一,druid数据库连接池的功能?
1,Druid是阿里巴巴开发的号称为监控而生的数据库连接池
它的优点包括:
可以监控数据库访问性能
SQL执行日志
SQL防火墙
2,druid的官方站:
https://github.com/alibaba/druid/
说明:刘宏缔的架构森林是一个专注架构的博客,地址:https://www.cnblogs.com/architectforest
对应的源码可以访问这里获取: https://github.com/liuhongdi/
说明:作者:刘宏缔 邮箱: 371125307@qq.com
二,演示项目的相关信息:
1,项目地址:
https://github.com/liuhongdi/druid
2, 项目功能说明:
为druid配置log4j2作为日志记录工具,
演示mybatis代码中#和$变量的区别
3, 项目结构:如图:
三,配置文件说明
1,pom.xml
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> <exclusions> <exclusion> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-logging</artifactId> </exclusion> </exclusions> </dependency> <!--druid begin--> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid-spring-boot-starter</artifactId> <version>1.1.23</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-log4j2</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> <version>3.4.2</version> </dependency> <!--druid end--> <!--mybatis begin--> <dependency> <groupId>org.mybatis.spring.boot</groupId> <artifactId>mybatis-spring-boot-starter</artifactId> <version>2.1.3</version> </dependency> <!--mybatis end--> <!--mysql begin--> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <scope>runtime</scope> </dependency> <!--mysql end--> <!--pagehelper begin--> <dependency> <groupId>com.github.pagehelper</groupId> <artifactId>pagehelper-spring-boot-starter</artifactId> <version>1.2.13</version> </dependency> <!--pagehelper end-->
说明:关闭了spring-boot-starter-web自带的log功能,
用druid-spring-boot-starter引入druid,
disruptor这个依赖也需要引入,是log4j2使用异步日志中必需的
2,application.properties
#error server.error.include-stacktrace=always #error logging.level.org.springframework.web=trace # 数据源基本配置 spring.datasource.username = root spring.datasource.password = lhddemo spring.datasource.driver-class-name = com.mysql.cj.jdbc.Driver spring.datasource.url = jdbc:mysql://127.0.0.1:3306/store?serverTimezone=UTC spring.datasource.type = com.alibaba.druid.pool.DruidDataSource # Druid数据源配置 spring.datasource.druid.initialSize = 5 spring.datasource.druid.minIdle = 5 spring.datasource.druid.maxActive = 20 spring.datasource.druid.maxWait = 60000 spring.datasource.druid.timeBetweenEvictionRunsMillis = 60000 spring.datasource.druid.minEvictableIdleTimeMillis = 300000 spring.datasource.druid.validationQuery = SELECT 1 FROM DUAL spring.datasource.druid.testWhileIdle = true spring.datasource.druid.testOnBorrow = false spring.datasource.druid.testOnReturn = false spring.datasource.druid.poolPreparedStatements = true # 配置监控统计拦截的filters,去掉后监控界面sql无法统计,'wall'用于防火墙 spring.datasource.druid.filters = stat,wall,log4j2 spring.datasource.druid.maxPoolPreparedStatementPerConnectionSize = 20 spring.datasource.druid.useGlobalDataSourceStat = true spring.datasource.druid.connectionProperties = druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500 #druid sql firewall monitor spring.datasource.druid.filter.wall.enabled=true #druid sql monitor spring.datasource.druid.filter.stat.enabled=true spring.datasource.druid.filter.stat.log-slow-sql=true spring.datasource.druid.filter.stat.slow-sql-millis=10000 spring.datasource.druid.filter.stat.merge-sql=true #druid uri monitor spring.datasource.druid.web-stat-filter.enabled=true spring.datasource.druid.web-stat-filter.url-pattern=/* spring.datasource.druid.web-stat-filter.exclusions=*.js,*.gif,*.jpg,*.bmp,*.png,*.css,*.ico,/druid/* #druid session monitor spring.datasource.druid.web-stat-filter.session-stat-enable=true spring.datasource.druid.web-stat-filter.profile-enable=true #druid spring monitor spring.datasource.druid.aop-patterns=com.druid.* #druid login user config spring.datasource.druid.stat-view-servlet.login-username=root spring.datasource.druid.stat-view-servlet.login-password=root #monintor spring.datasource.druid.stat-view-servlet.enabled=true #spring.datasource.druid.stat-view-servlet.url-pattern="/druid/*" #mybatis mybatis.mapper-locations=classpath:/mapper/*Mapper.xml mybatis.type-aliases-package=com.example.demo.mapper mybatis.configuration.log-impl=org.apache.ibatis.logging.stdout.StdOutImpl logging.config = classpath:log4j2.xml
说明:除了druid的配置,指定了log的配置文件为: log4j2.xml
如果需要查看监控界面,需要设置以下一项:
spring.datasource.druid.stat-view-servlet.enabled=true
大家如果在生产环境中,可以设置它为false,只查看日志文件
使用log4j2日志时,注意spring.datasource.druid.filters 设置为 stat,wall,log4j2
3,log4j2.xml
