Preventing clickjacking attacks

Time: 2017-12-08 11:41:34

Tags: java apache maven vaadin clickjacking

I am currently working on a Vaadin project and I am trying to protect it against clickjacking attacks. After searching for a solution, I found that adding the following snippet to web.xml should work:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I added the following dependency to pom.xml:

<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-catalina</artifactId>
    <version>9.0.2</version>
</dependency>

I run the project on a Payara server.

The project runs but throws the following error:


Caused by: java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter not found by org.glassfish.main.web.core [69]
    at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1532)
    at org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:75)
    at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1955)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.core.ApplicationFilterConfig.loadFilterClass(ApplicationFilterConfig.java:283)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:253)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:123)
    ... 50 more

This means my solution for preventing clickjacking attacks does not work :)

Any help would be appreciated :).

1 answer:

Answer 0: (score: 0)

I solved this problem using web.xml in the following way:

First I created the following filter:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackingPreventionFilter implements Filter
{
    // Default mode; overridden by the "mode" init-param in web.xml.
    private String mode = "DENY";

    // Add the X-Frame-Options response header to tell browsers not to display
    // this content inside a frame (DENY) or only in frames from the same origin (SAMEORIGIN).
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        // Set the header before continuing the chain, i.e. before the response is committed.
        res.addHeader("X-FRAME-OPTIONS", mode);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode;
        }
    }
}

Then I configured it in web.xml as follows:

<filter>
    <filter-name>ClickjackPreventionFilterDeny</filter-name>
    <filter-class>com.groupbuilder.preventclickjacking.ClickjackingPreventionFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ClickjackPreventionFilterDeny</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
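The stack trace in the question shows the Tomcat filter class being resolved by Payara's own web-core bundle rather than by the web application, which is why shipping tomcat-catalina in the WAR did not help; a filter compiled into the application, as in the answer, sidesteps that. The following is an added example (not code from the question, the answer, or Vaadin/Payara) of such a filter hardened in three ways: it validates the mode so a typo in the init-param fails deployment instead of silently disabling the protection, it emits the Content-Security-Policy frame-ancestors directive alongside X-Frame-Options, and it registers itself with the Servlet 3.0 @WebFilter annotation so no web.xml entry is needed. The package name, class name and filter name are assumptions; asyncSupported mirrors the async-supported flag in the question's original Tomcat configuration, which Vaadin server push requires on every filter in the chain.

```java
package com.example.security; // hypothetical package, chosen for this example

import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

/**
 * Anti-framing filter (example, not part of the answer above).
 * Sends the legacy X-Frame-Options header and the CSP frame-ancestors
 * directive that supersedes it, so both old and current browsers refuse
 * to render the page inside a third-party frame.
 */
@WebFilter(
        filterName = "frameOptionsFilter",          // assumed name
        urlPatterns = "/*",
        asyncSupported = true,                      // needed for Vaadin push (Atmosphere)
        initParams = @WebInitParam(name = "mode", value = "DENY"))
public class FrameOptionsFilter implements Filter {

    /** Effective mode, normalised to DENY or SAMEORIGIN. */
    private String mode = "DENY";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        mode = normaliseMode(filterConfig.getInitParameter("mode"));
    }

    /**
     * Accept only the two values every browser implements. A misspelled
     * init-param would otherwise be sent verbatim and ignored by browsers,
     * leaving the page frameable, so reject it at deployment time instead.
     */
    static String normaliseMode(String configured) throws ServletException {
        if (configured == null || configured.trim().isEmpty()) {
            return "DENY";
        }
        String m = configured.trim().toUpperCase(Locale.ROOT);
        if (!m.equals("DENY") && !m.equals("SAMEORIGIN")) {
            throw new ServletException(
                    "Unsupported X-Frame-Options mode '" + configured + "'; use DENY or SAMEORIGIN");
        }
        return m;
    }

    /** CSP directive equivalent to the given X-Frame-Options mode. */
    static String frameAncestorsFor(String mode) {
        return "frame-ancestors " + (mode.equals("DENY") ? "'none'" : "'self'");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) response;
            // setHeader rather than addHeader: replaces any value set earlier in the
            // chain, so the response never carries two conflicting X-Frame-Options headers.
            res.setHeader("X-Frame-Options", mode);
            res.setHeader("Content-Security-Policy", frameAncestorsFor(mode));
        }
        // Headers are set before the chain runs, i.e. before the response is committed;
        // anything set after chain.doFilter() returns may already be too late.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

If the application already sends its own Content-Security-Policy header, merge `frame-ancestors` into that policy instead of calling `setHeader` on it here, since `setHeader` replaces the existing value. After deployment, confirm the protection with a plain request to any URL of the application and check that the response carries both headers; a missing header on any path means the url-pattern or filter ordering needs attention.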