Add CSRF token to all the FORM submissions


Question


I recently enabled CSRF protection in my web application. There are around 100+ JSP pages containing FORM submissions. What is the best way of adding the CSRF token:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 


such that all the form submissions will have this form data? I don't want to add this parameter to every individual FORM submit.

Answer


So I've finally found a working solution. Basically I create a custom FormRenderer like this:

import com.sun.faces.renderkit.html_basic.FormRenderer;

import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import java.io.IOException;

// The original snippet used "log" without declaring it; an SLF4J logger is assumed here.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class FormWithCSRFRenderer extends FormRenderer {

    private static final Logger log = LoggerFactory.getLogger(FormWithCSRFRenderer.class);

    @Override
    public void encodeEnd(FacesContext context, UIComponent component) throws IOException {
        log.debug("FormWithCSRFRenderer - Adding CSRF Token to form element");
        // Evaluate the same EL the JSP snippet uses; Spring Security exposes the
        // CsrfToken object to the view as the request attribute "_csrf".
        ELContext elContext = context.getELContext();
        ExpressionFactory expFactory = context.getApplication().getExpressionFactory();

        // Emit the hidden input inside the <form>, just before super.encodeEnd()
        // writes the closing </form> tag. writeAttribute() escapes the values.
        ResponseWriter writer = context.getResponseWriter();
        writer.startElement("input", component);
        writer.writeAttribute("type", "hidden", null);
        writer.writeAttribute("name", expFactory.createValueExpression(elContext, "${_csrf.parameterName}", String.class).getValue(elContext), null);
        writer.writeAttribute("value", expFactory.createValueExpression(elContext, "${_csrf.token}", String.class).getValue(elContext), null);
        writer.endElement("input");
        writer.write("\n");
        super.encodeEnd(context, component);
    }
}


Then register it to override the FormRenderer by setting it in faces-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">
    <render-kit>
        <renderer>
            <component-family>javax.faces.Form</component-family>
            <renderer-type>javax.faces.Form</renderer-type>
            <renderer-class>com.acme.FormWithCSRFRenderer</renderer-class>
        </renderer>
    </render-kit>
</faces-config>


I've tried to create a Component and then add it as a child, but it wouldn't let me set the name of the input correctly, so I write it directly.
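The renderer above evaluates the EL strings unconditionally, so if a request never passed through Spring Security's CsrfFilter (for example because the filter chain excludes that URL) the expressions resolve to null and the form is rendered without a usable token, only to be rejected on submit. The following variant, an added example and not the answerer's code, reads the CsrfToken object directly from the request map and logs a warning instead of writing an empty input when it is absent. It assumes Mojarra's FormRenderer and Spring Security's org.springframework.security.web.csrf.CsrfToken are on the classpath; the class name CsrfAwareFormRenderer is a placeholder you would register in faces-config.xml exactly as shown above.

```java
import com.sun.faces.renderkit.html_basic.FormRenderer;

import javax.faces.component.UIComponent;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import java.io.IOException;
import java.util.Map;

import org.springframework.security.web.csrf.CsrfToken;

/**
 * Added example (not the original answer's code): same idea as FormWithCSRFRenderer,
 * but resolves the CsrfToken from the request map with a null check instead of
 * evaluating "${_csrf.parameterName}" / "${_csrf.token}" through EL.
 */
public class CsrfAwareFormRenderer extends FormRenderer {

    @Override
    public void encodeEnd(FacesContext context, UIComponent component) throws IOException {
        ExternalContext external = context.getExternalContext();
        Map<String, Object> requestMap = external.getRequestMap();

        // CsrfFilter stores the token under CsrfToken.class.getName() and, as an alias,
        // under the parameter name ("_csrf" by default, which is what the EL uses).
        Object attribute = requestMap.get(CsrfToken.class.getName());

        if (attribute instanceof CsrfToken) {
            writeHiddenInput(context.getResponseWriter(), component, (CsrfToken) attribute);
        } else {
            // Failure mode: no token means this request bypassed CsrfFilter.
            // Log it so the misconfiguration is visible instead of surfacing later
            // as a rejected POST.
            external.log("CSRF token missing for form '" + component.getClientId(context)
                    + "'; is CsrfFilter applied to this request?");
        }
        // Let the stock renderer close the <form> element.
        super.encodeEnd(context, component);
    }

    /** Writes the hidden field that the CsrfFilter expects on every state-changing submit. */
    static void writeHiddenInput(ResponseWriter writer, UIComponent component, CsrfToken token)
            throws IOException {
        writer.startElement("input", component);
        writer.writeAttribute("type", "hidden", null);
        // Use the names the filter publishes rather than hard-coding "_csrf".
        writer.writeAttribute("name", token.getParameterName(), null);
        // ResponseWriter escapes attribute values, so the token cannot break the markup.
        writer.writeAttribute("value", token.getToken(), null);
        writer.endElement("input");
        writer.write("\n");
    }
}
```

Reading the token object rather than the EL strings also gives you token.getHeaderName(), which is what an AJAX-driven page needs to send the same value as a request header, so one renderer can serve both plain form posts and JSF AJAX requests.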