<?xml version="1.0" encoding="UTF-8"?> <configuration status="OFF"> <appenders> <Console name="Console" target="SYSTEM_OUT"> <ThresholdFilter level="DEBUG" onMatch="ACCEPT" onMismatch="DENY"/> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> </Console> <!--处理INFO级别的日志,写入到logs/info.log文件--> <RollingFile name="RollingFileInfo" fileName="./logs/info.log" filePattern="logs/$${date:yyyy-MM}/info-%d{yyyy-MM-dd}-%i.log.gz"> <Filters> <ThresholdFilter level="INFO"/> <ThresholdFilter level="WARN" onMatch="DENY" onMismatch="NEUTRAL"/> </Filters> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> <!--处理WARN级别的日志,写入到logs/warn.log文件--> <RollingFile name="RollingFileWarn" fileName="./logs/warn.log" filePattern="logs/$${date:yyyy-MM}/warn-%d{yyyy-MM-dd}-%i.log.gz"> <Filters> <ThresholdFilter level="WARN"/> <ThresholdFilter level="ERROR" onMatch="DENY" onMismatch="NEUTRAL"/> </Filters> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> <!--处理error级别的日志,写入到logs/error.log文件--> <RollingFile name="RollingFileError" fileName="./logs/error.log" filePattern="logs/$${date:yyyy-MM}/error-%d{yyyy-MM-dd}-%i.log.gz"> <ThresholdFilter level="ERROR"/> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> <!--druid的日志记录追加器--> <RollingFile name="druidSqlRollingFile" fileName="./logs/druid-sql.log" filePattern="logs/$${date:yyyy-MM}/api-%d{yyyy-MM-dd}-%i.log.gz"> <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] [%file:%line] %-5level %logger{35} - %msg %n"/> <Policies> <SizeBasedTriggeringPolicy size="500 MB"/> <TimeBasedTriggeringPolicy/> </Policies> </RollingFile> </appenders> <loggers> <AsyncRoot level="info"> <appender-ref ref="Console"/> <appender-ref ref="RollingFileInfo"/> <appender-ref ref="RollingFileWarn"/> <appender-ref ref="RollingFileError"/> </AsyncRoot> <!--记录druid-sql的记录--> <AsyncLogger name="druid.sql.Statement" level="debug" additivity="false"> <appender-ref ref="druidSqlRollingFile"/> </AsyncLogger> </loggers> </configuration>
说明:这里只是举例,直接把日志放到了当前目录,生产环境中建议为日志配置专门的目录
4,数据表的结构:
CREATE TABLE `user` ( `userId` int(11) NOT NULL AUTO_INCREMENT COMMENT 'id', `username` varchar(200) NOT NULL DEFAULT '' COMMENT 'name', `password` varchar(100) NOT NULL DEFAULT '' COMMENT 'pass', PRIMARY KEY (`userId`), UNIQUE KEY `username` (`username`) ) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci COMMENT='user'
四,java代码说明:
1,UserController.java
@RestController @RequestMapping("/user") public class UserController { @Resource private UserService userService; //mybatis使用#变量 @GetMapping("/login") public Object login(@RequestParam("username") String username, @RequestParam("password") String password ) { User userOne = userService.getOneUserByUsernamePassword(username,password); if (userOne == null) { System.out.println("user is null"); } return userOne; } //mybatis使用$变量 @GetMapping("/login2") public Object login2(@RequestParam("username") String username, @RequestParam("password") String password ) { User userOne = userService.getOneUserByUsernamePassword2(username,password); if (userOne == null) { System.out.println("user is null"); } return userOne; } }
说明:mybatis在mapper文件中,如果使用$时,属于拼接sql语句,有sql注入的危险,
我们用来检测druid的sql注入检测是否生效
2,UserServiceImpl.java
@Service public class UserServiceImpl implements UserService { @Resource private UserMapper userMapper; //mybatis使用#变量 @Override public User getOneUserByUsernamePassword(String username,String password) { User userOne = userMapper.selectOneUserByUsernamePassword(username,password); System.out.println(userOne); return userOne; } //mybatis使用$变量 @Override public User getOneUserByUsernamePassword2(String username,String password) { User userOne = userMapper.selectOneUserByUsernamePassword2(username,password); System.out.println(userOne); return userOne; } }
3,UserMapper.xml
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.druid.demo.mapper.UserMapper"> <select id="selectOneUserByUsernamePassword" parameterType="String" resultType="com.druid.demo.pojo.User"> select * from user where username=#{username} and password=#{password} </select> <select id="selectOneUserByUsernamePassword2" parameterType="String" resultType="com.druid.demo.pojo.User"> select * from user where username=${username} and password=${password} </select> </mapper>
4,User.java
public class User { //用户id private String userId; public String getUserId() { return userId; } //用户名 private String username; public String getUsername() { return this.username; } public void setUsername(String username) { this.username = username; } }
五,测试效果
1,打开druid监控界面:
http://127.0.0.1:8080/druid/login.html
输入我们在配置文件中的定义的用户和密码 root/root
登录后可以看到druid的界面:
2,测试sql的注入,检查druid的防火墙效果
http://127.0.0.1:8080/user/login?username=1&password=2 or 1=1 limit 1
返回为空,
查看控制台:
==> Preparing: select * from user where username=? and password=?
==> Parameters: 1(String), 2 or 1=1 limit 1(String)
<== Total: 0
可见在mybatis使用#我们输入的注入语句也被作为参数的一部分,
因为mybatis把输入的内容解析为一个 JDBC 预编译语句(prepared statement)的参数标记符,
一个 #{ } 被解析为一个参数占位符,
所以注入是失败的
访问:
http://127.0.0.1:8080/user/login2?username=1&password=2 or 1=1 limit 1
返回:
mybatis在使用$时,是通过拼接字符串来构造sql,
可见我们的sql注入已生效,但因为druid的防火墙机制,导致抛出 sql injection violation
说明druid的防sql注入防火墙是有效的
3,测试过sql注入后,再查看druid中的防火墙页面:
我们使用的注入sql已被添加到了黑名单
六,查看spring boot的版本:
. ____ _ __ _ _ /\ / ___'_ __ _ _(_)_ __ __ _ ( ( )\___ | '_ | '_| | '_ / _` | \/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot :: (v2.3.2.RELEASE)