解决思路:
一、编写filter拦截可能会产生CSRF漏洞的filter
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
//20160216 修复CSRF漏洞
public class CSRFFilter implements Filter{
protected final Logger logger = LoggerFactory.getLogger(super.getClass());
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// TODO Auto-generated method stub
HttpServletRequest httpReq = (HttpServletRequest) request;
String uri = httpReq.getRequestURI();
logger.info("uri: " + uri);
if(uri.contains("要拦截的路由")){
DiskFileItemFactory fac = new DiskFileItemFactory();
ServletFileUpload upload = new ServletFileUpload(fac);
//upload.setHeaderEncoding("utf-8");
List fileList = null;
try {
fileList = upload.parseRequest(httpReq);
} catch (FileUploadException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
String random_form = ((FileItem)fileList.get(0)).getString(); //获取directory参数
//MultipartHttpServletRequest multiRequest = (MultipartHttpServletRequest)(request);
//String random_form=(String)httpReq.getAttribute("random_form"); //行不通
String random_session=(String)httpReq.getSession().getAttribute("random_session_form");
logger.info("random_form:"+random_form);
logger.info("random_session:"+random_session);
httpReq.getSession().removeAttribute("random_session_form");
if(random_form!=null&&random_session!=null&&random_form.equalsIgnoreCase(random_session)){
chain.doFilter(request, response);
}else{
throw new ServletException("Potential CSRF detected!!");
}
}else{
chain.doFilter(request, response);
}
}
@Override
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
}
这样会带来问题:springMVC过滤器过滤文件上传,获取参数为空
原因:form属性enctype=”multipart/form-data”时,参数是以流的形式传递给服务端的,filter在spring还没有解释请求时就拦截了。在这获取参数的话要自己根据分隔符解释流。我改用spring的拦截器实现转发请求了。
参考文章:http://www.oschina.net/question/140462_112950?sort=time
http://www.oschina.net/code/explore/cos/multipart/MultipartParser.java
二、采用拦截器
注意:使用
<mvc:annotation-driven />
时,其实它已经注册了一个DefaultAnnotationHandlerMapping ,而后面你自己注册的
<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<property name="interceptors">
<list>
<ref bean="basedAccessInterceptor"/>
</list>
</property>
</bean>
优先级没它内部的高,所以一直都不会调用你注册的拦截器。
所以要通过:mvc:interceptors
标签单独添加拦截器(spring论坛也有讨论:
http://forum.springsource.org/showthread.php?81238-Conflict-between-lt-mvc-annotation-driven-gt-and-DefaultAnnotationHandlerMapping
参考:
http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/mvc.html中15.12 Configuring Spring MVC)
需要在spring的配置文件中加入这段:
<!-- 自定义拦截器 -->
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<bean class="com.my.controller.interceptor.MyInterceptor"></bean>
</mvc:interceptor>
</mvc:interceptors>
拦截器定义:
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
public class CSRFInterceptor implements HandlerInterceptor{
protected final Logger logger = LoggerFactory.getLogger(super.getClass());
@Override
public void afterCompletion(HttpServletRequest arg0,
HttpServletResponse arg1, Object arg2, Exception arg3)
throws Exception {
// TODO Auto-generated method stub
}
@Override
public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
Object arg2, ModelAndView arg3) throws Exception {
// TODO Auto-generated method stub
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
Object o) throws Exception {
// TODO Auto-generated method stub
boolean flag = true;
String uri = request.getRequestURI();
logger.info("CSRFInterceptor uri: " + uri);
if(uri.contains("要拦截的路由")){
DiskFileItemFactory fac = new DiskFileItemFactory();
ServletFileUpload upload = new ServletFileUpload(fac);
upload.setHeaderEncoding("utf-8");
List fileList = null;
try {
fileList = upload.parseRequest(request);
} catch (FileUploadException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
String random_form = "";
if(fileList != null && fileList.size()>0){
random_form = ((FileItem)fileList.get(0)).getString(); //获取directory参数
logger.info(" CSRFInterceptor fileList random_form:"+random_form);//获取不到
}
MultipartHttpServletRequest multiRequest = (MultipartHttpServletRequest)(request);
random_form=(String)request.getParameter("random_form);
logger.info(" CSRFInterceptor random_form 0:"+random_form);
random_form=(String)multiRequest.getParameter("random_form); //行不通
String random_session=(String)request.getSession().getAttribute("random_session_form");
logger.info(" CSRFInterceptor random_form:"+random_form);
logger.info(" CSRFInterceptor random_session:"+random_session);
request.getSession().removeAttribute("random_session_form");
if(random_form!=null&&random_session!=null&&random_form.equalsIgnoreCase(random_session)){
flag = true;
}else{
flag = false;
}
}
return flag;
}
}
执行正常 但是仍被扫描出存在CSRF漏洞 不明白为什么????