Java 安全最佳实践 2026构建安全的应用程序别叫我大神叫我 Alex 就好。今天我们来聊聊 Java 安全最佳实践这是每个开发者都必须重视的话题。一、为什么安全如此重要在当今的互联网环境中安全威胁无处不在。从 SQL 注入到 XSS 攻击从敏感数据泄露到身份认证绕过安全问题可能导致严重的后果用户数据泄露财务损失品牌声誉受损法律责任作为 Java 开发者我们有责任确保应用程序的安全性。二、输入验证与净化1. 防止 SQL 注入SQL 注入是最常见的安全漏洞之一。使用参数化查询是最佳防护手段// 错误的写法 - 存在 SQL 注入风险 public User findUserByUsernameUnsafe(String username) { String sql SELECT * FROM users WHERE username username ; return jdbcTemplate.queryForObject(sql, User.class); } // 正确的写法 - 使用参数化查询 public User findUserByUsernameSafe(String username) { String sql SELECT * FROM users WHERE username ?; return jdbcTemplate.queryForObject(sql, User.class, username); } // 使用 JPA 的命名参数 Query(SELECT u FROM User u WHERE u.username :username) User findByUsername(Param(username) String username);2. 防止 XSS 攻击XSS跨站脚本攻击可以通过净化用户输入来防范Component public class XssFilter { private static final Pattern SCRIPT_PATTERN Pattern.compile( script[^]*[\\s\\S]*?/script, Pattern.CASE_INSENSITIVE ); public String sanitize(String input) { if (input null) { return null; } // 移除 script 标签 String cleaned SCRIPT_PATTERN.matcher(input).replaceAll(); // HTML 实体编码 cleaned cleaned .replace(, amp;) .replace(, lt;) .replace(, gt;) .replace(\, quot;) .replace(, #x27;) .replace(/, #x2F;); return cleaned; } } // 使用 OWASP Java HTML Sanitizer public String sanitizeWithOwasp(String input) { PolicyFactory policy Sanitizers.FORMATTING.and(Sanitizers.LINKS); return policy.sanitize(input); }3. 文件上传安全文件上传功能需要特别注意安全问题Service public class SecureFileUploadService { private static final SetString ALLOWED_EXTENSIONS Set.of( jpg, jpeg, png, gif, pdf, doc, docx ); private static final long MAX_FILE_SIZE 10 * 1024 * 1024; // 10MB public String uploadFile(MultipartFile file) throws IOException { // 1. 验证文件大小 if (file.getSize() MAX_FILE_SIZE) { throw new FileUploadException(File size exceeds limit); } // 2. 验证文件扩展名 String originalFilename file.getOriginalFilename(); String extension getFileExtension(originalFilename); if (!ALLOWED_EXTENSIONS.contains(extension.toLowerCase())) { throw new FileUploadException(File type not allowed); } // 3. 验证 MIME 类型 String contentType file.getContentType(); if (!isAllowedContentType(contentType)) { throw new FileUploadException(Content type not allowed); } // 4. 使用安全的文件名 String safeFilename UUID.randomUUID().toString() . extension; // 5. 保存到安全目录 Path uploadPath Paths.get(/secure/uploads).resolve(safeFilename); Files.copy(file.getInputStream(), uploadPath); return safeFilename; } private String getFileExtension(String filename) { int lastDotIndex filename.lastIndexOf(.); return lastDotIndex -1 ? : filename.substring(lastDotIndex 1); } private boolean isAllowedContentType(String contentType) { return contentType ! null ( contentType.startsWith(image/) || contentType.equals(application/pdf) || contentType.equals(application/msword) || contentType.equals(application/vnd.openxmlformats-officedocument.wordprocessingml.document) ); } }三、身份认证与授权1. JWT 安全使用JWTJSON Web Token是现代应用常用的认证方式但需要正确使用Component public class JwtTokenProvider { private final SecretKey secretKey; private final long validityInMilliseconds; public JwtTokenProvider(Value(${jwt.secret}) String secret, Value(${jwt.expiration}) long validityInMilliseconds) { // 使用足够长的密钥至少 256 位 this.secretKey Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8)); this.validityInMilliseconds validityInMilliseconds; } public String createToken(String username, ListString roles) { Date now new Date(); Date validity new Date(now.getTime() validityInMilliseconds); return Jwts.builder() .setSubject(username) .claim(roles, roles) .setIssuedAt(now) .setExpiration(validity) .setId(UUID.randomUUID().toString()) // 