我们正在将一个应用程序从 GlassFish 2.1 迁移到 WebLogic 12.1.1.0（远程服务器）。该应用程序使用 OWASP CSRFGuard 进行 CSRF 防护。部署到 WebLogic 时，CsrfGuardServletContextListener 初始化失败，服务器日志如下：
<BEA-101162> <User defined listener org.owasp.csrfguard.CsrfGuardServletContextListener failed: java.lang.RuntimeException: java.lang.NullPointerException.
java.lang.RuntimeException: java.lang.NullPointerException
at org.owasp.csrfguard.CsrfGuardServletContextListener.contextInitialized(CsrfGuardServletContextListener.java:40)
at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:582)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
at weblogic.servlet.internal.EventsManager.executeContextListener(EventsManager.java:233)
at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:190)
at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:175)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1730)
at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:2740)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1704)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:781)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:212)
at weblogic.application.internal.ExtensibleModuleWrapper.start(ExtensibleModuleWrapper.java:111)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:124)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:24)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:729)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:258)
at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:48)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:165)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:582)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:148)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:114)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:335)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: java.lang.NullPointerException
at java.io.File.<init>(File.java:222)
at org.owasp.csrfguard.CsrfGuardServletContextListener.getResourceStream(CsrfGuardServletContextListener.java:67)
at org.owasp.csrfguard.CsrfGuardServletContextListener.contextInitialized(CsrfGuardServletContextListener.java:36)
at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:582)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
at weblogic.servlet.internal.EventsManager.executeContextListener(EventsManager.java:233)
at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:190)
at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:175)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1730)
at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:2740)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1704)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:781)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:212)
at weblogic.application.internal.ExtensibleModuleWrapper.start(ExtensibleModuleWrapper.java:111)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:124)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:24)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:729)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:35)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:258)
at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:48)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:165)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:582)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:148)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:114)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:335)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
>
我的 web.xml 如下所示：
<!-- Application pagination defaults (values 5 and 2); how they are consumed is not shown here. -->
<context-param>
<param-name>paginationDefItemsPerPage</param-name>
<param-value>5</param-value>
</context-param>
<context-param>
<param-name>paginationPagesPerCache</param-name>
<param-value>2</param-value>
</context-param>
<!-- CSRF: context-relative location of the OWASP CSRFGuard properties file.
     NOTE(review): the reported startup failure is a NullPointerException thrown by the java.io.File
     constructor inside CsrfGuardServletContextListener.getResourceStream, so a null path reached
     new File(...). Presumably the listener turns this value into a file-system path with
     ServletContext.getRealPath(), which may return null when the WAR is deployed as an archive
     instead of an exploded directory. Confirm against the listener source of the csrfguard.jar in use. -->
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>/WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>
<!-- NOTE(review): presumably makes CSRFGuard print its loaded configuration at startup. Check that
     nothing sensitive ends up in the server log and consider disabling it outside troubleshooting. -->
<context-param>
<param-name>Owasp.CsrfGuard.Config.Print</param-name>
<param-value>true</param-value>
</context-param>
<!-- End of CSRF context parameters -->
<!-- Spring CharacterEncodingFilter: forces UTF-8 as the request character encoding. -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<!-- Application multipart filter (implementation not shown). Per its own description it parses
     multipart form data so that regular fields appear in the request parameter map. -->
<filter>
<description>
Check for multipart HttpServletRequests and parse the multipart form data so that all
regular form fields are available in the parameterMap of the HttpServletRequest and that
all form file fields are available as attribute of the HttpServletRequest. The attribute
value of a form file field can be an instance of FileItem or FileUploadException.
</description>
<filter-name>multipartFilter</filter-name>
<filter-class>org.cctns.cas.state.online.filter.MultipartFilter</filter-class>
<init-param>
<description>
Sets the maximum file size of the uploaded file in bytes. Set to 0 to indicate an
unlimited file size. The example value of 1048576 indicates a maximum file size of
1MB. This parameter is not required and can be removed safely.
</description>
<param-name>maxFileSize</param-name>
<!-- NOTE(review): 0 means unlimited per the description above, and this filter is mapped to /*.
     An unbounded upload size lets a single request consume disk or memory; set a finite limit
     that matches the largest legitimate upload. -->
<param-value>0</param-value>
</init-param>
</filter>
<!-- Application XSS filter (implementation not shown).
