Tomcat 8.5反CSRF nonce未生成

时间:2018-01-31 16:50:27

标签: java tomcat csrf csrf-protection nonce

我有一个在Tomcat 8.5上运行的Web应用程序。我想更新应用程序以依赖Tomcats本机反CSRF令牌来保护Web应用程序上的关键POST请求。我做了很多研究并遵循了一些例子,但我仍然无法让它发挥作用。

的web.xml:

<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class> org.apache.catalina.filters.CsrfPreventionFilter </filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>appNameRemoved/login.jsp</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/appNameRemoved/folder1/*</url-pattern>
</filter-mapping>

因此,从表面看,这似乎有效。使用403(好)拒绝任何访问folder1内的URL的尝试。当我尝试生成nonce值以允许授权方访问特权区域时,会出现此问题。

在我的main.jsp(登录入口点login.jsp后打开的JSP)中,我有以下Java代码尝试生成nonce值:

String antiCSRF = response.encodeURL("/appNameRemoved/folder1/delete");

问题是,生成的值只是

"/appNameRemoved/folder1/delete"

而不是预期的URL(如其他人的考试所见),例如:

"/appNameRemoved/folder1/delete?org.apache.catalina.filters.CSRF_NONCE=CB5C65E1D87A39D5557D6BCBC24E54A9"

因此我的问题是,为什么response.encodeURL()实际上并没有使用nonce值对URL进行编码,即使我已经看到,过滤器设置正确并且在访问特权URL时检查nonce&#s; #39; S

谢谢!

1 个答案:

答案 0 :(得分:1)

It seems you have kept your main.jsp (in which you are using response.encodeURL()) out side the folder /appNameRemoved/folder1/.

By using 

<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/appNameRemoved/folder1/*</url-pattern>
</filter-mapping>

you are applying CSRFPreventionFilter to urls /appNameRemoved/folder1/*. i.e. all the urls with pattern /appNameRemoved/folder1/* will be protected with CSRF nonce.

By applying 

<init-param>
   <param-name>entryPoints</param-name>
   <param-value>url1, url2</param-value>
</init-param>

you are saying tomcat that out of /appNameRemoved/folder1/*, url1 and url2 are allowed even without CSRF nonce.

Now what you have done is

  1. You have put appNameRemoved/login.jsp as entry point which you do not need to do that because it is anyway accessible as it is outside /appNameRemoved/folder1/* urls.
  2. Perhaps your main.jsp in which you are using response.encodeURL("/appNameRemoved/folder1/delete"), is also out side /appNameRemoved/folder1/*. CSRF nounce will only be generated in the resources on which CSRFPreventionFilter is applied. Had your main.jsp been placed in folder /appNameRemoved/folder1/, proper CSRF nonce would have been added to the encoded url. Again in such case, to make main.jsp accessible, you would need to set it as entryPoint in your init prams

Like this 

<init-param>
   <param-name>entryPoints</param-name>
   <param-value>appNameRemoved/folder1/main.jsp</param-value>
</init-param>
相关问题
最新问题