如何在JSF-Spring集成应用程序中启用CSRF保护 [英] How to enable CSRF protection in JSF-Spring integrated application
问题描述
我有一个JSF-Spring集成应用程序. Spring Security也集成在此应用程序中.这些是我的应用程序中的版本:
I have a JSF-Spring integrated application. Spring security is also integrated in this application. These are the versions in my application:
- JSF 2.2
- 春季4.0.3.发布
- Spring Security 3.2.4.发布
根据 JSF doc JSF2.x(甚至旧版本)中的所有POST请求都将受CSRF保护.但是我可以通过CSRF攻击渗透我的应用程序.
As per the JSF doc all the POST request in JSF2.x [or even old versions] will be CSRF protected. However I am able to penetrate my application with CSRF attack.
我尝试了另一个仅JSF2.2的[no Spring]示例应用程序,在这种情况下,我可以看到此示例应用程序受CSRF保护.
I tried a different JSF2.2 only [no Spring] example application, in that case I can see this example application is CSRF protected.
所以我的理解是,JSF/Spring/Spring安全组合在我的原始应用程序中出现了问题. 不幸的是,日志文件中没有任何帮助信息.
So my understanding is, the JSF/Spring /Spring security combination is giving issue in my original application. Unfortunately there is no helping info from the log files.
我可以尝试使用 Spring Security CSRF保护.在那种情况下,挑战在于我需要在所有POST情况下都编辑代码.
I can try with the Spring Security CSRF protection. In that case the challenge is I need to edit the code in all POST cases.
我正在寻求启用JSF CSRF保护以避免此代码更改.有什么建议吗?
I am looking to enable JSF CSRF protection to avoid this code change. Any suggestion?
我正在使用皮纳塔进行测试.
推荐答案
经过Spring 4.3.7和Spring Security 4.2.2的测试.
您需要将CSRF令牌添加到应用程序中的每个form
. 任何PATCH, POST,PUT和DELETE 将受Spring安全性保护(用于基本动词).
为了避免在每个表单中手动插入隐藏的输入,您可以在提供的表单之上创建一个FormRenderer:
You need to add a CSRF token to every form
in your application. Any PATCH, POST, PUT and DELETE will be protected by Spring security (for the basic verbs).
To avoid inserting a hidden input in every form manually you can create a FormRenderer on top of the provided one :
import com.sun.faces.renderkit.html_basic.FormRenderer;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import java.io.IOException;
public class FormWithCSRFRenderer extends FormRenderer {
@Override
public void encodeEnd(FacesContext context, UIComponent component) throws IOException {
log.debug("FormWithCSRFRenderer - Adding CSRF Token to form element");
ELContext elContext = context.getELContext();
ExpressionFactory expFactory = context.getApplication().getExpressionFactory();
ResponseWriter writer = context.getResponseWriter();
writer.startElement("input", component);
writer.writeAttribute("type", "hidden", null);
writer.writeAttribute("name", expFactory.createValueExpression(elContext, "${_csrf.parameterName}", String.class).getValue(elContext), null);
writer.writeAttribute("value", expFactory.createValueExpression(elContext, "${_csrf.token}", String.class).getValue(elContext), null);
writer.endElement("input");
writer.write("\n");
super.encodeEnd(context, component);
}
}
然后通过在faces-config.xml
中进行设置来注册它以覆盖FormRenderer:
Then register it to override the FormRenderer by setting it in faces-config.xml
:
<?xml version="1.0" encoding="UTF-8"?>
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
version="2.2">
<render-kit>
<renderer>
<component-family>javax.faces.Form</component-family>
<renderer-type>javax.faces.Form</renderer-type>
<renderer-class>com.acme.FormWithCSRFRenderer</renderer-class>
</renderer>
</render-kit>
</faces-config>
也不要忘记在您的spring上下文中启用CSRF:
Also don't forget to enable CSRF in your spring context :
<security:http auto-config="true" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint"
use-expressions="true">
<security:csrf/>
<security:access-denied-handler error-page="/exception/accessDenied.xhtml"/>
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMINISTRATOR','ROLE_GUEST')"/>
<security:intercept-url pattern="/exception/accessDenied.xhtml" access="permitAll"/>
</security:http>
对于AJAX调用,您还需要将此令牌添加到任何受保护的HTTP动词的数据中.您可以直接从DOM中检索令牌.
For your AJAX calls, you will also need to add this token in the data of any protected HTTP Verb. You can retrieve the token directly from the DOM.
这篇关于如何在JSF-Spring集成应用程序中启用CSRF保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!