如何禁用对JSP页面的GET请求? [英] How to disable GET requests to JSP page?
问题描述
我正在修复一些旧的缺陷,并且作为一个缺陷的一部分,我需要确保某些请求仅是POST到JSP页面,而不是GET请求.该应用程序具有将数据提交到另一个JSP页面的表单(我知道它是错误的,并且针对MVC,但为时已晚,无法修复),因为它是一个JSP页面,因此我们可以发布请求,也可以获取请求.如果是恶意用户,可以从浏览器(如http://host:80/somejsp.jsp?param=value¶m=value
等)读取表格并以GET形式发送请求.在这种情况下,它将成为违规行为.我需要确保未处理此类GET请求.一种方法是在jsp页面中执行以下步骤-
I am fixing some old defects and as part of one defect, I need to make sure that some requests are being only POST to the JSP page instead of a GET request. The application have a form which submits data to another JSP page (I know its wrong and against MVC but too late to fix it), since it is a JSP page, so we can POST the request or else we can GET the request. In case of a malicious user, can read the form and send the request as a GET from the browser like http://host:80/somejsp.jsp?param=value¶m=value
etc. In that case, it becomes a violation. I need to make sure that such GET requests are not processed. One way to do is to perform the below steps in the jsp page -
if (request.getMethod().equals("GET")) {
// reroute the user as it is not a valid req
}
还有其他方法吗?
推荐答案
两种解决方案:
-
在
*.jsp
的<url-pattern>
和GET
的<http-method>
上添加带有空<auth-constraint>
的<security-constraint>
,这将阻止对所有人的JSP文件上的GET
请求(如麦克道尔):
Add a
<security-constraint>
with an empty<auth-constraint>
on an<url-pattern>
of*.jsp
and<http-method>
ofGET
which will blockGET
requests on JSP files to everyone (as suggested by McDowell):
<security-constraint>
<display-name>Restrict GET requests on JSP files</display-name>
<web-resource-collection>
<web-resource-name>JSP files</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
创建一个Filter
,该Filter
侦听*.jsp
的<url-pattern>
,并基本上在doFilter()
方法中执行以下操作.
Create a Filter
which listens on an <url-pattern>
of *.jsp
and does basically the following in the doFilter()
method.
if (((HttpServletRequest) request).getMethod().equals("GET")) {
((HttpServletResponse) response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
} else {
chain.doFilter(request, response);
}
无需在所有JSP页面上粘贴相同的内容,因为这只会导致IllegalStateException: response already committed
错误.
No need to copypaste the same over all JSP pages which would only be prone to IllegalStateException: response already committed
errors.
这篇关于如何禁用对JSP页面的GET请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!