Spring MVC Security Token based Authentication


Question

Can anyone please help me with this? I have been assigned to secure an existing web application.

Issue: when a user has already logged into the application (that means the session is active), an attacker can guess the input fields, save the URL, create a similar page and send a hyperlink. If the user clicks on that link, it will not go through the JavaScript; rather it will hit the Spring controller directly. Since the session is active, it will save the attacker's data into the database.

Here is what we are using now.
1) Spring Security

<http auto-config="true"> 
    <intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_HR" />
    <custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</http>

<beans:bean id="siteminderFilter" class="com.mywbsite.security.UserFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
</beans:bean>

This method is called when the user logs into the application for the first time:

// Part of com.mywbsite.security.UserFilter, which extends
// org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {

    // The "uid" header is populated by the SiteMinder agent in front of the application;
    // it is only trustworthy if clients cannot reach the application without passing that agent.
    String userId = request.getHeader("uid");
    logger.info("<<<<<<<<<<<<<<<<<<<<<userId>>>>>>>>>>>>>>>>>>>>>>> : " + userId);

    return userId;
}

This method is called whenever the user does anything that reaches a controller:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    System.out.println(request.getParameter(BaseConstants.DV_USER_SESSION_IDENTIFIER));
    logger.info(request.getParameter(BaseConstants.DV_USER_SESSION_IDENTIFIER));
    logger.info("Exiting the UserFilter.doFilter method...");

    // Hand over to AbstractPreAuthenticatedProcessingFilter, which performs the
    // pre-authentication and then continues the filter chain; without this call
    // no request would ever reach the controllers.
    super.doFilter(request, response, chain);
}

Solution: In the controller/filter I have to identify whether the request is coming from my application or from anywhere else.

Here is what I am thinking of implementing.

  • Create a random token inside the getPreAuthenticatedPrincipal() method and store it in the session.
  • Get the variable from the session and put it in a hidden variable in the JSP.
  • When the user does any action, pass the hidden variable with its value to the controller as a request parameter.
  • In the controller/filter, get the random value from the session and the hidden value from the request parameter. Now compare them. If they match, do the normal operation; otherwise show an error page.

Now my concern is that if I implement the above solution, I have to write the hidden-variable code in every JSP and pass it to the controller as a request parameter in each request.

Can you please help me make this easier? Thanks in advance.

Answer

I resolved the above issue by using Spring CSRF. I faced an issue while implementing CSRF. The issue was that CSRF was creating 2 tokens. It took a long time (at least 1 day) to find the root cause. The root cause was that I was trying to get the csrf token value in my Filter and print it using the code below. So once I write the request.getAttribute("_csrf"), it creates a new token. So I just deleted the below lines from my csrf and just did what was described in the above Spring CSRF link. It worked.

//      CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
//      System.out.println(">>>>>>>>>>UserFilter.getPreAuthenticatedPrincipal() CSRF Token: " + token.getToken());
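The namespace configuration behind the answer, as an added example that is not part of the original post: the question's existing `<http>` block with Spring Security's own CSRF protection switched on. The `<csrf/>` element is available from Spring Security 3.2 onwards (it is off by default in 3.2 XML configuration and on by default from 4.0); everything else is the configuration already shown in the question.

```xml
<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_HR" />
    <custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
    <!-- CsrfFilter: keeps one token per HttpSession, exposes it to views as the
         "_csrf" request attribute, and rejects POST/PUT/PATCH/DELETE requests that
         do not carry it as the "_csrf" parameter or the X-CSRF-TOKEN header. -->
    <csrf />
</http>
```

In a plain JSP form the token is emitted with `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`; with Spring MVC's `<form:form>` tag the namespace configuration registers a CsrfRequestDataValueProcessor that inserts the hidden field automatically, which answers the concern about touching every JSP. Read the token only from the view layer or after the CsrfFilter has run; the answer's experience shows that reaching for the `_csrf` attribute inside the pre-authentication filter is the wrong place.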
