简体繁体 English

DWR SecurityException：POST请求中的HttpSessionId为空

[英]DWR SecurityException : HttpSessionId is blank in POST request

原文 2017-03-20 09:14:19 5 1 java/ spring/ post/ tomcat8/ dwr

I am trying to upgrade Tomcat 5.5 + JDK 5 to Tomcat 8.5.x + JDK 1.7 The application that is deployed on this server is a legacy application which uses FTL (2.3.4) + DWR(2.0.3) + Spring (2.5.5) frameworks 我正在尝试将Tomcat 5.5 + JDK 5升级到Tomcat 8.5.x + JDK 1.7，此服务器上部署的应用程序是使用FTL（2.3.4）+ DWR（2.0.3）+ Spring（2.5。 5）框架

When deployed on Tomcat 8.5.6 + JDK 7 I am getting errors on few actions which perform POST request from the application. 当部署在Tomcat 8.5.6 + JDK 7上时，执行从应用程序执行POST请求的一些操作时出现错误。 Most of these actions are DWR calls for filtering/manipulation of data displayed on the screen. 这些操作大多数是DWR调用，用于过滤/处理屏幕上显示的数据。

There is a popup message "Session Error" displayed on screen. 屏幕上显示弹出消息“会话错误”。 On front end profiling I found that the complete error is a SecurityException which results into SessionError. 在前端分析中，我发现完整的错误是一个SecurityException，它导致SessionError。

Session Error - SecurityException 会话错误-SecurityException

When debugged on server side I found out that the request was being treated as a CSRF attack and hence this exception was thrown. 在服务器端进行调试时，我发现该请求被视为CSRF攻击，因此引发了此异常。 DWR checks for the HTTP session ID in the body of the POST request to validate the request against CSRF possibility. DWR在POST请求的主体中检查HTTP会话ID，以针对CSRF可能性验证请求。 So in front end debugging I found that the request is not sending the httpSessionId in the POST body. 因此，在前端调试中，我发现请求未在POST正文中发送httpSessionId。

Request header and body are as shown here. 请求标头和正文如下所示。

I have tried disabling the crossDomainSessionSecurity parameter in DWR servlet initialization. 我尝试在DWR Servlet初始化中禁用crossDomainSessionSecurity参数。 It works fine after that, but I cannot go ahead with the security risk it poses in the production environment. 此后它可以正常工作，但是我无法继续考虑它在生产环境中带来的安全风险。

Due to this issue I am not able to go ahead with the Tomcat migration. 由于这个问题，我无法继续进行Tomcat迁移。 Please suggest how can I resolve this issue? 请提出如何解决此问题的建议？

1 个解决方案

I was checking for some new features in Tomcat 8. I read that from Tomcat 6 onwards Tomcat allows only HTTP requests by default. 我正在检查Tomcat 8中的一些新功能。我读到从Tomcat 6开始，Tomcat默认情况下仅允许HTTP请求。 Which means that the useHttpOnly flag is true by default. 这意味着useHttpOnly标志默认为true。 This causes the javascript requests to fail. 这会导致javascript请求失败。 In the deployment I tried by setting the useHttpOnly=”false” and the application works fine after that. 在部署中，我通过设置useHttpOnly =“ false”进行了尝试，之后该应用程序运行正常。 I will do more tests on my side, so for now we can consider this issue to be resolved. 我将继续进行更多测试，因此现在我们可以考虑解决此问题。