添加唯一标识便于令牌撤销 .signWith(secretKey, SignatureAlgorithm.HS256) .compact(); } public boolean validateToken(String token) { try { JwsClaims claims Jwts.parserBuilder() .setSigningKey(secretKey) .build() .parseClaimsJws(token); // 检查令牌是否在撤销列表中 String tokenId claims.getBody().getId(); if (isTokenRevoked(tokenId)) { return false; } return !claims.getBody().getExpiration().before(new Date()); } catch (JwtException | IllegalArgumentException e) { return false; } } private boolean isTokenRevoked(String tokenId) { // 从 Redis 或数据库检查令牌是否被撤销 return false; } }2. Spring Security 配置Configuration EnableWebSecurity EnableMethodSecurity public class SecurityConfig { Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf(csrf - csrf .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) .ignoringRequestMatchers(/api/public/**) ) .sessionManagement(session - session .sessionCreationPolicy(SessionCreationPolicy.STATELESS) ) .authorizeHttpRequests(auth - auth .requestMatchers(/api/auth/**).permitAll() .requestMatchers(/api/public/**).permitAll() .requestMatchers(/api/admin/**).hasRole(ADMIN) .requestMatchers(/api/user/**).hasAnyRole(USER, ADMIN) .anyRequest().authenticated() ) .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class) .headers(headers - headers .contentSecurityPolicy(csp - csp .policyDirectives(default-src self; script-src self) ) .frameOptions(frameOptions - frameOptions.deny()) .xssProtection(xss - xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK)) ); return http.build(); } Bean public PasswordEncoder passwordEncoder() { // 使用 BCrypt 进行密码加密 return new BCryptPasswordEncoder(12); } }3. 方法级安全Service public class OrderService { PreAuthorize(hasRole(USER)) public Order createOrder(CreateOrderRequest request) { // 创建订单逻辑 } PreAuthorize(hasRole(ADMIN) or orderSecurity.isOwner(#orderId, authentication.name)) public Order getOrder(Long orderId) { // 获取订单逻辑 } PreAuthorize(hasRole(ADMIN)) PostFilter(hasRole(ADMIN) or filterObject.userId authentication.name) public ListOrder getAllOrders() { // 获取所有订单逻辑 } } Component(orderSecurity) public class OrderSecurity { Autowired private OrderRepository orderRepository; public boolean isOwner(Long orderId, String username) { return orderRepository.findById(orderId) .map(order - order.getUserId().equals(username)) .orElse(false); } }四、敏感数据处理1. 数据加密Component public class EncryptionService { private final SecretKey secretKey; public EncryptionService(Value(${encryption.key}) String key) { this.secretKey Keys.hmacShaKeyFor(key.getBytes(StandardCharsets.UTF_8)); } public String encrypt(String data) { try { Cipher cipher Cipher.getInstance(AES/GCM/NoPadding); byte[] iv new byte[12]; SecureRandom.getInstanceStrong().nextBytes(iv); GCMParameterSpec parameterSpec new GCMParameterSpec(128, iv); cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameterSpec); byte[] encryptedData cipher.doFinal(data.getBytes(StandardCharsets.UTF_8)); // 组合 IV 和加密数据 ByteBuffer byteBuffer ByteBuffer.allocate(iv.length encryptedData.length); byteBuffer.put(iv); byteBuffer.put(encryptedData); return Base64.getEncoder().encodeToString(byteBuffer.array()); } catch (Exception e) { throw new EncryptionException(Encryption failed, e); } } public String decrypt(String encryptedData) { try { byte[] decoded Base64.getDecoder().decode(encryptedData); ByteBuffer byteBuffer ByteBuffer.wrap(decoded); byte[] iv new byte[12]; byteBuffer.get(iv); byte[] cipherText new byte[byteBuffer.remaining()]; byteBuffer.get(cipherText); Cipher cipher Cipher.getInstance(AES/GCM/NoPadding); GCMParameterSpec parameterSpec new GCMParameterSpec(128, iv); cipher.init(Cipher.DECRYPT_MODE, secretKey, parameterSpec); return new String(cipher.doFinal(cipherText), StandardCharsets.UTF_8); } catch (Exception e) { throw new EncryptionException(Decryption failed, e); } } }2. 