为解决跨站点请求伪造,在Tomcat中启用CSRFPreventionFilter,如果使用中文需要在CSRFPreventionFilter前增加中文Filter防止中文乱码。
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>captcha</display-name>
<servlet>
<servlet-name>SimpleCaptcha</servlet-name>
<servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SimpleCaptcha</servlet-name>
<url-pattern>/simpleCaptcha.jpg</url-pattern>
</servlet-mapping>
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>CharaterEncodingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CSRFPreventionFilter</filter-name>
<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
<init-param>
<param-name>entryPoints</param-name>
<param-value>/index.jsp,/style.css,/chart.min.js,/bootstrap-icons-1.8.3/fonts/bootstrap-icons.woff2,/bootstrap-icons-1.8.3/fonts/bootstrap-icons.woff,/bootstrap-5.1.3-dist/css/bootstrap.min.css,/bootstrap-5.1.3-dist/js/bootstrap.bundle.min.js,/bootstrap-icons-1.8.3/bootstrap-icons.css,/jsencrypt.min.js,/simpleCaptcha.jpg</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CSRFPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
CharaterEncodingFilter.java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
public class CharaterEncodingFilter implements Filter {
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
request.setCharacterEncoding("utf-8");
response.setCharacterEncoding("utf-8");
chain.doFilter(request, response);
}
public void destroy() {
}
}
之后在JSP和Servlet中使用response.encodeURL()函数包裹所有连接
如POST
<form id="form" method="post" action="<%=response.encodeURL("validate.jsp")%>"
onsubmit="encryptPassword()">
GET
<a class="nav-link" href="<%=response.encodeURL("url-eventlog.jsp")%>">事件日志</a>
<a
href="<%=response.encodeURL("operator-delete.jsp?id=" + rs.getInt("operator_id"))%>"><button
type="button" class="delete">删除</button></a>
自动刷新
<script>
setTimeout(() => {
window.location.href = "<%=response.encodeURL("url-status.jsp")%>";
}, 60000);
</script>