<bea-101020> Servlet在org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:68)中出现异常java.lang.NullPointerException失败

时间:2016-10-25 12:45:53

标签: servlets

我们正在将一个应用程序从Glassfish 2.1迁移到Weblogic 12.1.1.0。它是一个远程服务器。 我们还使用OWASP CSRFGuard保护了这个应用程序。

 <BEA-101162> <User defined listener org.owasp.csrfguard.CsrfGuardServletContextListener failed: java.lang.RuntimeException: java.lang.NullPointerException.
    java.lang.RuntimeException: java.lang.NullPointerException
            at org.owasp.csrfguard.CsrfGuardServletContextListener.contextInitialized(CsrfGuardServletContextListener.java:40)
            at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:582)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
            at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
            at weblogic.servlet.internal.EventsManager.executeContextListener(EventsManager.java:233)
            at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:190)
            at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:175)
            at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1730)
            at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:2740)
            at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1704)
            at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:781)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
            at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
            at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:212)
            at weblogic.application.internal.ExtensibleModuleWrapper.start(ExtensibleModuleWrapper.java:111)
            at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:124)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
            at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
            at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:24)
            at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:729)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
            at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:258)
            at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:48)
            at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:165)
            at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
            at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:582)
            at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:148)
            at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:114)
            at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:335)
            at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
            at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
            at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
            at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
            at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused By: java.lang.NullPointerException
            at java.io.File.<init>(File.java:222)
            at org.owasp.csrfguard.CsrfGuardServletContextListener.getResourceStream(CsrfGuardServletContextListener.java:67)
            at org.owasp.csrfguard.CsrfGuardServletContextListener.contextInitialized(CsrfGuardServletContextListener.java:36)
            at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:582)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
            at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
            at weblogic.servlet.internal.EventsManager.executeContextListener(EventsManager.java:233)
            at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:190)
            at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:175)
            at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1730)
            at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:2740)
            at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1704)
            at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:781)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
            at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
            at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:212)
            at weblogic.application.internal.ExtensibleModuleWrapper.start(ExtensibleModuleWrapper.java:111)
            at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:124)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
            at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
            at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
            at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:24)
            at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:729)
            at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
            at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:258)
            at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:48)
            at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:165)
            at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
            at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:582)
            at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:148)
            at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:114)
            at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:335)
            at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
            at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
            at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
            at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
            at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
            at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    >

我的Web.xml如下所示。

<context-param>
        <param-name>paginationDefItemsPerPage</param-name>
        <param-value>5</param-value>
    </context-param>
    <context-param>
        <param-name>paginationPagesPerCache</param-name>
        <param-value>2</param-value>
    </context-param>
    <!-- CSRF -->
    <context-param>
        <param-name>Owasp.CsrfGuard.Config</param-name>
        <param-value>/WEB-INF/Owasp.CsrfGuard.properties</param-value>
    </context-param>
    <context-param>
        <param-name>Owasp.CsrfGuard.Config.Print</param-name>
        <param-value>true</param-value>
    </context-param>
    <!-- CSRF -->
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter>
        <description>
        Check for multipart HttpServletRequests and parse the multipart form data so that all
        regular form fields are available in the parameterMap of the HttpServletRequest and that
        all form file fields are available as attribute of the HttpServletRequest. The attribute
        value of a form file field can be an instance of FileItem or FileUploadException.
    </description>
        <filter-name>multipartFilter</filter-name>
        <filter-class>org.cctns.cas.state.online.filter.MultipartFilter</filter-class>
        <init-param>
            <description>
            Sets the maximum file size of the uploaded file in bytes. Set to 0 to indicate an
            unlimited file size. The example value of 1048576 indicates a maximum file size of
            1MB. This parameter is not required and can be removed safely.
        </description>
            <param-name>maxFileSize</param-name>
            <param-value>0</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>XSS</filter-name>
        <filter-class>org.cctns.cas.state.online.filter.CrossScriptingFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>multipartFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>XSS</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext.xml
            /WEB-INF/applicationContext-security.xml
            </param-value>
    </context-param>

    <filter>
        <filter-name>authfilter</filter-name>
        <filter-class>org.cctns.cas.state.online.filter.AuthFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>authfilter</filter-name>
        <url-pattern>*.htm</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>responseFilter</filter-name>
        <filter-class>org.cctns.cas.state.online.filter.ResponseFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>responseFilter</filter-name>
        <url-pattern>*.htm</url-pattern>

        <url-pattern>*.css</url-pattern>
        <url-pattern>*.js</url-pattern>
        <url-pattern>*.jpg</url-pattern>
        <url-pattern>*.gif</url-pattern>
        <url-pattern>*.ico</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name> 
        <url-pattern>*.htm</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

     <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>

    <!--<servlet>
        <servlet-name>SimpleCaptcha</servlet-name>
        <servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class> 
        <servlet-class><servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
    </servlet>-->
    <servlet>
        <servlet-name>SimpleCaptchaServlet</servlet-name>
        <servlet-class>org.cctns.cas.state.online.login.spring.SimpleCaptchaServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>SimpleCaptchaServlet</servlet-name>
        <url-pattern>/simpleCaptcha.jpg</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>*.htm</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
        <init-param>
                <param-name>source-file</param-name>
                <param-value>/WEB-INF/Owasp.CsrfGuard.js</param-value>
        </init-param>
        <init-param>
                <param-name>inject-into-forms</param-name>
                <param-value>true</param-value>
        </init-param>
        <init-param>
                <param-name>inject-into-attributes</param-name>
                <param-value>true</param-value>
        </init-param>
        <init-param>
                <param-name>domain-strict</param-name>
                <param-value>true</param-value>
        </init-param>
        <!--<init-param>
                <param-name>referer-pattern</param-name>
                <param-value>http://localhost:8080.*</param-value>
        </init-param>-->
        <init-param>
                <param-name>x-requested-with</param-name>
                <param-value>OWASP CSRFGuard Project</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
            <servlet-name>JavaScriptServlet</servlet-name>
            <url-pattern>/JavaScriptServlet</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            20
        </session-timeout>
    </session-config>
    <listener>
        <listener-class>
            org.springframework.security.web.session.HttpSessionEventPublisher
        </listener-class>
    </listener>
     <listener> 
        <listener-class>
            org.cctns.cas.state.online.login.spring.SessionTimeOutController
        </listener-class>
    </listener>
    <!-- CSRF -->
     <listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>
    <!-- CSRF -->
    <welcome-file-list>
        <welcome-file>redirect.jsp</welcome-file>
    </welcome-file-list>
    <error-page>
        <error-code>404</error-code>
        <location>/errors/404.htm</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/errors/500.htm</location>
    </error-page>
    <security-constraint>
        <display-name>RestrictedRequests</display-name>
        <web-resource-collection>
            <web-resource-name>RestrictedRequests</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
</web-app>

CSRFGuard的jar文件是csrfguard.jar

0 个答案:

没有答案