日志脱敏Component public class SensitiveDataMasker { public String maskEmail(String email) { if (email null || !email.contains()) { return email; } String[] parts email.split(); String localPart parts[0]; String domain parts[1]; String maskedLocal localPart.charAt(0) *.repeat(localPart.length() - 2) localPart.charAt(localPart.length() - 1); return maskedLocal domain; } public String maskPhone(String phone) { if (phone null || phone.length() 7) { return phone; } return phone.substring(0, 3) **** phone.substring(phone.length() - 4); } public String maskCreditCard(String cardNumber) { if (cardNumber null || cardNumber.length() 4) { return cardNumber; } return ****-****-****- cardNumber.substring(cardNumber.length() - 4); } } // 使用示例 Slf4j Service public class UserService { Autowired private SensitiveDataMasker masker; public void logUserInfo(User user) { log.info(User login: email{}, phone{}, masker.maskEmail(user.getEmail()), masker.maskPhone(user.getPhone())); } }五、安全头部配置Configuration public class SecurityHeadersConfig implements WebMvcConfigurer { Bean public FilterRegistrationBeanFilter securityHeadersFilter() { FilterRegistrationBeanFilter registrationBean new FilterRegistrationBean(); registrationBean.setFilter((request, response, chain) - { HttpServletResponse httpResponse (HttpServletResponse) response; // 防止点击劫持 httpResponse.setHeader(X-Frame-Options, DENY); // XSS 保护 httpResponse.setHeader(X-XSS-Protection, 1; modeblock); // 内容类型嗅探保护 httpResponse.setHeader(X-Content-Type-Options, nosniff); // 内容安全策略 httpResponse.setHeader(Content-Security-Policy, default-src self; script-src self; style-src self unsafe-inline); // 引用策略 httpResponse.setHeader(Referrer-Policy, strict-origin-when-cross-origin); // 权限策略 httpResponse.setHeader(Permissions-Policy, geolocation(), microphone(), camera()); // HSTS仅 HTTPS httpResponse.setHeader(Strict-Transport-Security, max-age31536000; includeSubDomains); chain.doFilter(request, response); }); registrationBean.addUrlPatterns(/*); return registrationBean; } }六、安全审计与监控Component public class SecurityAuditService { Autowired private AuditLogRepository auditLogRepository; EventListener public void handleAuthenticationSuccess(AuthenticationSuccessEvent event) { Authentication authentication event.getAuthentication(); logAuditEvent(AUTHENTICATION_SUCCESS, authentication.getName(), User successfully authenticated); } EventListener public void handleAuthenticationFailure(AbstractAuthenticationFailureEvent event) { logAuditEvent(AUTHENTICATION_FAILURE, event.getAuthentication().getName(), Authentication failed: event.getException().getMessage()); } EventListener public void handleAuthorizationFailure(AuthorizationDeniedEvent event) { logAuditEvent(AUTHORIZATION_FAILURE, event.getAuthentication().get().getName(), Access denied to: event.getRequestUri()); } private void logAuditEvent(String eventType, String userId, String description) { AuditLog log AuditLog.builder() .eventType(eventType) .userId(userId) .description(description) .timestamp(LocalDateTime.now()) .ipAddress(getCurrentIpAddress()) .build(); auditLogRepository.save(log); } }七、总结与建议安全是一个持续的过程而不是一次性的任务。以下是一些关键建议保持依赖更新及时更新框架和库修复已知漏洞安全编码培训提高团队的安全意识定期安全审计使用工具进行代码扫描和渗透测试最小权限原则只授予必要的权限安全日志记录记录安全相关事件便于事后分析这其实可以更优雅一点通过建立安全开发流程将安全考虑融入开发的每个阶段我们可以构建出更加安全的应用程序。别叫我大神叫我 Alex 就好。希望这篇文章能帮助你构建更安全的 Java 应用程序。安全无小事让我们一起努力