這篇文章給大家介紹利用spring security防御csrf攻擊的原理是什么��,內(nèi)容非常詳細(xì)�����,感興趣的小伙伴們可以參考借鑒���,希望對(duì)大家能有所幫助����。
讓客戶滿意是我們工作的目標(biāo)��,不斷超越客戶的期望值來自于我們對(duì)這個(gè)行業(yè)的熱愛����。我們立志把好的技術(shù)通過有效、簡(jiǎn)單的方式提供給客戶�,將通過不懈努力成為客戶在信息化領(lǐng)域值得信任、有價(jià)值的長(zhǎng)期合作伙伴��,公司提供的服務(wù)項(xiàng)目有:國際域名空間��、網(wǎng)站空間����、營銷軟件、網(wǎng)站建設(shè)�、烏審網(wǎng)站維護(hù)、網(wǎng)站推廣����。
什么是csrf?
csrf又稱跨域請(qǐng)求偽造�����,攻擊方通過偽造用戶請(qǐng)求訪問受信任站點(diǎn)����。CSRF這種攻擊方式在2000年已經(jīng)被國外的安全人員提出,但在國內(nèi)���,直到06年才開始被關(guān)注����,08年���,國內(nèi)外的多個(gè)大型社區(qū)和交互網(wǎng)站分別爆出CSRF漏洞����,如:NYTimes.com(紐約時(shí)報(bào))�、Metafilter(一個(gè)大型的BLOG網(wǎng)站),YouTube和百度HI......而現(xiàn)在��,互聯(lián)網(wǎng)上的許多站點(diǎn)仍對(duì)此毫無防備,以至于安全業(yè)界稱CSRF為“沉睡的巨人”�����。
舉個(gè)例子���,用戶通過表單發(fā)送請(qǐng)求到銀行網(wǎng)站���,銀行網(wǎng)站獲取請(qǐng)求參數(shù)后對(duì)用戶賬戶做出更改。在用戶沒有退出銀行網(wǎng)站情況下�����,訪問了攻擊網(wǎng)站�,攻擊網(wǎng)站中有一段跨域訪問的代碼,可能自動(dòng)觸發(fā)也可能點(diǎn)擊提交按鈕����,訪問的url正是銀行網(wǎng)站接受表單的url。因?yàn)槎紒碜杂谟脩舻臑g覽器端�����,銀行將請(qǐng)求看作是用戶發(fā)起的�,所以對(duì)請(qǐng)求進(jìn)行了處理���,造成的結(jié)果就是用戶的銀行賬戶被攻擊網(wǎng)站修改。
解決方法基本上都是增加攻擊網(wǎng)站無法獲取到的一些表單信息���,比如增加圖片驗(yàn)證碼,可以杜絕csrf攻擊���,但是除了登陸注冊(cè)之外����,其他的地方都不適合放驗(yàn)證碼�,因?yàn)榻档土司W(wǎng)站易用性
相關(guān)介紹:
http://baike.baidu.com/view/1609487.htm?fr=aladdin
spring-servlet中配置csrf
在類中聲明Csrf攔截器,用來生成或去除CsrfToken
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import com.wangzhixuan.commons.scan.ExceptionResolver;
import com.wangzhixuan.commons.utils.WebUtils;
/**
* Csrf攔截器��,用來生成或去除CsrfToken
*
* @author L.cm
*/
public class CsrfInterceptor extends HandlerInterceptorAdapter {
private static final Logger logger = LogManager.getLogger(ExceptionResolver.class);
@Autowired
private CsrfTokenRepository csrfTokenRepository;
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
HandlerMethod handlerMethod = (HandlerMethod) handler;
// 非控制器請(qǐng)求直接跳出
if (!(handler instanceof HandlerMethod)) {
return true;
}
CsrfToken csrfToken = handlerMethod.getMethodAnnotation(CsrfToken.class);
// 判斷是否含有@CsrfToken注解
if (null == csrfToken) {
return true;
}
// create�、remove同時(shí)為true時(shí)異常
if (csrfToken.create() && csrfToken.remove()) {
logger.error("CsrfToken attr create and remove can Not at the same time to true!");
return renderError(request, response, Boolean.FALSE, "CsrfToken attr create and remove can Not at the same time to true!");
}
// 創(chuàng)建
if (csrfToken.create()) {
CsrfTokenBean token = csrfTokenRepository.generateToken(request);
csrfTokenRepository.saveToken(token, request, response);
// 緩存一個(gè)表單頁面地址的url
csrfTokenRepository.cacheUrl(request, response);
request.setAttribute(token.getParameterName(), token);
return true;
}
// 判斷是否ajax請(qǐng)求
boolean isAjax = WebUtils.isAjax(handlerMethod);
// 校驗(yàn),并且清除
CsrfTokenBean tokenBean = csrfTokenRepository.loadToken(request);
if (tokenBean == null) {
return renderError(request, response, isAjax, "CsrfToken is null!");
}
String actualToken = request.getHeader(tokenBean.getHeaderName());
if (actualToken == null) {
actualToken = request.getParameter(tokenBean.getParameterName());
}
if (!tokenBean.getToken().equals(actualToken)) {
