servlet过滤器不允许加载应用程序资源

问题描述 投票:0回答:1

我正在尝试防止CSRF(Cross site request forgery)。为了防止CSRF,我创建了过滤器,该过滤器将过滤每个请求。

按预期实现javax.servlet.Filter之后,过滤器将完成其工作。但是在实现servlet过滤器后,我的应用程序资源无法正确加载。

CSS,jQuery,数据表,所有资源均未正确加载,有时它们正在加载,有时却未加载。

在实施过滤器之前,它工作正常。

firebug中的示例错误:

"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/images/bg-report-content.jpg"

"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/images/bg-header.jpg"

tworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/css/dataTables.bootstrap.css"

"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/js/fnStandingRedraw.js"

"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/js/dataTables.tableTools.js"

这是我如何实现CSRF的过滤器

[我正在做的是,我创建了一个名为LoadSalt的类,其中创建了salt(随机数)。我在jsp中使用的那个随机数。以及与jsp一起发送的请求。

LoadSalt calss

public class LoadSalt implements Filter{

    public Cache<String, Boolean> csrfPreventionSaltCache= null;
    HttpServletRequest httpReq=null;
    //int count=0;

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        //count++;

        // Assume its HTTP  
        httpReq = (HttpServletRequest)request;

        if(httpReq.getAttribute("csrfPreventionSaltCache")!=null)
            {
            csrfPreventionSaltCache= (Cache<String, Boolean>) httpReq.getAttribute("csrfPreventionSaltCache");
            }

        if(csrfPreventionSaltCache == null)
        {
            // creating a new cache 
            csrfPreventionSaltCache = CacheBuilder.newBuilder().maximumSize(5000)
                    .expireAfterAccess(5, TimeUnit.MINUTES).build();
            // Setting to httpReq
            httpReq.setAttribute("csrfPreventionSaltCache", csrfPreventionSaltCache);
        }

        // Generate the salt and store it in the users cache
        String salt = RandomStringUtils.random(20, 0, 0, true, true, null, new SecureRandom());
        //System.out.println("Salt: "+salt);
        csrfPreventionSaltCache.put(salt, Boolean.TRUE);

        // Add the salt to the current request so it can be used
        // by the page rendered in this request
        httpReq.setAttribute("csrfPreventionSalt", salt);

        chain.doFilter(httpReq, response);

    }

    public void init(FilterConfig arg0) throws ServletException {
    }
    public void destroy() {
    }
}

另一个用于验证盐的过滤器

public class ValidateSalt implements Filter {

    public Cache<String, Boolean> csrfPreventionSaltCache= null;

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // Assume its HTTP
        HttpServletRequest httpReq = (HttpServletRequest) request;
        HttpServletResponse httpResponse =(HttpServletResponse) response;

        String salt =(String) httpReq.getAttribute("csrfPreventionSalt");

     // Validate that the salt is in the cache
        if(httpReq.getAttribute("csrfPreventionSaltCache")!=null)
        {
         csrfPreventionSaltCache = (Cache<String, Boolean>) httpReq.getAttribute("csrfPreventionSaltCache");
        }

        if(csrfPreventionSaltCache !=null && salt !=null && csrfPreventionSaltCache.getIfPresent(salt)!=null)
        {

                String metodName =httpReq.getMethod();
                String saltFromJspPage = httpReq.getParameter("salt");  
                //String saltFromRequest =(String) httpReq.getAttribute("csrfPreventionSalt");


                if(metodName.equalsIgnoreCase("POST"))
                    {

                        if(saltFromJspPage!=null && csrfPreventionSaltCache.getIfPresent(saltFromJspPage)!=null)
                        {
                            chain.doFilter(httpReq, response);
                        else
                        {
                            //throw new ServletException("Potential CSRF detected!! Please contact to system admin ASAP.");
                            httpResponse.sendRedirect("/myApp/pages/pageNotFound.jsp");
                        }
                    }
                else
                {
                     chain.doFilter(httpReq, response);
                }
        }
        else
        {
            // Otherwise we throw an exception aborting the request flow
            //throw new ServletException("Potential CSRF detected!! Inform a scary sysadmin ASAP.");
            httpResponse.sendRedirect("/myApp/pages/pageNotFound.jsp");
        }
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
    public void destroy() { 
    }
}

web.xml中的servlet过滤器映射

  <filter>
       <filter-name>loadSalt</filter-name>
       <filter-class>com.mpApp.security.LoadSalt</filter-class>
   </filter>

   <filter-mapping>
      <filter-name>loadSalt</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
       <filter-name>validateSalt</filter-name>
       <filter-class>com.mpApp.security.ValidateSalt</filter-class>
   </filter>            

  <filter-mapping>
       <filter-name>validateSalt</filter-name>
        <url-pattern>/*</url-pattern>
   </filter-mapping>

我的申请有什么问题吗?

为什么servlet过滤器不允许加载资源?尽管有时会起作用,有时却不能,

这是什么原因造成的?

我是否以错误的方式实现了servlet过滤器。

请帮助。

filter csrf servlet-filters csrf-protection
1个回答
0
投票

网址格式太宽,将尝试将盐应用于每个请求。将其保留在可以设置并检查盐值的动态部分,例如/ transferOperationServlet或/ prettyImportantServlet或* .jsp

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.