tomcat7:dwr下A request has been denied as a potential CSRF attack.

最近换到了tomcat7，运行代码的时候发现问题了，

控制台所有的dwr请求都变成了：“A request has been denied as a potential CSRF attack”

所有的都不能访问，提示跨域访问问题，然后换回tomcat6，发现每一点问题，

网上查了半天，发现时dwr的问题

解决办法如下：

修改web.xml的dwr配置，：

[xhtml]  view plain copy

1. <listener>   
2.         <listener-class>  
3.             org.directwebremoting.servlet.EfficientShutdownServletContextListener  
4.         </listener-class>  
5.     </listener>   
6.     <display-name>DWR (Direct Web Remoting)</display-name>  
7.     <description>A Simple Demo DWR</description>  
8.     <servlet>  
9.         <servlet-name>dwr-invoker</servlet-name>  
10.         <servlet-class>  
11.             org.directwebremoting.servlet.DwrServlet  
12.         </servlet-class>  
13.         <!-- This should NEVER be present in live -->  
14.         <init-param>  
15.             <param-name>debug</param-name>  
16.             <param-value>true</param-value>  
17.         </init-param>  
18.         <!-- Remove this unless you want to use active reverse ajax -->  
19.         <init-param>  
20.             <param-name>activeReverseAjaxEnabled</param-name>  
21.             <param-value>true</param-value>  
22.         </init-param>  
23.         <!-- By default DWR creates application scope objects when they are first  
24.             used. This creates them when the app-server is started -->  
25.         <init-param>  
26.             <param-name>  
27.                 initApplicationScopeCreatorsAtStartup  
28.             </param-name>  
29.             <param-value>true</param-value>  
30.         </init-param>  
31.         <!-- This enables full streaming mode. It's probably better to leave this  
32.             out if you are running across the internet -->  
33.         <init-param>  
34.             <param-name>maxWaitAfterWrite</param-name>  
35.             <param-value>-1</param-value>  
36.         </init-param>  
37.         <!--  
38.             For more information on these parameters, see:  
39.             - http://getahead.org/dwr/server/servlet  
40.             - http://getahead.org/dwr/reverse-ajax/configuration  
41.         -->  
42.      <!-- 新加corssDomainSessionSecurity参数 -->    
43.         <init-param>       
44.             <param-name>crossDomainSessionSecurity</param-name>       
45.             <param-value>false</param-value>       
46.         </init-param>    
47.         <load-on-startup>1</load-on-startup>  
48.     </servlet>  
49.     <servlet-mapping>  
50.         <servlet-name>dwr-invoker</servlet-name>  
51.         <url-pattern>/dwr/*</url-pattern>  
52.     </servlet-mapping>  
53.     <session-config>  
54.         <session-timeout>3000</session-timeout>  
55.     </session-config>  
56.     <welcome-file-list>  
57.         <welcome-file>brandlogin.html</welcome-file>  
58.     </welcome-file-list>  

 

其中最主要的地方是：

[xhtml]  view plain copy

1. <init-param>       
2.            <param-name>crossDomainSessionSecurity</param-name>       
3.            <param-value>false</param-value>       
4.     </init-param>    

改完之后，重新运行了下，发现一切ok，但是网上还有一个提示，dwr的引用必须进行修改

改成如下的方式：

[xhtml]  view plain copy

1. <mce:script type='text/javascript' src="dwr/engine.js" mce_src="dwr/engine.js"></mce:script>  
2. <mce:script type='text/javascript' src="dwr/util.js" mce_src="dwr/util.js"></mce:script>  

 

来源： CSDN