修改appscan扫描漏洞

backend/src/main/java/com/jiayue/ssi/SsiApplication.java

@@ -1,17 +1,17 @@
 package com.jiayue.ssi;
 
 import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
-import org.apache.catalina.Context;
-import org.apache.catalina.connector.Connector;
-import org.apache.tomcat.util.descriptor.web.SecurityCollection;
-import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+//import org.apache.catalina.Context;
+//import org.apache.catalina.connector.Connector;
+//import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+//import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
-import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
-import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
-import org.springframework.context.annotation.Bean;
+//import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
+//import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+//import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
+//import org.springframework.context.annotation.Bean;
 
 /**
  * TODO

backend/src/main/java/com/jiayue/ssi/config/WebConfig.java

@@ -6,11 +6,17 @@ import com.jiayue.ssi.interceptor.TokenStatusInterceptor;
 import com.jiayue.ssi.service.SysBlacklistService;
 import com.jiayue.ssi.service.SysParameterService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.ServletContextInitializer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import java.util.Arrays;
 import java.util.List;
 
 /**
@@ -53,4 +59,15 @@ public class WebConfig implements WebMvcConfigurer {
             CacheConstants.blacklistMap.put(sysBlacklist.getIp(),sysBlacklist);
         }
     }
+
+    @Bean
+    public ServletContextInitializer servletContextInitializer() {
+        return new ServletContextInitializer() {
+            @Override
+            public void onStartup(ServletContext servletContext) throws ServletException {
+                // 解决加密会话（SSL）Cookie 中缺少 Secure 属性
+                servletContext.getSessionCookieConfig().setSecure(true);
+            }
+        };
+    }
 }