Struts2 token interceptor: CSRF protection


Problem description

I am trying to protect my web application from CSRF attacks by using the Struts token interceptor.

The problem I am facing right now is that our JSP pages make more than one call to the server (while the JSP is converted to JS a Struts token is added to the JS, but in this JS there are multiple Ajax requests; I hope I am making myself clear). Because of the token interceptor only the first request to the server gets validated. Other requests are getting invalidated because the Struts token is reset after each validation.

Is there a way I can stop Struts from resetting the token every time it validates? Are there any other solutions to handle this in the Struts interceptor?

I am also looking at the tomcatcsrfprotection module; I guess I will end up with the same problem here also.

managepage.jsp:

<s:token />
<script type="text/javascript">
// One token is read from the session when the JSP is rendered and then
// reused by every Ajax request on the page.
var strutsToken = "<s:property value="#session['struts.tokens.token']" />";

// First request: the token is valid, and the interceptor resets it on success.
var requestParams = {mainAction: 'loadGroups', 'struts.token.name': 'token', token: strutsToken};

Ext.Ajax.request({
    url: 'manageUserAccount.action',
    params: Ext.urlEncode(requestParams),
    disableCaching: true,
    success: this.actionCallback
});

// Loading widgets. Second request: same token, already consumed, so it fails.
requestParams = {mainAction: 'loadusers', 'struts.token.name': 'token', token: strutsToken};

Ext.Ajax.request({
    url: 'manageUserAccount.action',
    params: Ext.urlEncode(requestParams),
    disableCaching: true,
    success: this.actionCallback
});
</script>

struts.xml:

<action name="manageUserAccountEdit" class="ManageUserAccountEditAction">
    <interceptor-ref name="csrf-protection" />
    <result name="success">/pages/manageUserAccount.jsp</result>
</action>

I have just added the minimum code so that it will be easier to understand.

Recommended answer

You can use the code in my answer for "Unable to implement Struts 2 token interceptor with hyperlink" to create an action that returns a token. You can use any of the results stream, json or dispatcher to return a token as an Ajax success callback result. You can find an example in "jQuery Ajax - issue returning JSON value". Now you can use the token to make your Ajax requests. Each time you need to make a new request you should call a token action to get a new token. Use the token as a parameter to your request and put the token interceptor in front of your actions.
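The pattern from the answer, as an added example that is not code from the question or the answer: a client helper that fetches a fresh token before every request, next to a constructed stand-in for the server side. The stand-in mirrors how the Struts token interceptor behaves (a single `struts.tokens.token` per session, overwritten when a new token is issued, cleared once a request validates), and `tokenAction` / `protectedAction` are hypothetical names for the token-returning action and an action behind `csrf-protection`.

```javascript
// Constructed server stand-in: one token per session, as the Struts token
// interceptor keeps it. Not the real Struts implementation.
const session = { token: null };

function tokenAction() {                  // hypothetical action returning JSON {token}
  session.token = 'tok-' + Math.random().toString(36).slice(2);
  return { token: session.token };
}

function protectedAction(params) {        // hypothetical action behind csrf-protection
  if (params.token === undefined || params.token !== session.token) {
    return { result: 'invalid.token' };
  }
  session.token = null;                   // token is reset after a successful validation
  return { result: 'success', mainAction: params.mainAction };
}

// Client side. "Get a token, then send the request" pairs are serialized through a
// promise chain, so a second request can never overwrite or reuse the first one's token.
let queue = Promise.resolve();
function csrfRequest(mainAction) {
  const run = () => {
    const { token } = tokenAction();      // in practice an Ajax GET to the token action
    return protectedAction({ mainAction, 'struts.token.name': 'token', token });
  };
  const p = queue.then(run);
  queue = p.catch(() => {});              // keep the queue alive after a failure
  return p;
}

// The page's original pattern: one token rendered into the JSP, reused by both calls.
// Only the first call validates; the second hits a token that was already reset.
function sharedTokenPattern() {
  const strutsToken = tokenAction().token;
  return ['loadGroups', 'loadusers'].map(mainAction =>
    protectedAction({ mainAction, 'struts.token.name': 'token', token: strutsToken }));
}

// The answer's pattern: a fresh token per request, issued in order.
function perRequestTokenPattern() {
  return Promise.all(['loadGroups', 'loadusers'].map(csrfRequest));
}
```

Requests that are fired concurrently without the queue would still race each other for the single session token, which is why the helper serializes them.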
