CSRFGuard Javascript Injection doesn't work
What am I doing wrong? I can't get the JavaScript injection to work. Here is what I put in my web.xml:
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>WEB-INF/csrfguard.properties</param-value>
</context-param>
<context-param>
    <param-name>Owasp.CsrfGuard.Config.Print</param-name>
    <param-value>true</param-value>
</context-param>
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
In my JSP files, I add this line:
<script src="/JavaScriptServlet"></script>
But when I submit, the token doesn't get added to the request. I stepped through the code, and this line in CsrfGuard.verifySessionToken(request) returns null:
String tokenFromRequest = request.getParameter(getTokenName());
The only thing I can do so far is to add the token by using the CSRF custom tag and adding a hidden field to the form a la:
<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
It looks like I had to figure out what my servlet context root was first. Then I fixed it by changing
<script src="/JavaScriptServlet"></script>
to
<script src="/[servletcontextroot]/JavaScriptServlet"></script>
In my case, it worked fine when I added the script tag after setting the base path.
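The context-root problem described in the posts above can be checked mechanically. The following is an added example, not code from the original posts or from the CSRFGuard project: it resolves each script src the way a browser does and flags tags whose request path is not the context root plus the /JavaScriptServlet mapping, which is the case where the token script never loads and no token is added to the form. The context root /myapp, the host and the page fragments are constructed sample values.

```javascript
// Constructed sample values: "/myapp", the host and the page fragments are illustrative.
const SERVLET_MAPPING = '/JavaScriptServlet'; // <url-pattern> from the web.xml in the question

// Collect every <script src="..."> value from rendered page markup.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve src the way a browser does and compare the resulting path with
// <context root> + <servlet mapping>, the only path the container routes to the servlet.
function checkScriptSrc(src, pageUrl, contextRoot) {
  const resolved = new URL(src, pageUrl);
  const expectedPath = contextRoot.replace(/\/$/, '') + SERVLET_MAPPING;
  const sameOrigin = resolved.origin === new URL(pageUrl).origin;
  return {
    src,
    requestedPath: resolved.pathname,
    expectedPath,
    reachesServlet: sameOrigin && resolved.pathname === expectedPath,
  };
}

// Report script tags that aim at the token servlet but resolve to a different path.
function findMisroutedTokenScripts(html, pageUrl, contextRoot) {
  return scriptSources(html)
    .map((src) => checkScriptSrc(src, pageUrl, contextRoot))
    .filter((r) => r.requestedPath.endsWith(SERVLET_MAPPING) && !r.reachesServlet);
}

const PAGE_URL = 'http://localhost:8080/myapp/forms/edit.jsp';
const BROKEN = '<form action="save"></form><script src="/JavaScriptServlet"></script>';
const FIXED = '<script src="/myapp/JavaScriptServlet"></script>';
const RELATIVE = '<script src="JavaScriptServlet"></script>';

for (const [label, html] of [['broken', BROKEN], ['fixed', FIXED], ['relative', RELATIVE]]) {
  console.log(label, findMisroutedTokenScripts(html, PAGE_URL, '/myapp'));
}
```

The relative form is flagged as well: from a page in a subdirectory it resolves to /myapp/forms/JavaScriptServlet, which the mapping does not match.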