reference from:http://ricardozuasti.com/2012/preventing-csrf-in-java-web-apps/

Cross-site request forgery attacks (CSRF) are very common in web applications and can cause significant harm if allowed. If you have never heard of CSRF I recommend you check out OWASPs page about it.

Luckily preventing CSRF attacks is quite simple, I’ll try to show you how they work and how we can defend from them in the least obtrusive way possible in Java based web apps.

Imagine you are about to perform a money transfer in your bank’s secure web page, when you click on the transfer option a form page is loaded that allows you to choose the debit and credit accounts, and enter the amount of money to move. When you are satisfied with your options you press “submit” and send the form information to your bank’s web server, which in turns performs the transaction.

Now add the following to the picture, a malicious website (which you think harmless of course) is open on another window/tab of your browser while you are innocently moving all your millions in your bank’s site. This evil site knows the bank’s web forms structure, and as you browse through it, it tries to post transactions withdrawing money from your accounts and depositing it on the evil overlord’s accounts, it can do it because you have an open and valid session with the banks site in the same browser! This is the basis for a CSRF attack.

One simple and effective way to prevent it is to generate a random (i.e. unpredictable) string when the initial transfer form is loaded and send it to the browser. The browser then sends this piece of data along with the transfer options, and the server validates it before approving the transaction for processing. This way, malicious websites cannot post transactions even if they have access to a valid session in a browser.

To implement this mechanism in Java I choose to use two filters, one to create the salt for each request, and another to validate it. Since the users request and subsequent POST or GETs that should be validated do not necessarily get executed in order, I decided to use a time based cache to store a list of valid salt strings.

The first filter, used to generate a new salt for a request and store it in the cache can be coded as follows:

package com.ricardozuasti.csrf;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.RandomStringUtils; public class LoadSalt implements Filter { @Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException { // Assume its HTTP
HttpServletRequest httpReq = (HttpServletRequest) request; // Check the user session for the salt cache, if none is present we create one
Cache<String, Boolean> csrfPreventionSaltCache = (Cache<String, Boolean>)
httpReq.getSession().getAttribute("csrfPreventionSaltCache"); if (csrfPreventionSaltCache == null){
csrfPreventionSaltCache = CacheBuilder.newBuilder()
.maximumSize(5000)
.expireAfterWrite(20, TimeUnit.MINUTES)
.build(); httpReq.getSession().setAttribute("csrfPreventionSaltCache", csrfPreventionSaltCache);
} // Generate the salt and store it in the users cache
String salt = RandomStringUtils.random(20, 0, 0, true, true, null, new SecureRandom());
csrfPreventionSaltCache.put(salt, Boolean.TRUE); // Add the salt to the current request so it can be used
// by the page rendered in this request
httpReq.setAttribute("csrfPreventionSalt", salt); chain.doFilter(request, response);
} @Override
public void init(FilterConfig filterConfig) throws ServletException {
} @Override
public void destroy() {
}
}

I used Guava CacheBuilder to create the salt cache since it has both a size limit and an expiration timeout per entry. To generate the actual salt I used Apache Commons RandomStringUtils, powered by Java 6 SecureRandom to ensure a strong generation seed.

This filter should be used in all requests ending in a page that will link, post or call via AJAX a secured transaction, so in most cases it’s a good idea to map it to every request (maybe with the exception of static content such as images, CSS, etc.). It’s mapping in your web.xml should look similar to:

    ...
<filter>
<filter-name>loadSalt</filter-name>
<filter-class>com.ricardozuasti.csrf.LoadSalt</filter-class>
</filter>
...
<filter-mapping>
<filter-name>loadSalt</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
...

As I said, to validate the salt before executing secure transactions we can write another filter:

package com.ricardozuasti.csrf;

import com.google.common.cache.Cache;
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest; public class ValidateSalt implements Filter { @Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException { // Assume its HTTP
HttpServletRequest httpReq = (HttpServletRequest) request; // Get the salt sent with the request
String salt = (String) httpReq.getParameter("csrfPreventionSalt"); // Validate that the salt is in the cache
Cache<String, Boolean> csrfPreventionSaltCache = (Cache<String, Boolean>)
httpReq.getSession().getAttribute("csrfPreventionSaltCache"); if (csrfPreventionSaltCache != null &&
salt != null &&
csrfPreventionSaltCache.getIfPresent(salt) != null){ // If the salt is in the cache, we move on
chain.doFilter(request, response);
} else {
// Otherwise we throw an exception aborting the request flow
throw new ServletException("Potential CSRF detected!! Inform a scary sysadmin ASAP.");
}
} @Override
public void init(FilterConfig filterConfig) throws ServletException {
} @Override
public void destroy() {
}
}

You should configure this filter for every request that needs to be secure (i.e. retrieves or modifies sensitive information, move money, etc.), for example:

    ...
<filter>
<filter-name>validateSalt</filter-name>
<filter-class>com.ricardozuasti.csrf.ValidateSalt</filter-class>
</filter>
...
<filter-mapping>
<filter-name>validateSalt</filter-name>
<url-pattern>/transferMoneyServlet</url-pattern>
</filter-mapping>
...

