servlet Filter不允许加载应用程序资源

时间:2016-06-20 14:07:50

标签: filter csrf servlet-filters csrf-protection

我试图阻止CSRF(Cross site request forgery)。为了防止CSRF我创建了过滤器来过滤每个请求。

在实现javax.servlet.Filter之后,按预期过滤器完成其工作。但是在实现servlet过滤器之后,我的应用程序资源没有正确加载。

CSS,jQuery,datatable,所有资源都没有正确加载,有些时候它们正在加载,有些时候没有加载。

在实施过滤器之前,它工作正常。

firebug中的示例错误:



 
"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/images/bg-report-content.jpg"

"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/images/bg-header.jpg"

tworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/css/dataTables.bootstrap.css"

"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/js/fnStandingRedraw.js"

"NetworkError: 500 Internal Server Error - http://localhost:8080/myApp/resources/js/dataTables.tableTools.js"




我如何实施CSRF过滤器

我正在做的是,我创建了一个名为LoadSalt的类,它创建了salt(随机数)。我在jsp中接受的随机数。和jsp一起发送请求。

LoadSalt calss 

public class LoadSalt implements Filter{

    public Cache<String, Boolean> csrfPreventionSaltCache= null;
    HttpServletRequest httpReq=null;
    //int count=0;

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        //count++;

        // Assume its HTTP  
        httpReq = (HttpServletRequest)request;

        if(httpReq.getAttribute("csrfPreventionSaltCache")!=null)
            {
            csrfPreventionSaltCache= (Cache<String, Boolean>) httpReq.getAttribute("csrfPreventionSaltCache");
            }

        if(csrfPreventionSaltCache == null)
        {
            // creating a new cache 
            csrfPreventionSaltCache = CacheBuilder.newBuilder().maximumSize(5000)
                    .expireAfterAccess(5, TimeUnit.MINUTES).build();
            // Setting to httpReq
            httpReq.setAttribute("csrfPreventionSaltCache", csrfPreventionSaltCache);
        }

        // Generate the salt and store it in the users cache
        String salt = RandomStringUtils.random(20, 0, 0, true, true, null, new SecureRandom());
        //System.out.println("Salt: "+salt);
        csrfPreventionSaltCache.put(salt, Boolean.TRUE);

        // Add the salt to the current request so it can be used
        // by the page rendered in this request
        httpReq.setAttribute("csrfPreventionSalt", salt);

        chain.doFilter(httpReq, response);

    }

    public void init(FilterConfig arg0) throws ServletException {
    }
    public void destroy() {
    }
}

验证盐的另一个过滤器 

public class ValidateSalt implements Filter {

    public Cache<String, Boolean> csrfPreventionSaltCache= null;

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // Assume its HTTP
        HttpServletRequest httpReq = (HttpServletRequest) request;
        HttpServletResponse httpResponse =(HttpServletResponse) response;

        String salt =(String) httpReq.getAttribute("csrfPreventionSalt");

     // Validate that the salt is in the cache
        if(httpReq.getAttribute("csrfPreventionSaltCache")!=null)
        {
         csrfPreventionSaltCache = (Cache<String, Boolean>) httpReq.getAttribute("csrfPreventionSaltCache");
        }

        if(csrfPreventionSaltCache !=null && salt !=null && csrfPreventionSaltCache.getIfPresent(salt)!=null)
        {

                String metodName =httpReq.getMethod();
                String saltFromJspPage = httpReq.getParameter("salt");  
                //String saltFromRequest =(String) httpReq.getAttribute("csrfPreventionSalt");


                if(metodName.equalsIgnoreCase("POST"))
                    {

                        if(saltFromJspPage!=null && csrfPreventionSaltCache.getIfPresent(saltFromJspPage)!=null)
                        {
                            chain.doFilter(httpReq, response);
                        else
                        {
                            //throw new ServletException("Potential CSRF detected!! Please contact to system admin ASAP.");
                            httpResponse.sendRedirect("/myApp/pages/pageNotFound.jsp");
                        }
                    }
                else
                {
                     chain.doFilter(httpReq, response);
                }
        }
        else
        {
            // Otherwise we throw an exception aborting the request flow
            //throw new ServletException("Potential CSRF detected!! Inform a scary sysadmin ASAP.");
            httpResponse.sendRedirect("/myApp/pages/pageNotFound.jsp");
        }
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
    public void destroy() { 
    }
}

web.xml中的servlet过滤器映射 

  <filter>
       <filter-name>loadSalt</filter-name>
       <filter-class>com.mpApp.security.LoadSalt</filter-class>
   </filter>

   <filter-mapping>
      <filter-name>loadSalt</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
       <filter-name>validateSalt</filter-name>
       <filter-class>com.mpApp.security.ValidateSalt</filter-class>
   </filter>            

  <filter-mapping>
       <filter-name>validateSalt</filter-name>
        <url-pattern>/*</url-pattern>
   </filter-mapping>

我的申请有什么问题?

为什么servlet过滤器不允许加载资源?虽然有时它确实有效,但有时却没有,

导致此问题的原因是什么?

我是否以错误的方式实现了servlet过滤器。

请帮忙。

1 个答案:

答案 0 :(得分:0)

URL模式太宽,将尝试将盐应用于每个请求。将其保留在可以设置并检查盐值的动态部分,例如/ transferOperationServlet或/ prettyImportantServlet或* .jsp

相关问题
最新问题