upload security lab

README.md

@@ -11,6 +11,8 @@ oauth2lab
 5. [Postman](https://www.getpostman.com/)
 6. [Eclipse STS](https://spring.io/tools)
 7. [Android Studio](https://developer.android.com/studio/index.html)
+8. [Firefox Browser](http://rj.baidu.com/soft/detail/10365.html)
+9. [NoRedirect Add on for Firefox](https://addons.mozilla.org/en-US/firefox/addon/noredirect/)
 
 # 实验目录
 1. [lab01](lab01)~授权服务器实验

lab07/README.md

@@ -0,0 +1,38 @@
+跨站点请求伪造(CSRF)安全实验
+======
+
+# 操作方式
+
+### 1. 安装Firefox浏览器和NoRedirect Add on for Firefox
+* [Firefox Browser](http://rj.baidu.com/soft/detail/10365.html)
+* [NoRedirect Add on for Firefox](https://addons.mozilla.org/en-US/firefox/addon/noredirect/)
+
+将`http://localhost:8080`加入NoRedirect设置的规则列表，选中`来源`，并将该规则置顶。
+
+### 2. 启动授权服务器state-oauth2server，端口8080
+
+### 3. 启动Web客户端应用state-client，端口9000
+
+### 4. 使用Firefox浏览器获取授权码
+
+使用黑客账号`attacker/xyz`进行登录认证，注意请求不带**state**
+
+```
+http://localhost:8080/oauth/authorize?client_id=clientapp&redirect_uri=http
+://localhost:9000/resource&response_type=code&scope=read+write
+```
+获取授权码返回链接被NoRedirect截获，复制该链接
+
+```
+http://localhost:9000/resource?code=So3A96
+```
+
+### 5. 使用Chrome浏览器登录`http://loalhost:9000`
+
+使用正常用户账号`bobo/xyz`进行登录认证
+
+在浏览器地址栏粘贴上面复制的授权码返回链接，并请求，Spring Security OAuth2 client会进行state校验并报错：
+
+```
+Possible CSRF detected - state parameter was required but no state could be found
+```

lab07/state-param-security/state-client/.gitignore

@@ -0,0 +1,24 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/

lab07/state-param-security/state-client/pom.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>io.spring2go.oauth2</groupId>
+	<artifactId>state-client</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<packaging>jar</packaging>
+
+	<name>state-client</name>
+	<description>Demo project for Spring Boot</description>
+
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>1.5.10.RELEASE</version>
+		<relativePath/> <!-- lookup parent from repository -->
+	</parent>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-thymeleaf</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security.oauth</groupId>
+			<artifactId>spring-security-oauth2</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+
+</project>

lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/ClientStateApplication.java

@@ -0,0 +1,12 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ClientStateApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(ClientStateApplication.class, args);
+	}
+}

lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/HomeController.java

@@ -0,0 +1,36 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+@Controller
+public class HomeController {
+
+    @Autowired
+    private OAuth2RestTemplate restTemplate;
+
+    @GetMapping("/")
+    public ModelAndView home() {
+        User user = (User) SecurityContextHolder
+            .getContext().getAuthentication().getPrincipal();
+        ModelAndView mv = new ModelAndView("home");
+        mv.addObject("username", user.getUsername());
+        return mv;
+    }
+
+    @GetMapping("/resource")
+    public ModelAndView resource() {
+        String result = restTemplate
+                .getForObject("http://localhost:8080/api/username", String.class);
+
+        ModelAndView mv = new ModelAndView("resource");
+        mv.addObject("result", result);
+        return mv;
+    }
+
+}

lab07/state-param-security/state-client/src/main/java/io/spring2go/oauth2/clientstate/OAuth2Configuration.java

@@ -0,0 +1,32 @@
+package io.spring2go.oauth2.clientstate;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.client.OAuth2ClientContext;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
+import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
+
+@Configuration @EnableOAuth2Client
+public class OAuth2Configuration {
+
+    @Bean
+    public OAuth2ProtectedResourceDetails authorizationCode() {
+        AuthorizationCodeResourceDetails details =
+            new AuthorizationCodeResourceDetails();
+        details.setId("oauth2server");
+        details.setClientId("clientapp");
+        details.setClientSecret("112233");
+        details.setUseCurrentUri(true);
+        details.setUserAuthorizationUri("http://localhost:8080/oauth/authorize");
+        details.setAccessTokenUri("http://localhost:8080/oauth/token");
+        return details;
+    }
+
+    @Bean
+    public OAuth2RestTemplate restTemplate(OAuth2ClientContext context) {
+        return new OAuth2RestTemplate(authorizationCode(), context);
+    }
+
+}

lab07/state-param-security/state-client/src/main/resources/application.properties

@@ -0,0 +1,4 @@
+server.port=9000
+server.session.cookie.name=client_session
+security.user.name=bobo
+security.user.password=xyz

lab07/state-param-security/state-client/src/main/resources/templates/home.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml"
+  xmlns:th="http://www.thymeleaf.org">
+<body>
+<div style="border: 3px solid black; width: 30%; padding: 10px">
+    <h1>Hello</h1>
+    <span th:text="${username}"></span>
+    <div>
+        <a th:href="@{/resource}">Get resource</a>
+    </div>
+</div>
+</body>
+</html>

lab07/state-param-security/state-client/src/main/resources/templates/resource.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml"
+  xmlns:th="http://www.thymeleaf.org">
+<body>
+<div style="border: 3px solid black; width: 30%; padding: 10px">
+    <h1>That's the result</h1>
+    <p>result:<span th:text="${result}"></span></p>
+</div>
+</body>
+</html>

lab07/state-param-security/state-oauth2server/.gitignore

@@ -0,0 +1,24 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/

lab07/state-param-security/state-oauth2server/pom.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>io.spring2go.oauth2</groupId>
+	<artifactId>state-oauth2server</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<packaging>jar</packaging>
+
+	<name>state-oauth2server</name>
+	<description>Demo project for Spring Boot</description>
+
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>1.5.10.RELEASE</version>
+		<relativePath/> <!-- lookup parent from repository -->
+	</parent>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-data-jpa</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.h2database</groupId>
+			<artifactId>h2</artifactId>
+			<scope>runtime</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security.oauth</groupId>
+			<artifactId>spring-security-oauth2</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+
+</project>

lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/ApiController.java

@@ -0,0 +1,18 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class ApiController {
+
+    @GetMapping("/api/username")
+    public ResponseEntity<String> getUsername() {
+        UserInfo user = (UserInfo) SecurityContextHolder
+            .getContext().getAuthentication().getPrincipal();
+        return ResponseEntity.ok("success " + user.getUsername());
+    }
+
+}

lab07/state-param-security/state-oauth2server/src/main/java/io/spring2go/oauth2/oauth2serverstate/CustomUserDetailsService.java

@@ -0,0 +1,25 @@
+package io.spring2go.oauth2.oauth2serverstate;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+import java.util.Optional;
+
+@Service
+public class CustomUserDetailsService implements UserDetailsService {
+
+    @Autowired
+    private UserInfoRepository repository;
+
+    @Override
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+        Optional<UserInfo> user =
+            repository.findByUsername(username);
+
+        return user.orElseThrow(() ->
+            new UsernameNotFoundException("user does not exists"));
+    }
+}