Java: using Struts tokens to prevent cross-site request forgery

Notice: this page is a Chinese/English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/4303635/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-08-14 15:39:01  Source: igfitidea

Cross-site request forgery prevention using struts token

java, struts, cross-domain, struts-1

Asked by Niraj Sonawane

I want to implement cross-site request forgery prevention for my web application, which is based on the Struts 1.x framework. I know that the Struts 2 framework provides a token interceptor for this, and I can implement similar functionality using filters.


I am a bit confused about a few things: 1) How can I generate a unique token in a straightforward way? (Can I use the Action class token for this purpose, which is used for avoiding duplicate form submission?)


Are there any issues in using the Struts 1.x framework token mechanism for CSRF prevention?


Accepted answer by Joseph Erickson

The Struts 1 Action token methods work like the Struts 2 token interceptor in that it will add a token to your session and check it on form submission, but it is a much more manual process. The basic workflow is:


  1. The user gets to the form through a Struts Action (not directly to the JSP). The Struts Action will call saveToken(request) before forwarding onto the JSP that contains the form.
  2. The form on the JSP must use the <html:form> tag.
  3. Your Action that the form submits to will first call isTokenValid(request, true), and you should redirect back to the first Action with an error message if it returns false. This also resets the token for the next request.

Doing this will not only prevent duplicate form submissions but any script will have to hit the first Struts Action and get a session before it can submit to the second Struts Action to submit the form. Since a site can't set a session for another site, this should prevent CSRF.


If you usually send users directly to your JSP, don't. Instead, create a new class inheriting from ActionForward and set this as its execute() method:


// Goes inside an Action subclass (e.g. org.apache.struts.actions.ForwardAction, whose
// execute() returns the forward configured in struts-config.xml), so super.execute() resolves.
public ActionForward execute(ActionMapping mapping, ActionForm form,
                             HttpServletRequest request, HttpServletResponse response) throws Exception {
    saveToken(request); // store a fresh transaction token in the session and in the request
    return super.execute(mapping, form, request, response);
}
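The three-step workflow from the accepted answer written out as the two Struts 1 Actions it needs, as an added example that is not from the original post or the Struts project; the class names, forward names ("form", "success", "failure") and the "errors.token" resource key are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

/** Step 1: the only entry point to the form. Assumed forward "form" -> the JSP that uses <html:form>. */
public class ShowTransferFormAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Creates a new token, stores it in the session (Globals.TRANSACTION_TOKEN_KEY) and in
        // the request; <html:form> then renders it as a hidden field in the page.
        saveToken(request);
        return mapping.findForward("form");
    }
}

/** Step 3: the Action the form posts to. Assumed forwards "success" and "failure" (back to the action above). */
class DoTransferAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // isTokenValid compares the hidden field with the copy held in the caller's session.
        // A request from another origin has no way to read that session value, so it fails here.
        // The 'true' argument resets the session token, so a duplicated POST also fails.
        if (!isTokenValid(request, true)) {
            ActionMessages errors = new ActionMessages();
            errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("errors.token")); // assumed key
            saveErrors(request, errors);
            return mapping.findForward("failure");
        }
        // ... perform the state-changing operation only after the token check passed ...
        return mapping.findForward("success");
    }
}
```

Struts 1 keeps a single token per session, so opening the form in two tabs means the first tab's submission fails the check; that is part of the "more manual" handling the answer refers to.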