您好我目前正在工作 CSRFGuard 3 ,令牌正确验证,但我收到以下错误。
java.lang.RuntimeException: unable to locate expected parameter Message
at org.owasp.csrfguard.action.AbstractAction.getParameter(AbstractAction.java:61)
at org.owasp.csrfguard.action.Log.execute(Log.java:44)
at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:373)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:78)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
请检查下面的代码
Owasp.CsrfGuard.properties
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.ProtoctedMethod=POST,PUT,DELETE
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.Log.Message=potential cross-site request forgery attack thwarted(user %user%, ip %remote_ip%)
org.owasp.csrfguard.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
**org.owasp.csrfguard.Protect=false**
org.owasp.csrfguard.unprotected.index=/contectpath/index.jsp
当标记org.owasp.csrfguard.Protect = true .Token验证方法时,它自己不会调用。
的web.xml
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>/WEB-INF/config/Owasp.CsrfGuard.properties</param-value>
</context-param>
<context-param>
<param-name>Owasp.CsrfGuard.Config.Print</param-name>
<param-value>true</param-value>
</context-param>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
点击F12,我可以看到 csrf:token-value 值。
任何人帮助我。我做错了什么
答案 0 :(得分:0)
OWASP Blog中的配置示例不正确。日志操作&#34;消息&#34;参数需要从该属性中的org.owasp.csrfguard.Log.Message =更改为org.owasp.csrfguard.action.Log.Message = .action 。
配置参考:https://www.owasp.org/index.php/CSRFGuard_3_Configuration