return renderError(request, response, isAjax, "CsrfToken not eq!");
}
return true;
}
private boolean renderError(HttpServletRequest request, HttpServletResponse response,
boolean isAjax, String message) throws IOException {
// 獲取緩存的cacheUrl
String cachedUrl = csrfTokenRepository.getRemoveCacheUrl(request, response);
// ajax請(qǐng)求直接拋出異常�,因?yàn)閧@link ExceptionResolver}會(huì)去處理
if (isAjax) {
throw new RuntimeException(message);
}
// 非ajax CsrfToken校驗(yàn)異常,先清理token
csrfTokenRepository.saveToken(null, request, response);
logger.info("Csrf[redirectUrl]:\t" + cachedUrl);
response.sendRedirect(cachedUrl);
return false;
}
/**
* 用于清理@CsrfToken保證只能請(qǐng)求成功一次
*/
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
ModelAndView modelAndView) throws Exception {
HandlerMethod handlerMethod = (HandlerMethod) handler;
// 非控制器請(qǐng)求直接跳出
if (!(handler instanceof HandlerMethod)) {
return;
}
CsrfToken csrfToken = handlerMethod.getMethodAnnotation(CsrfToken.class);
if (csrfToken == null || !csrfToken.remove()) {
return;
}
csrfTokenRepository.getRemoveCacheUrl(request, response);
csrfTokenRepository.saveToken(null, request, response);
}
}聲明Csrf過濾注解���,通過標(biāo)注來過濾對(duì)應(yīng)的請(qǐng)求
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
* Csrf過濾注解
* @author L.cm
*/
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface CsrfToken {
boolean create() default false;
boolean remove() default false;
}建立實(shí)例對(duì)象(操作對(duì)象)
import java.io.Serializable;
import org.springframework.util.Assert;
public class CsrfTokenBean implements Serializable {
private static final long serialVersionUID = -6865031901744243607L;
private final String token;
private final String parameterName;
private final String headerName;
/**
* Creates a new instance
* @param headerName the HTTP header name to use
* @param parameterName the HTTP parameter name to use
* @param token the value of the token (i.e. expected value of the HTTP parameter of
* parametername).
*/
public CsrfTokenBean(String headerName, String parameterName, String token) {
Assert.hasLength(headerName, "headerName cannot be null or empty");
Assert.hasLength(parameterName, "parameterName cannot be null or empty");
Assert.hasLength(token, "token cannot be null or empty");
this.headerName = headerName;
this.parameterName = parameterName;
this.token = token;
}
public String getHeaderName() {
return this.headerName;
}
public String getParameterName() {
return this.parameterName;
}
public String getToken() {
return this.token;
}
}過濾過程中需要的倉庫
package com.wangzhixuan.commons.csrf;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public interface CsrfTokenRepository {
/**
* Generates a {@link CsrfTokenBean}
*
* @param request the {@link HttpServletRequest} to use
* @return the {@link CsrfTokenBean} that was generated. Cannot be null.
*/
CsrfTokenBean generateToken(HttpServletRequest request);
/**
* Saves the {@link CsrfTokenBean} using the {@link HttpServletRequest} and
* {@link HttpServletResponse}. If the {@link CsrfTokenBean} is null, it is the same as
* deleting it.
