Vulnerability condition:
The request JSON carries a parameter that is not a property of the receiving JavaBean or of any of its parent classes (Jackson silently drops it by default, so the extra parameter is accepted without error).
Solution:
Add a deserialization configuration that rejects unknown properties.
package com.example.demo.config;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.boot.autoconfigure.http.HttpMessageConverters;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;

@Configuration
public class JacksonConverters {

    @Bean
    public HttpMessageConverters jacksonHttpMessageConverters() {
        MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter
                = new MappingJackson2HttpMessageConverter();
        // Note: a fresh ObjectMapper does not inherit Spring Boot's auto-configured settings
        ObjectMapper objectMapper = new ObjectMapper();
        // other configuration omitted (start)
        // during deserialization, throw an exception if the JSON contains properties the bean does not declare
        objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        mappingJackson2HttpMessageConverter.setObjectMapper(objectMapper);
        // other configuration omitted (end)
        return new HttpMessageConverters(mappingJackson2HttpMessageConverter);
    }
}
Execution result: the request with the unknown property is rejected.
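To show what the setting above actually does at the ObjectMapper level, here is a stand-alone example (added here, not code from the original post). It uses a constructed bean hierarchy, where the child class inherits `id` from its parent, and a constructed payload that smuggles an extra `role` field; the `bind` helper returns the name of the rejected property, or `null` when the JSON binds cleanly.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class StrictBindingDemo {

    // Constructed bean hierarchy: "id" comes from the parent class,
    // so both "id" and "name" are legitimate request properties.
    public static class BaseEntity {
        public long id;
    }

    public static class UserRequest extends BaseEntity {
        public String name;
    }

    // Strict mapper: any property that maps to no declared or inherited field is an error.
    static final ObjectMapper STRICT = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);

    // Jackson's default behaviour: unknown properties are silently discarded.
    static final ObjectMapper LENIENT = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

    /** Binds the JSON into UserRequest; returns the rejected property name, or null if binding succeeded. */
    static String bind(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, UserRequest.class);
            return null;
        } catch (UnrecognizedPropertyException e) {
            return e.getPropertyName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads.
        String valid = "{\"id\": 7, \"name\": \"alice\"}";
        String withExtraField = "{\"id\": 7, \"name\": \"alice\", \"role\": \"admin\"}";

        System.out.println("strict, declared/inherited fields only: " + bind(STRICT, valid));
        System.out.println("strict, extra field present:            " + bind(STRICT, withExtraField));
        System.out.println("lenient, extra field present:           " + bind(LENIENT, withExtraField));
    }
}
```

With the strict mapper the first call binds cleanly (the inherited `id` counts as a known property) and the second call reports `role` as the unrecognized property; the lenient mapper accepts the same payload and simply drops `role`, which is exactly the behaviour the configuration in this post removes. Two caveats when applying this in Spring Boot: the same effect can be obtained without replacing the converter via `spring.jackson.deserialization.fail-on-unknown-properties=true`, which keeps Spring Boot's auto-configured ObjectMapper, and a bean annotated with `@JsonIgnoreProperties(ignoreUnknown = true)` overrides the global setting for that class, so such annotations should be reviewed on request DTOs.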
Copyright notice: this article is an original post by CSDN blogger "进击的西红柿丶", licensed under CC 4.0 BY-SA; when reposting, include the original source link and this notice.
Original link: https://blog.csdn.net/qq_41835151/article/details/127538276