CSRFGuard中的NPE

时间:2013-04-15 15:04:41

标签: java csrf owasp

我想保护我的应用程序免受csrf的影响,所以我添加owasp.csrf.jar并按照描述here配置我的应用程序然后我使用csrf令牌标记向我的一个表单中添加隐藏字段,如下所示:< / p>

<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>" />

但是当我的页面呈现时,我在 TokenNameTag.java

中获得了NPE

我错过了什么?

更新

stacktrace:

2013-04-15 10:46:49,985 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/myapp].[jsp]]  Servlet.service() for servlet jsp threw exception
java.lang.NullPointerException
    at org.owasp.csrfguard.tag.TokenNameTag.doStartTag(TokenNameTag.java:45)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_csrf_005ftoken_002dname_005f0(configurationMain_jsp.java:7405)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_html_005fform_005f7(configurationMain_jsp.java:6812)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_logic_005fmatch_005f3(configurationMain_jsp.java:6695)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspService(configurationMain_jsp.java:1712)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
    at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
    at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:662)

1 个答案:

答案 0 :(得分:0)

第45行上的TokenNameTag.java也有类似的问题。这是我的堆栈跟踪

Stacktrace:] with root cause                                                                                                                                                                                
java.lang.NullPointerException
at java.io.Writer.write(Writer.java:157)                                                                                                                                                            
at org.owasp.csrfguard.tag.TokenNameTag.doStartTag(TokenNameTag.java:45)                                                                                                                            
at org.apache.jsp.position_005fdetails_jsp._jspx_meth_csrf_005ftokenname_005f0(position_005fdetails_jsp.java:4768) org.apache.jsp.position_005fdetails_jsp._jspService(position_005fdetails_jsp.java:1255) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)                                                                                                                               at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)`

对我来说,问题是我没有将以下内容复制到web.xml文件中

<listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
       </listener>
       <listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
       </listener>
       <context-param>
             <param-name>Owasp.CsrfGuard.Config</param-name>
             <param-value>Owasp.CsrfGuard.properties</param-value>
       </context-param>


<servlet> 
     <servlet-name>JavaScriptServlet</servlet-name> 
     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class> 

    </servlet>
    <servlet-mapping>
     <servlet-name>JavaScriptServlet</servlet-name>
     <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>


<filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name> 
        <url-pattern>/*</url-pattern>
    </filter-mapping>

完成此操作后,它便对我有用。

(出于完整性考虑,我将添加owasp.csrfguard-3.1.0.jar必须位于lib目录中,并且Owasp.CsrfGuard.properties也必须位于正确的目录中,其中一种可能是应用程序类路径-参见https://www.owasp.org/index.php/CSRFGuard_3_Installation