HOWTO做CSRF保护Struts2的应用AJAX请求 [英] HOWTO do CSRF protection in Struts2 application for AJAX requests

问题描述

我有一个Struts2的Web应用程序中，我需要实现CSRF保护。对于统计的形成是pretty的直线前进。我只需要激活 tokenSession 拦截器和放大器;然后设置＆LT; S：令牌/＆GT; 的形式提交。 （解释这里和<一href="http://web.securityinnovation.com/appsec-weekly/blog/bid/84318/Cross-Site-Request-Forgery-CSRF-$p$pvention-Using-Struts-2"相对=nofollow>这里）

I have a struts2 webapp in which I need to implement CSRF protection. For statis forms it is pretty straight forward. I just need to activate the tokenSession interceptor & then set <s:token/> in the form to be submitted. (explained here and here)

但是，当我需要启用POST AJAX调用（我使用jQuery），这不一定是通过形式提交CSRF保护的问题出现。我做后续的AJAX调用时面临重新使用令牌的问题。

But the problem appears when I need to enable CSRF protection for POST AJAX calls (I am using jQuery) which are not necessarily submitted via forms. I face the issue of re-using token when making subsequent AJAX calls.

任何指针或不同的方法AP preciated。

Any pointers or different approaches are appreciated.

推荐答案

目前我已经通过生成令牌AJAX请求，并与像这样的正常响应发送它解决了这个问题 -

Currently I have resolved the issue by generating tokens for AJAX requests and sending it with the normal response like so -

    Map<String, String> tokenInfo = Maps.newHashMap();
    tokenInfo.put("struts.token.name", TokenHelper.getTokenName());
    tokenInfo.put(TokenHelper.getTokenName(), TokenHelper.setToken());

我会抽象出​​一个util的方法摆脱这种＆功放;具有是令牌激活返回此作为响应的量将反复未经页面刷新执行的动作的一部分的操作。

I will abstract out a util method out of this & have the Actions that are token-activated to return this as part of response for actions which will be executed repeatedly without refresh of the page.

我仍然在寻找一个完美的解决方案，以这虽然。

I am still looking for an elegant solution to this though.

这篇关于HOWTO做CSRF保护Struts2的应用AJAX请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！