Cross-site request forgery prevention using struts token


Problem description

I want to implement Cross-site request forgery prevention for my web application, which is based on the struts 1.x framework. I know that the struts 2 framework provides a token interceptor for this, and I can implement similar functionality using filters.

I am a bit confused about a few things: 1) How can I generate a unique token in a straightforward way? (Can I use the Action class token for this purpose, which is used for avoiding duplicate form submission?)

Are there any issues in using the struts 1.x framework token mechanism for CSRF prevention?

Recommended answer

The Struts 1 Action token methods work like the Struts 2 token interceptor in that it will add a token to your session and check it on form submission, but it is a much more manual process. The basic workflow is:

  1. The user gets to the form through a Struts Action (not directly to the JSP). The Struts Action will call saveToken(request) before forwarding onto the JSP that contains the form.
  2. The form on the JSP must use the <html:form> tag.
  3. Your Action that the form submits to will first call isTokenValid(request, true), and you should redirect back to the first Action with an error message if it returns false. This also resets the token for the next request.

Doing this will not only prevent duplicate form submissions but any script will have to hit the first Struts Action and get a session before it can submit to the second Struts Action to submit the form. Since a site can't set a session for another site, this should prevent CSRF.

If you usually send users directly to your JSP, don't. Instead, create a new class inheriting from ActionForward and set this as its execute() method:

public ActionForward execute(ActionMapping mapping, ActionForm form,
        HttpServletRequest request, HttpServletResponse response) throws Exception {
    saveToken(request); // store a fresh transaction token in the session before the form is rendered
    return super.execute(mapping, form, request, response);
}
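The full three-step workflow from the answer, as an added example that is not part of the original post: the Action that renders the form calls saveToken, and the Action the form posts to calls isTokenValid(request, true) and sends the user back with an error when the check fails. The class names, the forward names (transferForm, showForm, success) and the message key errors.token.invalid are assumptions; they have to match your struts-config.xml and resource bundle.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

/** Step 1: the only entry point to the form page. saveToken() stores a fresh
 *  token in the session; the <html:form> tag on the JSP then renders it as a
 *  hidden field, so no forward to the JSP may bypass this Action. */
public class ShowTransferFormAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        saveToken(request);                         // new token bound to this session
        return mapping.findForward("transferForm"); // assumed forward to the JSP
    }
}

/** Step 3: the Action the form posts to. A request forged from another site
 *  never went through step 1 in this session, so its token (if any) mismatches. */
class SubmitTransferAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // isTokenValid(request, true) compares the submitted token with the session
        // copy and, when they match, removes it, so a replayed or double-clicked
        // POST of the same form is refused as well.
        if (!isTokenValid(request, true)) {
            ActionMessages errors = new ActionMessages();
            errors.add(ActionMessages.GLOBAL_MESSAGE,
                    new ActionMessage("errors.token.invalid")); // assumed message key
            saveErrors(request, errors);
            // Assumed forward configured with redirect="true" back to step 1, so the
            // user receives a fresh token instead of re-posting the stale one.
            return mapping.findForward("showForm");
        }
        // Token accepted: perform the state-changing operation here, then continue.
        return mapping.findForward("success");      // assumed forward
    }
}
```

Because the token lives in the session as a single value, rendering the form in a second browser tab replaces the first tab's token; keep that in mind when diagnosing spurious "invalid token" errors.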
