Preventing clickjacking attack
Question
Currently I'm working on a Vaadin project, where I'm trying to prevent clickjacking attacks on the project. After searching for a solution I found that adding the following snippet to web.xml would work:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
I've added the following dependency in pom.xml:
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-catalina</artifactId>
    <version>9.0.2</version>
</dependency>
I'm running the project on a Payara server.
The project runs but throws the following error:
Caused by: java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter not found by org.glassfish.main.web.core [69]
    at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1532)
    at org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:75)
    at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1955)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.core.ApplicationFilterConfig.loadFilterClass(ApplicationFilterConfig.java:283)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:253)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:123)
    ... 50 more
Which means my solution for preventing clickjacking attacks won't work :)
Any help will be appreciated :).
Accepted answer
I've solved this in the following way using web.xml:
First, create the following filter:
package com.groupbuilder.preventclickjacking;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackingPreventionFilter implements Filter
{
    // Frame policy sent in X-Frame-Options: DENY (never framed) or SAMEORIGIN (framed only by the same origin).
    private String mode = "DENY";

    // Add the X-Frame-Options response header to tell browsers not to display this
    // content in a frame on another site.
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        // setHeader replaces any value set earlier in the chain, so the response
        // never leaves with two conflicting X-Frame-Options values.
        res.setHeader("X-Frame-Options", mode);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode.trim().toUpperCase();
        }
        // Browsers only honour DENY and SAMEORIGIN; refuse anything else at startup.
        if (!mode.equals("DENY") && !mode.equals("SAMEORIGIN")) {
            throw new ServletException("Unsupported X-Frame-Options mode: " + mode);
        }
    }
}
Then I configured it in web.xml like the following:
<filter>
    <filter-name>ClickjackPreventionFilterDeny</filter-name>
    <filter-class>com.groupbuilder.preventclickjacking.ClickjackingPreventionFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ClickjackPreventionFilterDeny</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
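Once a filter like the one above is deployed, the thing worth verifying is that every response actually leaves the server with a header a browser will honour. The script below is an added example for that check; it is not code from the question, the answer, or the Vaadin or Payara projects. It parses a raw HTTP response, evaluates X-Frame-Options together with the Content-Security-Policy frame-ancestors directive the way current browsers do (frame-ancestors overrides X-Frame-Options when both are present, and the old ALLOW-FROM value is ignored), and runs against a handful of constructed responses. The check_url helper and the sample responses are assumptions for illustration, not captured traffic from any real server.

```python
"""Check whether an HTTP response carries clickjacking protection a browser will honour.

Added verification script (not part of the original Q&A). Sample responses
below are constructed, not captured from a real server.
"""
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

# A list rather than a dict so repeated header names are preserved.
Headers = List[Tuple[str, str]]


def parse_response_headers(raw: str) -> Headers:
    """Parse the header block of a raw HTTP response (status line first)."""
    headers: Headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def _frame_ancestors(csp_values: List[str]) -> List[str]:
    """Source list of the first frame-ancestors directive found, or [] if none."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:] or ["'none'"]  # an empty source list matches nothing
    return []


def assess(headers: Headers) -> Dict[str, object]:
    """Decide whether a hostile origin could frame this response."""
    notes: List[str] = []
    xfo = [v for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    if not csp and any(n == "content-security-policy-report-only" for n, _ in headers):
        notes.append("CSP is report-only and blocks nothing")

    ancestors = {s.lower() for s in _frame_ancestors(csp)}
    if ancestors:
        # Browsers that understand frame-ancestors ignore X-Frame-Options entirely.
        protected = "*" not in ancestors and not ancestors & {"http:", "https:"}
        if not protected:
            notes.append("frame-ancestors allows any origin and overrides X-Frame-Options")
        return {"xfo": xfo, "frame_ancestors": sorted(ancestors), "protected": protected, "notes": notes}

    if not xfo:
        notes.append("no X-Frame-Options and no frame-ancestors: framable by any site")
        return {"xfo": xfo, "frame_ancestors": [], "protected": False, "notes": notes}

    # The header may appear twice (e.g. app filter plus reverse proxy) or carry a
    # comma-joined list; either way the values must agree to be trusted.
    values = {part.strip().upper() for v in xfo for part in v.split(",")}
    if len(values) > 1:
        notes.append("conflicting X-Frame-Options values; browsers disagree on the result")
        protected = False
    elif values <= {"DENY", "SAMEORIGIN"}:
        protected = True
    else:
        notes.append("X-Frame-Options is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete and ignored)")
        protected = False
    return {"xfo": xfo, "frame_ancestors": [], "protected": protected, "notes": notes}


def check_url(url: str) -> Dict[str, object]:
    """Fetch one URL of the deployed app and assess it (needs network; assumed helper)."""
    with urlopen(Request(url, headers={"User-Agent": "xfo-check"})) as resp:
        return assess([(n.lower(), v) for n, v in resp.getheaders()])


# Constructed sample responses covering the cases a deployment usually gets wrong.
SAMPLES = {
    "custom_filter_deny": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html>",
    "no_protection": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n",
    "csp_none": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
    "csp_overrides_xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n",
    "duplicate_conflict": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
}


def run_samples() -> Dict[str, bool]:
    """Assess every constructed sample; returns name -> protected."""
    return {name: bool(assess(parse_response_headers(raw))["protected"]) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = assess(parse_response_headers(raw))
        print(f"{name:20} protected={str(result['protected']):5} {'; '.join(result['notes'])}")
```

Run check_url() against every path the /* mapping is supposed to cover on the deployed app, static resources included, because a reverse proxy or CDN in front of Payara can serve those without the request ever reaching the filter. If you later add a Content-Security-Policy, keep a frame-ancestors directive in it: a CSP without that directive leaves X-Frame-Options in charge, while a CSP with frame-ancestors * silently switches it off.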