     NOTE(review): request-side filtering is only a supplementary control; verify that views
     also apply context-aware output encoding. -->
<filter>
<filter-name>XSS</filter-name>
<filter-class>org.cctns.cas.state.online.filter.CrossScriptingFilter</filter-class>
</filter>
<!-- The three filters above apply to every request. For url-pattern mappings the container
     builds the chain in the order the filter-mapping elements appear in this file. -->
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>multipartFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>XSS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring application context files read by the ContextLoaderListener declared in this
     descriptor; the second file holds the Spring Security configuration. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<!-- Application authentication filter (implementation not shown), applied to *.htm only. -->
<filter>
<filter-name>authfilter</filter-name>
<filter-class>org.cctns.cas.state.online.filter.AuthFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>authfilter</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
<!-- Spring Security entry point: delegates to the bean named springSecurityFilterChain. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Application response filter (implementation not shown) for pages and static assets. -->
<filter>
<filter-name>responseFilter</filter-name>
<filter-class>org.cctns.cas.state.online.filter.ResponseFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>responseFilter</filter-name>
<url-pattern>*.htm</url-pattern>
<url-pattern>*.css</url-pattern>
<url-pattern>*.js</url-pattern>
<url-pattern>*.jpg</url-pattern>
<url-pattern>*.gif</url-pattern>
<url-pattern>*.ico</url-pattern>
</filter-mapping>
<!-- OWASP CSRFGuard token validation filter. Its mapping is declared last, so for a *.htm request
     it runs after all filters mapped earlier in this file, including the multipart filter.
     NOTE(review): only *.htm is covered. Any state-changing endpoint reachable under another
     URL pattern is not checked by CSRFGuard; confirm that every such endpoint ends in .htm. -->
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
<!-- Spring listeners: ContextLoaderListener boots the root application context from
     contextConfigLocation; RequestContextListener exposes the current request to Spring. -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- Disabled captcha servlet definition, kept commented out; the active one follows below. -->
<!--<servlet>
<servlet-name>SimpleCaptcha</servlet-name>
<servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
<servlet-class><servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
</servlet>-->
<!-- Application captcha servlet, served at /simpleCaptcha.jpg. -->
<servlet>
<servlet-name>SimpleCaptchaServlet</servlet-name>
<servlet-class>org.cctns.cas.state.online.login.spring.SimpleCaptchaServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SimpleCaptchaServlet</servlet-name>
<url-pattern>/simpleCaptcha.jpg</url-pattern>
</servlet-mapping>
<!-- Spring MVC front controller; handles *.htm, the same pattern the CSRFGuard filter is mapped to. -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<!-- CSRFGuard JavaScript servlet, served at /JavaScriptServlet, configured to inject tokens into
     forms and attributes.
     NOTE(review): source-file is another context-relative path. If this servlet resolves it the
     same way the context listener resolves its properties file, it may fail on the same null
     path once the listener problem is fixed; verify after redeploying. -->
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
<init-param>
<param-name>source-file</param-name>
<param-value>/WEB-INF/Owasp.CsrfGuard.js</param-value>
</init-param>
<init-param>
<param-name>inject-into-forms</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>inject-into-attributes</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>domain-strict</param-name>
<param-value>true</param-value>
</init-param>
<!-- NOTE(review): referer-pattern is disabled below, so the servlet's built-in default applies.
     Confirm that default is restrictive enough for the production host name; the sample value
     only matches a local development URL. -->
<!--<init-param>
<param-name>referer-pattern</param-name>
<param-value>http://localhost:8080.*</param-value>
</init-param>-->
<init-param>
<param-name>x-requested-with</param-name>
<param-value>OWASP CSRFGuard Project</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
<!-- Idle session timeout; the deployment descriptor expresses this value in minutes. -->
<session-config>
<session-timeout>
20
</session-timeout>
</session-config>
<!-- Publishes HTTP session lifecycle events to the Spring context for Spring Security. -->
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<!-- Application session listener (implementation not shown). -->
<listener>
<listener-class>
org.cctns.cas.state.online.login.spring.SessionTimeOutController
</listener-class>
</listener>
<!-- CSRF: CSRFGuard listeners. CsrfGuardServletContextListener is the listener whose
     contextInitialized fails in the reported stack trace (WebLogic message BEA-101162).
     NOTE(review): verify that a failure here aborts the deployment instead of leaving the
     application running without CSRF protection. -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<!-- End of CSRF listeners -->
<!-- Welcome page and custom error pages; the custom pages replace the container's default
     error output for 404 and 500 responses. -->
<welcome-file-list>
<welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
<error-page>
<error-code>404</error-code>
<location>/errors/404.htm</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/errors/500.htm</location>
</error-page>
<!-- Denies PUT, HEAD, OPTIONS, TRACE and DELETE on every URL: the auth-constraint is empty,
     which means no role is allowed to use the listed methods.
     NOTE(review): this is a deny-list. Methods that are not listed are not covered by this
     constraint. If only GET and POST are intended, an allow-list form (for example the
     Servlet 3.0 http-method-omission element) is harder to bypass; confirm the descriptor
     version supports it before changing. -->
<security-constraint>
<display-name>RestrictedRequests</display-name>
<web-resource-collection>
<web-resource-name>RestrictedRequests</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
</web-app>
使用的 CSRFGuard jar 文件是 csrfguard.jar。