一,druid數據庫連接池的功能?
1,Druid是阿里巴巴開發的號稱為監控而生的數據庫連接池
它的優點包括:
可以監控數據庫訪問性能
SQL執行日志
SQL防火牆
2,druid的官方站:
https://github.com/alibaba/druid/
說明:劉宏締的架構森林是一個專注架構的博客,地址:https://www.cnblogs.com/architectforest
對應的源碼可以訪問這里獲取: https://github.com/liuhongdi/
說明:作者:劉宏締 郵箱: 371125307@qq.com
二,演示項目的相關信息:
1,項目地址:
https://github.com/liuhongdi/druid
2, 項目功能說明:
為druid配置log4j2作為日志記錄工具,
演示mybatis代碼中#和$變量的區別
3, 項目結構:如圖:
三,配置文件說明
1,pom.xml
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> <exclusions> <exclusion> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-logging</artifactId> </exclusion> </exclusions> </dependency> <!--druid begin--> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid-spring-boot-starter</artifactId> <version>1.1.23</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-log4j2</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> <version>3.4.2</version> </dependency> <!--druid end--> <!--mybatis begin--> <dependency> <groupId>org.mybatis.spring.boot</groupId> <artifactId>mybatis-spring-boot-starter</artifactId> <version>2.1.3</version> </dependency> <!--mybatis end--> <!--mysql begin--> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <scope>runtime</scope> </dependency> <!--mysql end--> <!--pagehelper begin--> <dependency> <groupId>com.github.pagehelper</groupId> <artifactId>pagehelper-spring-boot-starter</artifactId> <version>1.2.13</version> </dependency> <!--pagehelper end-->
說明:關閉了spring-boot-starter-web自帶的log功能,
用druid-spring-boot-starter引入druid,
disruptor這個依賴也需要引入,是log4j2使用異步日志中必需的
2,application.properties
#error server.error.include-stacktrace=always #error logging.level.org.springframework.web=trace # 數據源基本配置 spring.datasource.username = root spring.datasource.password = lhddemo spring.datasource.driver-class-name = com.mysql.cj.jdbc.Driver spring.datasource.url = jdbc:mysql://127.0.0.1:3306/store?serverTimezone=UTC spring.datasource.type = com.alibaba.druid.pool.DruidDataSource # Druid數據源配置 spring.datasource.druid.initialSize = 5 spring.datasource.druid.minIdle = 5 spring.datasource.druid.maxActive = 20 spring.datasource.druid.maxWait = 60000 spring.datasource.druid.timeBetweenEvictionRunsMillis = 60000 spring.datasource.druid.minEvictableIdleTimeMillis = 300000 spring.datasource.druid.validationQuery = SELECT 1 FROM DUAL spring.datasource.druid.testWhileIdle = true spring.datasource.druid.testOnBorrow = false spring.datasource.druid.testOnReturn = false spring.datasource.druid.poolPreparedStatements = true # 配置監控統計攔截的filters,去掉后監控界面sql無法統計,'wall'用於防火牆 spring.datasource.druid.filters = stat,wall,log4j2 spring.datasource.druid.maxPoolPreparedStatementPerConnectionSize = 20 spring.datasource.druid.useGlobalDataSourceStat = true spring.datasource.druid.connectionProperties = druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500 #druid sql firewall monitor spring.datasource.druid.filter.wall.enabled=true #druid sql monitor spring.datasource.druid.filter.stat.enabled=true spring.datasource.druid.filter.stat.log-slow-sql=true spring.datasource.druid.filter.stat.slow-sql-millis=10000 spring.datasource.druid.filter.stat.merge-sql=true #druid uri monitor spring.datasource.druid.web-stat-filter.enabled=true spring.datasource.druid.web-stat-filter.url-pattern=/* spring.datasource.druid.web-stat-filter.exclusions=*.js,*.gif,*.jpg,*.bmp,*.png,*.css,*.ico,/druid/* #druid session monitor spring.datasource.druid.web-stat-filter.session-stat-enable=true spring.datasource.druid.web-stat-filter.profile-enable=true #druid spring monitor spring.datasource.druid.aop-patterns=com.druid.* #druid login user config spring.datasource.druid.stat-view-servlet.login-username=root spring.datasource.druid.stat-view-servlet.login-password=root #monintor spring.datasource.druid.stat-view-servlet.enabled=true #spring.datasource.druid.stat-view-servlet.url-pattern="/druid/*" #mybatis mybatis.mapper-locations=classpath:/mapper/*Mapper.xml mybatis.type-aliases-package=com.example.demo.mapper mybatis.configuration.log-impl=org.apache.ibatis.logging.stdout.StdOutImpl logging.config = classpath:log4j2.xml
說明:除了druid的配置,指定了log的配置文件為: log4j2.xml
如果需要查看監控界面,需要設置以下一項:
spring.datasource.druid.stat-view-servlet.enabled=true
大家如果在生產環境中,可以設置它為false,只查看日志文件
使用log4j2日志時,注意spring.datasource.druid.filters 設置為 stat,wall,log4j2
3,log4j2.xml
