How to disable GET requests to JSP page?


Problem description


I am fixing some old defects and as part of one defect, I need to make sure that some requests are being only POST to the JSP page instead of a GET request. The application has a form which submits data to another JSP page (I know it's wrong and against MVC but too late to fix it); since it is a JSP page, we can POST the request or else we can GET the request. A malicious user can read the form and send the request as a GET from the browser like http://host:80/somejsp.jsp?param=value&param=value etc. In that case, it becomes a violation. I need to make sure that such GET requests are not processed. One way to do it is to perform the below steps in the JSP page -

<% if (request.getMethod().equals("GET")) {
       // reroute the user as it is not a valid request
       response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
       return; // stop the rest of the page from rendering
   }
%>

Is there any other way?

Recommended answer

Two solutions:


  1. Add a <security-constraint> with an empty <auth-constraint> on an <url-pattern> of *.jsp and <http-method> of GET which will block GET requests on JSP files to everyone (as suggested by McDowell):

<security-constraint>
    <display-name>Restrict GET requests on JSP files</display-name>
    <web-resource-collection>
        <web-resource-name>JSP files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>


  2. Create a Filter which listens on an <url-pattern> of *.jsp and does basically the following in the doFilter() method.

    if (((HttpServletRequest) request).getMethod().equals("GET")) {
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    } else {
        chain.doFilter(request, response);
    }

    No need to copy-paste the same over all JSP pages, which would only be prone to IllegalStateException: response already committed errors.
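A complete Filter for the second solution, added here as an example (not code from the answer above). It goes a step further than the answer's GET check by allow-listing POST only, so HEAD, OPTIONS and any other method are refused as well, and it sets the Allow header that RFC 7231 requires on a 405. The class name and the Servlet 3.0 @WebFilter registration are assumptions; on older containers, declare the same <filter> and <filter-mapping> with <url-pattern>*.jsp</url-pattern> in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; registered on every JSP through the Servlet 3.0
// annotation (equivalent to a <filter-mapping> on *.jsp in web.xml).
@WebFilter("*.jsp")
public class PostOnlyJspFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Allow-list instead of deny-list: only POST reaches the JSP, so GET is
        // refused and so are HEAD, OPTIONS and anything else a client might try.
        if (!"POST".equals(req.getMethod())) {
            // RFC 7231 requires a 405 response to carry an Allow header.
            resp.setHeader("Allow", "POST");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // do not continue the chain; the response is committed
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Filters apply to the REQUEST dispatcher by default, so JSPs reached through a server-side forward or include from a servlet are not affected by this check.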
