我做错了什么?我无法使javascript注入工作。这是我放在web.xml中的内容:
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>WEB-INF/csrfguard.properties</param-value>
</context-param>
<context-param>
<param-name>Owasp.CsrfGuard.Config.Print</param-name>
<param-value>true</param-value>
</context-param>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
在我的jsp文件中,我添加了这一行:
<script src="/JavaScriptServlet"></script>
但是当我提交时,令牌不会被添加到请求中。我逐步完成了代码,CsrfGuard.verifySessionToken(request)中的这一行返回null:
String tokenFromRequest = request.getParameter(getTokenName());
到目前为止,我唯一能做的就是使用CSRF自定义标记添加令牌并在表单ala中添加隐藏字段:
<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
答案 0 :(得分:0)
看起来我必须弄清楚我的servlet上下文根目录是什么。然后我通过改变
来修复它<script src="/JavaScriptServlet"></script>
到
<script src="/[servletcontextroot]/JavaScriptServlet"></script>
答案 1 :(得分:0)
就我而言,在设置基本路径后添加脚本标记时,它工作正常。