<?xml version="1.0" encoding="UTF-8"?> <configuration status="OFF"> <appenders> <Console name="Console" target="SYSTEM_OUT"> <ThresholdFilter level="DEBUG" onMatch="ACCEPT" onMismatch="DENY"/> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> </Console> <!--處理INFO級別的日志,寫入到logs/info.log文件--> <RollingFile name="RollingFileInfo" fileName="./logs/info.log" filePattern="logs/$${date:yyyy-MM}/info-%d{yyyy-MM-dd}-%i.log.gz"> <Filters> <ThresholdFilter level="INFO"/> <ThresholdFilter level="WARN" onMatch="DENY" onMismatch="NEUTRAL"/> </Filters> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> <!--處理WARN級別的日志,寫入到logs/warn.log文件--> <RollingFile name="RollingFileWarn" fileName="./logs/warn.log" filePattern="logs/$${date:yyyy-MM}/warn-%d{yyyy-MM-dd}-%i.log.gz"> <Filters> <ThresholdFilter level="WARN"/> <ThresholdFilter level="ERROR" onMatch="DENY" onMismatch="NEUTRAL"/> </Filters> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> <!--處理error級別的日志,寫入到logs/error.log文件--> <RollingFile name="RollingFileError" fileName="./logs/error.log" filePattern="logs/$${date:yyyy-MM}/error-%d{yyyy-MM-dd}-%i.log.gz"> <ThresholdFilter level="ERROR"/> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> <!--druid的日志記錄追加器--> <RollingFile name="druidSqlRollingFile" fileName="./logs/druid-sql.log" filePattern="logs/$${date:yyyy-MM}/api-%d{yyyy-MM-dd}-%i.log.gz"> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> </appenders> <loggers> <AsyncRoot level="info"> <appender-ref ref="Console"/> <appender-ref ref="RollingFileInfo"/> <appender-ref ref="RollingFileWarn"/> <appender-ref ref="RollingFileError"/> </AsyncRoot> <!--記錄druid-sql的記錄--> <AsyncLogger name="druid.sql.Statement" level="debug" additivity="false"> <appender-ref ref="druidSqlRollingFile"/> </AsyncLogger> </loggers> </configuration>
說明:這里只是舉例,直接把日志放到了當前目錄,生產環境中建議為日志配置專門的目錄
4,數據表的結構:
CREATE TABLE `user` ( `userId` int(11) NOT NULL AUTO_INCREMENT COMMENT 'id', `username` varchar(200) NOT NULL DEFAULT '' COMMENT 'name', `password` varchar(100) NOT NULL DEFAULT '' COMMENT 'pass', PRIMARY KEY (`userId`), UNIQUE KEY `username` (`username`) ) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci COMMENT='user'
四,java代碼說明:
1,UserController.java
@RestController @RequestMapping("/user") public class UserController { @Resource private UserService userService; //mybatis使用#變量 @GetMapping("/login") public Object login(@RequestParam("username") String username, @RequestParam("password") String password ) { User userOne = userService.getOneUserByUsernamePassword(username,password); if (userOne == null) { System.out.println("user is null"); } return userOne; } //mybatis使用$變量 @GetMapping("/login2") public Object login2(@RequestParam("username") String username, @RequestParam("password") String password ) { User userOne = userService.getOneUserByUsernamePassword2(username,password); if (userOne == null) { System.out.println("user is null"); } return userOne; } }
說明:mybatis在mapper文件中,如果使用$時,屬於拼接sql語句,有sql注入的危險,
我們用來檢測druid的sql注入檢測是否生效
2,UserServiceImpl.java
@Service public class UserServiceImpl implements UserService { @Resource private UserMapper userMapper; //mybatis使用#變量 @Override public User getOneUserByUsernamePassword(String username,String password) { User userOne = userMapper.selectOneUserByUsernamePassword(username,password); System.out.println(userOne); return userOne; } //mybatis使用$變量 @Override public User getOneUserByUsernamePassword2(String username,String password) { User userOne = userMapper.selectOneUserByUsernamePassword2(username,password); System.out.println(userOne); return userOne; } }
3,UserMapper.xml
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.druid.demo.mapper.UserMapper"> <select id="selectOneUserByUsernamePassword" parameterType="String" resultType="com.druid.demo.pojo.User"> select * from user where username=#{username} and password=#{password} </select> <select id="selectOneUserByUsernamePassword2" parameterType="String" resultType="com.druid.demo.pojo.User"> select * from user where username=${username} and password=${password} </select> </mapper>
4,User.java
public class User { //用戶id private String userId; public String getUserId() { return userId; } //用戶名 private String username; public String getUsername() { return this.username; } public void setUsername(String username) { this.username = username; } }
五,測試效果
1,打開druid監控界面:
http://127.0.0.1:8080/druid/login.html
輸入我們在配置文件中的定義的用戶和密碼 root/root
登錄后可以看到druid的界面:
2,測試sql的注入,檢查druid的防火牆效果
http://127.0.0.1:8080/user/login?username=1&password=2 or 1=1 limit 1
返回為空,
查看控制台:
==> Preparing: select * from user where username=? and password=?
==> Parameters: 1(String), 2 or 1=1 limit 1(String)
<== Total: 0
可見在mybatis使用#我們輸入的注入語句也被作為參數的一部分,
因為mybatis把輸入的內容解析為一個 JDBC 預編譯語句(prepared statement)的參數標記符,
一個 #{ } 被解析為一個參數占位符,
所以注入是失敗的
訪問:
http://127.0.0.1:8080/user/login2?username=1&password=2 or 1=1 limit 1
返回:
mybatis在使用$時,是通過拼接字符串來構造sql,
可見我們的sql注入已生效,但因為druid的防火牆機制,導致拋出 sql injection violation
說明druid的防sql注入防火牆是有效的
3,測試過sql注入后,再查看druid中的防火牆頁面:
我們使用的注入sql已被添加到了黑名單
六,查看spring boot的版本:
. ____ _ __ _ _ /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ \\/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot :: (v2.3.2.RELEASE)