Struts 2 CSRF protection
Source: Internet | Editor: 程序博客网 | Time: 2024/06/05 08:05
http://web.securityinnovation.com/appsec-weekly/blog/bid/84318/Cross-Site-Request-Forgery-CSRF-Prevention-Using-Struts-2
Secure Development Tips
A blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor
Cross-Site Request Forgery (CSRF) Prevention Using Struts 2
Applies to
- Java
- Struts 2
Summary
Perform CSRF prevention using Struts 2 within an application.
Objectives
A CSRF defense protects an application and its users from requests that a third-party site tricks a logged-in browser into sending. This article describes how to use the mechanisms built into Struts 2 (the token interceptors and the s:token tag) to put such a defense in place.
Code Example
There is a standard model for CSRF prevention using Struts 2 that involves 3 basic steps:
1. Add the tokenSession interceptor (TokenSessionStoreInterceptor) to your interceptor stack. It is a method-filtered interceptor, so action methods can be included or excluded by name; here every method is included.
<interceptor-stack name="myStack">
<interceptor-ref name="defaultStack" />
<interceptor-ref name="tokenSession">
<param name="includeMethods">*</param>
</interceptor-ref>
</interceptor-stack>
<default-interceptor-ref name="myStack" />
2. Override the filter in individual action configurations to exclude read-only methods (here the lookups searchBooks and getBook) or to include only the state-changing ones. Two details matter here: declaring any interceptor-ref inside an action replaces the default stack for that action, so the stack has to be referenced again, and the action needs a result for the invalid.token code that the interceptor returns when the token is missing, wrong, or already consumed.
<action ...>
...
<!-- re-include the stack: an action-level interceptor-ref replaces default-interceptor-ref -->
<interceptor-ref name="myStack" />
<interceptor-ref name="tokenSession">
<param name="excludeMethods">searchBooks,getBook</param>
</interceptor-ref>
<!-- returned by the interceptor on a missing, wrong or reused token; the JSP path is illustrative -->
<result name="invalid.token">/invalidToken.jsp</result>
...
</action>
3. Add s:token to every JSP form that submits to a protected action. The tag stores a fresh random token in the user's session and renders two hidden fields, struts.token.name and struts.token, which the interceptor compares against the session value when the form is submitted.
<s:form action="...">
...
<s:token />
...
</s:form>
With these three steps, every state-changing request must carry a token that only a page rendered inside the user's own session could have obtained, which is what lets the interceptor distinguish a deliberate submission from one forged by another site. Because a token is removed from the session once it has been used, the same check also rejects accidental double submits; the tokenSession variant additionally re-renders the result of the earlier submission in that case, whereas the plain token interceptor simply returns invalid.token.
Note: token-based defenses, this one included, are defeated when the application has a cross-site scripting (XSS) flaw, because script injected into a page can read the token from the form and submit it. Removing XSS is therefore a prerequisite for a complete CSRF defense.
In conclusion, CSRF prevention is a strong security control when it is applied consistently to every state-changing action in the application, and Struts 2 provides a simple series of steps for doing so.
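As an added example (this is not code from the page or from Struts itself), the following class models the contract between s:token and the tokenSession interceptor so the three steps can be seen end to end: the form render mints a token and stores it in the session, the request check compares the submitted value against the session and consumes it. The two hidden-field names are the ones Struts 2 emits; the Map standing in for HttpSession, the method names renderForm and validToken, the hex encoding and the sample bookId field are this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Struts code: a minimal model of what <s:token/> and the
 * tokenSession interceptor do together. Only the two field names below are
 * Struts's; the Map-based "session" and the method names are assumptions.
 */
public class CsrfTokenModel {

    /** Hidden field naming which session key holds the token (Struts: struts.token.name). */
    static final String TOKEN_NAME_FIELD = "struts.token.name";
    /** Default session key, and hidden field, carrying the token value (Struts: struts.token). */
    static final String DEFAULT_TOKEN_NAME = "struts.token";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Form rendering (the s:token step): mint a token, remember it in the session,
     *  and return the hidden fields the form will carry back. */
    static Map<String, String> renderForm(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = toHex(raw);
        session.put(DEFAULT_TOKEN_NAME, token);

        Map<String, String> hiddenFields = new HashMap<>();
        hiddenFields.put(TOKEN_NAME_FIELD, DEFAULT_TOKEN_NAME);
        hiddenFields.put(DEFAULT_TOKEN_NAME, token);
        return hiddenFields;
    }

    /** Request validation (the interceptor step): true only for a submission carrying
     *  the token currently held in the session; a matching token is removed so it
     *  cannot be replayed. */
    static boolean validToken(Map<String, Object> session, Map<String, String> params) {
        String tokenName = params.get(TOKEN_NAME_FIELD);
        if (tokenName == null) {
            return false;                        // a cross-site form carries no token fields at all
        }
        String submitted = params.get(tokenName);
        Object expected = session.get(tokenName);
        if (submitted == null || expected == null) {
            return false;                        // nothing to compare: form never rendered in this session
        }
        byte[] a = expected.toString().getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {      // constant-time comparison
            return false;                        // guessed or stale token
        }
        session.remove(tokenName);               // single use: a second submit of this form is rejected
        return true;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // stands in for the user's HttpSession

        // The user loads the form in their own session; the rendered page carries the token.
        Map<String, String> legitimateForm = renderForm(session);

        // A forged request from another site can include ordinary fields but not the token,
        // because the attacker's page never saw this session's value.
        Map<String, String> forged = new HashMap<>();
        forged.put("bookId", "42");
        System.out.println("forged submit accepted:   " + validToken(session, forged));

        // The genuine submission carries the hidden fields from the rendered form.
        Map<String, String> genuine = new HashMap<>(legitimateForm);
        genuine.put("bookId", "42");
        System.out.println("genuine submit accepted:  " + validToken(session, genuine));

        // Submitting the same form again (double submit, or a captured token reused).
        System.out.println("replayed submit accepted: " + validToken(session, genuine));
    }
}
```

Running the class shows the forged submission and the replay rejected and the genuine one accepted once, which is the behaviour the excludeMethods list in step 2 must never be allowed to bypass for a state-changing method.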
More Information
- For more information about the Token Interceptor and CSRF prevention in Struts 2, please see http://struts.apache.org/2.0.14/docs/token-interceptor.html