java – 春季MVC中的CSRF(跨站点请求伪造)保护

<form:input type="text" class="form-control" path="mName" />

    <input type="hidden" name="${_csrf.parameterName}"
        value="${_csrf.token}" />

    <div class="form-action">
        <input type="submit" value="Save" class="btn btn-primary" />
    </div>
</form:form>

@RequestMapping(method = RequestMethod.POST)
  public String processForm(@modelattribute(value = "userForm") @Valid UserForm userForm,BindingResult result,ModelMap model) {      

   //call the web service
  }

OWASP Enterprise Security API有一个非常好的选择,提供针对CSRF的可靠保护. CSRF实际上很容易解决. Owasp ESAPI提供了实施CSRF保护的规范,如下所示.

1. Generate new CSRF token and add it to user once on login and store user in http session.

这是在默认的ESAPI实现中完成的,它存储为存储在会话中的User对象的成员变量.

/this code is in the DefaultUser implementation of ESAPI
/** This user's CSRF token. */
private String csrftoken = resetCSrftoken();
...
public String resetCSrftoken() {
    csrftoken = ESAPI.randomizer().getRandomString(8,DefaultEncoder.CHAR_ALPHANUMERICS);
    return csrftoken;
}

2. On any forms or urls that should be protected,add the token as a parameter / hidden field.

对于任何需要CSRF保护的URL,应调用下面的addCSrftoken方法.或者,如果您要创建表单,或者使用另一种呈现URL的技术(例如c：url),请确保添加名称为“ctoken”的参数或隐藏字段以及DefaultHTTPUtilities.getCSrftoken()的值.

//from HTTPUtilitiles interface
final static String CSRF_TOKEN_NAME = "ctoken";
//this code is from the DefaultHTTPUtilities implementation in ESAPI
public String addCSrftoken(String href) {
    User user = ESAPI.authenticator().getCurrentUser();
    if (user.isAnonymous()) {
        return href;
    }
    // if there are already parameters append with &,otherwise append with ?
    String token = CSRF_TOKEN_NAME + "=" + user.getCSrftoken();
    return href.indexOf( '?') != -1 ? href + "&" + token : href + "?" + token;
}
...
public String getCSrftoken() {
    User user = ESAPI.authenticator().getCurrentUser();
    if (user == null) return null;
    return user.getCSrftoken();
}

3. On the server side for those protected actions,check that the submitted token matches the token from the user object in the session.

确保从servlet或spring操作或jsf控制器或用于处理请求的任何服务器端机制调用此方法.这应该在您需要验证CSRF保护的任何请求上调用.请注意,当令牌不匹配时,它被视为可能的伪造请求.

//this code is from the DefaultHTTPUtilities implementation in ESAPI
public void verifyCSrftoken(HttpServletRequest request) throws IntrusionException {
    User user = ESAPI.authenticator().getCurrentUser();
    // check if user authenticated with this request - no CSRF protection required
    if( request.getAttribute(user.getCSrftoken()) != null ) {
        return;
    }
    String token = request.getParameter(CSRF_TOKEN_NAME);
    if ( !user.getCSrftoken().equals( token ) ) {
        throw new IntrusionException("Authentication Failed","Possibly forged HTTP request without proper CSRF token detected");
    }
}

4. On logout and session timeout,the user object is removed from the session and the session destroyed.

在此步骤中,将调用注销.发生这种情况时,请注意会话无效并且当前用户对象被重置为匿名用户,从而删除对当前用户的引用以及相应的csrf令牌.

//this code is in the DefaultUser implementation of ESAPI
public void logout() {
    ESAPI.httpUtilities().killCookie( ESAPI.currentRequest(),ESAPI.currentResponse(),HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME );
    HttpSession session = ESAPI.currentRequest().getSession(false);
    if (session != null) {
        removeSession(session);
        session.invalidate();
    }
    ESAPI.httpUtilities().killCookie(ESAPI.currentRequest(),"JSESSIONID");
    loggedIn = false;
    logger.info(Logger.Security_SUCCESS,"logout successful" );
    ESAPI.authenticator().setCurrentUser(User.ANONYMOUS);
}

资料来源：http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/

希望这可以帮助你.

Shishir