I added OWASP.CsrfGuard.jar to my Spring 3.2.4 application to prevent CSRF attacks, but I don't know how to configure it. The entry point of my application is
http://127.0.0.1:7001/devices/welcome.do
From this controller (WelcomeController), depending on certain conditions, the view may differ:
....
// Unvalidated users are sent to account creation first
if (usr.getValidated().booleanValue() == Boolean.FALSE) {
    return new ModelAndView("createAccountRedirectView");
} else {
    // Validated users are routed by role
    if (usr.getUserRole().equals(UserRole.MARKETING_SALES_TEAM_MEMBER)) {
        return new ModelAndView("listAccountsRedirectView");
    } else if (usr.getUserRole().equals(UserRole.MANAGER)) {
        return new ModelAndView("redirectingManageView");
    } else {
        return new ModelAndView(getView());
    }
}
....
This is my Owasp.CsrfGuard.properties:
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.NewTokenLandingPage=/devices/welcome.do
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.unprotected.Public=/devices/welcome.do
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=128
org.owasp.csrfguard.PRNG=SHA1PRNG
And here is the result in the console:
[Thu Oct 08 10:17:26 CEST 2015] [Info] CsrfGuard analyzing request /devices/welcome/welcome.do
[Thu Oct 08 10:17:26 CEST 2015] [Info] CsrfGuard analyzing request /devices/welcome.do
[Thu Oct 08 10:17:26 CEST 2015] [Error] potential cross-site request forgery (CSRF) attack thwarted (user:joanet, ip:127.0.0.1, uri:/devices/welcome.do, error:required token is missing from the request)
<08-Oct-2015 10:17:31 o'clock CEST> <Warning> <Socket> <BEA-000449> <Closing the socket, as no data read from it on 127.0.0.1:54,138 during the configured idle timeout of 5 seconds.>
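The "required token is missing from the request" line in that log is the generic outcome of a synchronizer-token filter: a URI it treats as protected was reached by a request carrying no token parameter. The following is an added illustration of that mechanism written for this page; it is not CSRFGuard's source code and does not use its API. It models the settings in the properties above (TokenName, TokenLength, TokenPerPage, one unprotected path) with a plain Map standing in for HttpSession, matches paths by exact string comparison (an assumption, chosen only to keep the demo small), and uses a constructed target path /devices/accounts/update.do. The second rejection message is constructed wording for the demo; only the first comes from the log.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration, not CSRFGuard's source: a minimal synchronizer-token
 * check modelled on the properties file shown in the question. The session
 * is a plain Map standing in for HttpSession; paths are matched exactly
 * (an assumption made for brevity).
 */
public class CsrfCheckDemo {
    static final String TOKEN_NAME = "OWASP_CSRFTOKEN";            // org.owasp.csrfguard.TokenName
    static final int TOKEN_LENGTH = 128;                             // org.owasp.csrfguard.TokenLength
    static final String[] UNPROTECTED = { "/devices/welcome.do" };   // org.owasp.csrfguard.unprotected.Public
    static final SecureRandom RNG = new SecureRandom();

    /** Random token of TOKEN_LENGTH bytes, URL-safe base64 so it survives a form field or query string. */
    static String newToken() {
        byte[] buf = new byte[TOKEN_LENGTH];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** TokenPerPage=true: each protected URI gets its own token, created on first use and kept in the session. */
    static String tokenForPage(Map<String, String> session, String uri) {
        return session.computeIfAbsent("page:" + uri, k -> newToken());
    }

    static boolean isUnprotected(String uri) {
        for (String p : UNPROTECTED) {
            if (p.equals(uri)) return true;
        }
        return false;
    }

    /**
     * Returns null when the request may proceed, otherwise the reason it is
     * rejected. The first message is the one seen in the console log above;
     * the other two are constructed wording for this demo.
     */
    static String validate(Map<String, String> session, String uri, Map<String, String> params) {
        if (isUnprotected(uri)) return null;                      // exempt path: no token needed
        String presented = params.get(TOKEN_NAME);
        if (presented == null) return "required token is missing from the request";
        String expected = session.get("page:" + uri);
        if (expected == null) return "no page token exists for this uri";
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) return "request token does not match page token";
        return null;
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        Map<String, String> noParams = new HashMap<>();

        // 1. Landing page: listed as unprotected, so it passes with no token (null = allowed).
        System.out.println("/devices/welcome.do -> " + validate(session, "/devices/welcome.do", noParams));

        // 2. A protected page requested without a token: the same rejection the log shows.
        String target = "/devices/accounts/update.do";               // constructed path for the demo
        System.out.println(target + " (no token) -> " + validate(session, target, noParams));

        // 3. The page that renders the form must embed the page token; the later submit carries it back.
        Map<String, String> form = new HashMap<>();
        form.put(TOKEN_NAME, tokenForPage(session, target));
        System.out.println(target + " (with token) -> " + validate(session, target, form));

        // 4. A request from another origin has no way to read this session's token,
        //    so any value it sends is rejected by the comparison.
        form.put(TOKEN_NAME, newToken());
        System.out.println(target + " (foreign token) -> " + validate(session, target, form));
    }
}
```

The practical checks this suggests when reading the log: confirm what URI string the filter compares against the unprotected entries (with or without the context path, and for both /devices/welcome.do and /devices/welcome/welcome.do, since both appear in the log), and make sure every page that links or submits to a protected URI actually renders the token into the link, form or AJAX header, because the filter can only validate a token the page put there.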