我最近在我的雇主的一个基于
Spring的
Java应用程序中实现了一些安全性改进,并且我已经覆盖了Spring Security的AbstractUserDetailsAuthenticationProvider类,以便围绕用户身份验证做一些额外的处理.在此过程中,我意识到DefaultPreAuthenticationChecks内部类在身份验证提供程序运行通过验证密码的additionalAuthenticationChecks方法之前执行用户帐户检查.如果用户被禁用,过期或锁定,将引发异常,因此相关消息将显示在屏幕上.对我来说,在成功验证密码之前检查用户帐户并提供此帐户的详细信息是一种明显的安全风险,因为它可能会暴露用户帐户是否存在.有谁知道Spring Security可能以这种方式做事的一个很好的理由吗?显然,我可以通过使用一个什么都不做的检查方法创建我自己的虚拟类来覆盖DefaultPreAuthenticationChecks类,但遗憾的是,这必须首先完成.
提前致谢.
附:我在相关的注释here上找到了一个问题,但似乎没有人问这个潜在的安全漏洞存在的原因.
我想我在聚会上有点迟了,但万一有人还在想,社区实际上已经有
discussed this issue before了
引自开发者的话
Luke Taylor said:
This isn’t the case. It’s up to you what failure message you show to
the user when a login fails – there’s nothing to stop you saying
“login failed” regardless of the cause. It’s also not uncommon for
applications to inform a user that their account has been locked after
a fixed number of login attempts. The desired behaviour will depend on
exactly how you interpret the different status flags (which is not
strictly defined by the framework). The exceptions also drive the
generation of events by the AuthenticationManager,so they are not
necessarily there for user consumption at all. A sysadmin may want to
be informed anytime someone is trying to use a locked or disabled
account,for example,not just when they use the correct password.
It can also be argued that checking the password before the account
locked status and showing a “locked” message only when a correct
password is given would also allow brute-force password checking even
after the account has been locked.
So I disagree that the behaviour is “incorrect”. I think it might be
useful to be able to customize things though. Perhaps we should have
methods
preAuthenticationChecks(UserDetails user)
postAuthentication(UserDetails user)
which could be overridden to alter when the differed flags are
checked.
tl; dr:社区已经意识到这个问题,但他们并不认为这是一个潜在的安全漏洞,相反他们认为这取决于“你如何解释不同的状态标志”,是的,很容易改变默认行为使用setPostAuthenticationChecks(UserDetailsChecker postAuthenticationChecks)和setPreAuthenticationChecks(UserDetailsChecker preAuthenticationChecks)