*
* @param token the {@link CsrfTokenBean} to save or null to delete
* @param request the {@link HttpServletRequest} to use
* @param response the {@link HttpServletResponse} to use
*/
void saveToken(CsrfTokenBean token, HttpServletRequest request,
HttpServletResponse response);
/**
* Loads the expected {@link CsrfTokenBean} from the {@link HttpServletRequest}
*
* @param request the {@link HttpServletRequest} to use
* @return the {@link CsrfTokenBean} or null if none exists
*/
CsrfTokenBean loadToken(HttpServletRequest request);
/**
* 緩存來源的url
* @param request request the {@link HttpServletRequest} to use
* @param response the {@link HttpServletResponse} to use
*/
void cacheUrl(HttpServletRequest request, HttpServletResponse response);
/**
* 獲取并清理來源的url
* @param request the {@link HttpServletRequest} to use
* @param response the {@link HttpServletResponse} to use
* @return 來源url
*/
String getRemoveCacheUrl(HttpServletRequest request, HttpServletResponse response);
}HttpSessionCsrfTokenRepository
package com.wangzhixuan.commons.csrf;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.wangzhixuan.commons.utils.StringUtils;
public final class HttpSessionCsrfTokenRepository implements CsrfTokenRepository {
private static final String DEFAULT_CSRF_PARAMETER_NAME = "_csrf";
private static final String DEFAULT_CSRF_HEADER_NAME = "X-CSRF-TOKEN";
private static final String DEFAULT_CSRF_TOKEN_ATTR_NAME = HttpSessionCsrfTokenRepository.class
.getName().concat(".CSRF_TOKEN");
private static final String DEFAULT_CACHE_URL_ATTR_NAME = HttpSessionCsrfTokenRepository.class
.getName().concat(".CACHE_URL");
private String parameterName = DEFAULT_CSRF_PARAMETER_NAME;
private String headerName = DEFAULT_CSRF_HEADER_NAME;
private String sessionAttributeName = DEFAULT_CSRF_TOKEN_ATTR_NAME;
private String cacheUrlAttributeName = DEFAULT_CACHE_URL_ATTR_NAME;
/*
* (non-Javadoc)
*
* @see org.springframework.security.web.csrf.CsrfTokenRepository#saveToken(org.
* springframework .security.web.csrf.CsrfToken,
* javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
public void saveToken(CsrfTokenBean token, HttpServletRequest request,
HttpServletResponse response) {
if (token == null) {
HttpSession session = request.getSession(false);
if (session != null) {
session.removeAttribute(this.sessionAttributeName);
}
}
else {
HttpSession session = request.getSession();
session.setAttribute(this.sessionAttributeName, token);
}
}
/*
* (non-Javadoc)
*
* @see
* org.springframework.security.web.csrf.CsrfTokenRepository#loadToken(javax.servlet
* .http.HttpServletRequest)
*/
public CsrfTokenBean loadToken(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session == null) {
return null;
}
return (CsrfTokenBean) session.getAttribute(this.sessionAttributeName);
}
/*
* (non-Javadoc)
*
* @see org.springframework.security.web.csrf.CsrfTokenRepository#generateToken(javax.
* servlet .http.HttpServletRequest)
*/
public CsrfTokenBean generateToken(HttpServletRequest request) {
return new CsrfTokenBean(this.headerName, this.parameterName,
createNewToken());
}
private String createNewToken() {
return UUID.randomUUID().toString();
}
@Override
public void cacheUrl(HttpServletRequest request, HttpServletResponse response) {
String queryString = request.getQueryString();
// 被攔截前的請(qǐng)求URL
String redirectUrl = request.getRequestURI();
if (StringUtils.isNotBlank(queryString)) {
redirectUrl = redirectUrl.concat("?").concat(queryString);
}
HttpSession session = request.getSession();
session.setAttribute(this.cacheUrlAttributeName, redirectUrl);
}
@Override
public String getRemoveCacheUrl(HttpServletRequest request, HttpServletResponse response) {
HttpSession session = request.getSession(false);
if (session == null) {
return null;
}
String redirectUrl = (String) session.getAttribute(this.cacheUrlAttributeName);
if (StringUtils.isBlank(redirectUrl)) {
return null;
}
session.removeAttribute(this.cacheUrlAttributeName);
return redirectUrl;
}
}關(guān)于利用spring security防御csrf攻擊的原理是什么就分享到這里了����,希望以上內(nèi)容可以對(duì)大家有一定的幫助,可以學(xué)到更多知識(shí)�。如果覺得文章不錯(cuò),可以把它分享出去讓更多的人看到���。
標(biāo)題名稱:利用springsecurity防御csrf攻擊的原理是什么
文章轉(zhuǎn)載:
http://weahome.cn/article/pcjjhc.html
重慶分公司
重慶分公司
