) throws IOException {
         super(inputStream);

src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java

@@ -19,7 +19,7 @@
  */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
-    private final Logger logger= LoggerFactory.getLogger(CsrfAccessDeniedHandler.class);
+    protected final Logger logger= LoggerFactory.getLogger(this.getClass());
 
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,

src/main/java/org/joychou/security/LoginFailureHandler.java

@@ -0,0 +1,32 @@
+package org.joychou.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+
+
+public class LoginFailureHandler implements AuthenticationFailureHandler {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @Override
+    public void onAuthenticationFailure(HttpServletRequest request,
+                                        HttpServletResponse response, AuthenticationException exception)
+                                        throws ServletException, IOException {
+
+        logger.info("Login failed. " + request.getRequestURL() +
+                " username: " + request.getParameter("username") +
+                " password: " + request.getParameter("password") );
+
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.getWriter().write("{\"code\":0, \"message\":\"Login failed.\"}");
+    }
+
+}