[0026] Example 1
[0027] The applicant proposes that a plug-in be deployed on the WEB application server. The plug-in adds a user information probe to the class that processes HTTP requests and a SQL information probe to the class that processes SQL statements. The user information probe is responsible for obtaining user information and business information; the SQL information probe is responsible for associating the user information and business information with the SQL statements triggered by the business. The associated SQL statement therefore carries the user information and business information, which appear inside the SQL statement as a comment in the form of a characteristic (feature) string. A database audit system is deployed to audit the database protocol traffic at the entrance switch of the database server; it parses the characteristic string to form a complete SQL event associated with user information and business information, and records it in the database audit log. Afterwards, analysing the database audit logs alone is enough to locate security incidents accurately and trace them to their source, and a variety of business-based analysis reports can be formed on this basis.
[0028] Based on the above ideas, this embodiment provides an association plug-in that can be applied to a WEB server and comprises at least the following units.
[0029] The user information probe unit acquires and stores associated information of the service request when the WEB application server receives the service request triggered by the logged-in user, and the associated information includes user information and service information corresponding to the service request;
[0030] The SQL information probe unit, when the WEB application server requests data from the database according to the business request, associates the stored association information of the business request into the SQL statement in the form of comments.
[0031] In practical applications, the above-mentioned association plug-in can be located in the WEB server to realize data association on the J2EE platform. The entire data association system is then as shown in Figure 1. An association plug-in component is added to the WEB application server; the plug-in runs as part of the middleware instance, inside the same JVM (Java virtual machine) instance. The database audit server is deployed on the bypass mirror port of the entrance switch of the database server. Since it is a bypass device, the database audit server has no impact on the database server.
[0032] Specifically, the user information probe unit in the association plug-in acquires and stores user information (including at least the source IP and user name) and business information (including at least the business URL) when the WEB middleware processes a user request; the SQL information probe unit adds the obtained current user information and business information to the comment of the SQL statement, in the form of a characteristic string, before the WEB application requests data from the database. In this way, when the SQL statement carrying the associated information passes through the switch as packets, it is forwarded from the bypass mirror port to the database audit server for processing. The database server automatically ignores the comment part of the SQL it receives, so the comment is not processed and has no impact on the normal operation of the database. Preferably, before the WEB middleware returns the response data to the user, the user information probe unit releases the stored user information and business information of the current user, so as to reduce the memory consumption of the association plug-in. Since the user request and its response run in the same Java thread, 100% accurate correlation can be achieved.
[0033] The following describes, with reference to Figure 2, the main process by which the system using the above-mentioned association plug-in carries out a user's business operation.
[0034] First, the user client completes the login and triggers business requests (including http requests and https requests).
[0035] The Web middleware, to which the user information probe unit has been added, obtains and stores the user information and business information. When the Web application, to which the SQL information probe unit has been added, executes a SQL operation, the stored user information and business information are associated with the SQL statement in the form of a comment, and the database protocol TCP packet flow is then sent to the switch.
[0036] The switch mirrors the database traffic to the database audit server for auditing, while forwarding the database traffic itself only to the database server.
[0037] The database server executes SQL statements and returns execution results.
[0038] The execution result processed by the Web application (with the SQL information probe unit added) and the execution result processed by the Web middleware (with the user information probe unit added) together form the response data to the user request. At this point the stored user information and business information can be deleted, and finally the response data is returned to the client user.
[0039] Specifically, interception code can be added to the class of the web middleware that processes the request; through it the user information and business information are obtained from the HTTP request, and the user information is deleted from the plug-in before the request ends.
[0040] Similarly, interception code can be added to the class that processes SQL statements in the web application; through it the user information and business information are obtained from the association plug-in and added to the SQL comment in the form of a characteristic string, thereby forming the association.
[0041] In this embodiment, the interception code added by the association plug-in uses Java bytecode manipulation: it performs the bytecode operation directly when the relevant classes are loaded, and uses the Java proxy pattern to obtain the user information and business information and associate them with the SQL request. In this embodiment, the interception code fully considers various abnormal situations: even if an exception occurs in the interception code, the user's business operation is still executed normally without any impact. The interception code also writes an installation log and an operation log (the log level can be configured) to meet the operational requirements of the actual environment.
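The probe logic described in paragraphs [0029] to [0032] and [0039] to [0041], written out here as an added illustration rather than the plug-in's own code: a ThreadLocal holds the association for the current request thread, the SQL probe prepends it as a comment, and a small parser shows how the audit side can recover the fields from a captured statement. The `DRELATE` marker, the `uid=;ip=;url=` feature-string layout, and all class and method names are assumptions, since the page does not specify the characteristic string format.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical probe sketch; the feature-string format below is an assumption. */
public final class RelateProbe {
    // Request and response run on the same servlet thread, so a ThreadLocal is the association key.
    private static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();
    private static final String MARKER = "DRELATE";
    private static final Pattern FEATURE =
        Pattern.compile("/\\* " + MARKER + " uid=([^;]*);ip=([^;]*);url=([^ ]*) \\*/");

    /** User information probe: called when the middleware starts processing an HTTP request. */
    public static void onRequest(String user, String sourceIp, String url) {
        try {
            CONTEXT.set("uid=" + sanitize(user) + ";ip=" + sanitize(sourceIp) + ";url=" + sanitize(url));
        } catch (RuntimeException e) {
            // A probe failure must never break the business request (paragraph [0041]).
        }
    }

    /** SQL information probe: called before the application sends a statement to the database. */
    public static String onSql(String sql) {
        String ctx = CONTEXT.get();
        if (ctx == null) return sql;          // no logged-in request on this thread: pass through
        return "/* " + MARKER + " " + ctx + " */ " + sql;
    }

    /** Release the stored association before the response goes back to the client (paragraph [0032]). */
    public static void onResponse() {
        CONTEXT.remove();                     // also prevents leakage across pooled threads
    }

    /** Keep request-derived values from closing the comment or breaking the field layout. */
    private static String sanitize(String s) {
        return s == null ? "" : s.replace("*/", "").replace(";", "").replace(" ", "_");
    }

    /** Audit-server side: recover user name, source IP and business URL from a captured statement. */
    public static Optional<String[]> parse(String capturedSql) {
        Matcher m = FEATURE.matcher(capturedSql);
        if (!m.find()) return Optional.empty();
        return Optional.of(new String[] { m.group(1), m.group(2), m.group(3) });
    }

    public static void main(String[] args) {
        onRequest("alice", "10.0.0.5", "/order/submit");   // constructed sample request
        String tagged = onSql("SELECT * FROM orders WHERE id = ?");
        System.out.println(tagged);
        System.out.println(String.join(",", parse(tagged).orElseThrow(IllegalStateException::new)));
        onResponse();
    }
}
```

In the real plug-in the `onRequest`/`onResponse` calls are woven into the middleware's request-handling class and `onSql` into the SQL-executing class at class-load time; here they are invoked directly so the flow can be run stand-alone.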
[0042] In this embodiment, the associated plug-in has two models drelate15 and drelate14.
[0043] Drelate15 is suitable for Web middleware servers running on JDK1.5, JDK1.6, and JDK1.7.
[0044] drelate14 is suitable for web middleware servers running on JDK1.3 and JDK1.4.
[0045] Drelate15 and drelate14 plug-ins currently only support four middlewares: tomcat, jboss, weblogic, and websphere; if you need to support other middleware, you can customize them.
[0046] Drelate15 and drelate14 plug-ins currently only support four databases: oracle, sqlserver, mysql, and db2; if you need to support other databases, you can customize them.
[0047] Drelate15 and drelate14 plug-ins can run on all operating systems that the corresponding JDK can run on.
[0048] In addition, the business audit system of the J2EE platform using the above-mentioned associated plug-in has carried out a stress test of 80 users on a large-scale e-commerce platform.
[0049] Some parameters of the Web middleware server are: Red Hat Enterprise Linux Server release 5.5 (64-bit), WebLogic 10.2, WebLogic JVM_OPTION: -server -Xms2048M -Xmx2048M -XX:MaxPermSize=512M.
[0050] The database server is oracle10g.
[0051] Plug-in disabled: business execution time for 80 concurrent users is 13.565 seconds.
[0052] Plug-in enabled: business execution time for 80 concurrent users is 14.148 seconds.
[0053] The average time consumption per user increases by 0.0072 seconds, which is basically negligible.
[0054] From the perspective of technical implementation, the technical solution of this application requires interception code to be added dynamically, at load time, to the class that processes requests and to the class that processes SQL, so as to realize the user probe and the SQL probe. This increases class-loading time, but given the loading performance of the Java virtual machine and the execution performance of the server CPU, the added loading time is basically negligible. Moreover, once the code is loaded it stays in memory and does not need to be loaded again. At run time the user probe and the SQL probe execute a small amount of code, which also adds to the total execution time; writing the operation log adds slightly to the execution time as well, and the log record can be selected according to the actual situation. Judging from the actual operation results, after the plug-in is added the various indicators of the Web middleware server are basically the same as before, with no obvious change.
[0055] It should also be noted that in this embodiment the association plug-in is delivered mainly as an independent jar file, which must be placed in the CLASSPATH parameter of the middleware, and the startup script of the middleware must be modified to start the plug-in via -javaagent or -Xrun.
[0056] To facilitate troubleshooting during the deployment phase, two copies of the middleware startup script should be kept: the original script without the plug-in, and a copy of the original script with the parameter configuration for loading the plug-in. Once any issues have been identified and resolved, the user can choose to start with or without the plug-in.