After configuring both servlets all your secured requests should fail :). To fix it you have to add, to each link and form post that ends in a secure URL, the csrfPreventionSalt parameter containing the value of the request parameter with the same name. For example, in an HTML form within a JSP page:

...
<form action="/transferMoneyServlet" method="get">
<input type="hidden" name="csrfPreventionSalt" value="<c:out value='${csrfPreventionSalt}'/>"/>
...
</form>
...

Of course you can write a custom tag, a nice Javascript code or whatever you prefer to inject the new parameter in every needed link/form.

Preventing CSRF in Java web apps---reference的更多相关文章

  1. office web apps 整合Java web项目

    之前两篇文章将服务器安装好了,项目主要的就是这么讲其整合到我们的项目中,网上大部分都是asp.net的,很少有介绍Java如何整合的,经过百度,终于将其整合到了我的项目中. 首先建个servlet拦截 ...

  2. Isomorphic JavaScript: The Future of Web Apps

    Isomorphic JavaScript: The Future of Web Apps At Airbnb, we’ve learned a lot over the past few years ...

  3. Bypass Preventing CSRF

    CSRF在过去的n年(n>2)一直都火,在bh/defcon/owasp等会议上多次探讨CSRF的攻防[具体你可以看看以往的那些pp].前 段时间PLAYHACK.net上发表了一个总结性的pp ...

  4. Java Web系列:Spring Security 基础

    Spring Security虽然比JAAS进步很大,但还是先天不足,达不到ASP.NET中的认证和授权的方便快捷.这里演示登录.注销.记住我的常规功能,认证上自定义提供程序避免对数据库的依赖,授权上 ...

  5. Why mobile web apps are slow

    http://sealedabstract.com/rants/why-mobile-web-apps-are-slow/ I’ve had an unusual number of interest ...

  6. Java Web 学习路线

    实际上,如果时间安排合理的话,大概需要六个月左右,有些基础好,自学能力强的朋友,甚至在四个月左右就开始找工作了.大三的时候,我萌生了放弃本专业的念头,断断续续学 Java Web 累计一年半左右,总算 ...

  7. 使用Spring Boot来加速Java web项目的开发

    我想,现在企业级的Java web项目应该或多或少都会使用到Spring框架的. 回首我们以前使用Spring框架的时候,我们需要首先在(如果你使用Maven的话)pom文件中增加对相关的的依赖(使用 ...

  8. 免费电子书:Azure Web Apps开发者入门

    (此文章同时发表在本人微信公众号"dotNET每日精华文章",欢迎右边二维码来关注.) 题记:之前介绍过微软正在逐步出版一个名为Azure Essential的入门系列教程,最近刚 ...

  9. Java Web services: WS-Security with Metro--referenc

    As you know from "Introducing Metro," the reference implementations of the JAXB 2.x data-b ...

随机推荐

  1. NServiceBus-容器

    NServiceBus自动注册以及用户实现其所有组件处理程序和传奇,这样所有实例化模式和连接在默认情况下都是正确的,没有错误. NServiceBus在容器构建(目前Autofac的ilmerge版本 ...

  2. Hadoop概念学习系列之hadoop生态系统闲谈(二十五)

    分层次讲解 最底层平台 ------->hdfs  yarn  mapreduce spark 应用层-------->hbase  hive   pig   sparkSQL    nu ...

  3. fedora 16安装ByPass四网口网卡遇到的问题

    这个问题困扰了好几天,今天终于在大谷歌的帮助下,在这个网站http://blog.bwysystems.com/bwysystems/?p=16上找到了答案!还是国外的技术论坛强,在百度上搜遍了也没有 ...

  4. Android问题-XE5提示"[DCC Fatal Error] Project1.dpr(1): F1027 Unit not found: 'System.pas' or binary equivalents (.dcu/.o)"

    问题现象:Checking project dependencies...Compiling Project1.dproj (Debug, Android)dcc command line for & ...

  5. gcc -D

    [gcc -D] -D name Predefine name as a macro, with definition 1. 通常debug和release版的区别就在于是否有DEBUG宏,DEBUG ...

  6. nyoj117 求逆序数

    求逆序数 时间限制:2000 ms  |  内存限制:65535 KB 难度:5   描述 在一个排列中,如果一对数的前后位置与大小顺序相反,即前面的数大于后面的数,那么它们就称为一个逆序.一个排列中 ...

  7. 未能加载文件或程序集“Oracle.DataAccess, Version=2.112.1.0, Culture=neutral, PublicKeyToken=89b483f429c47342”或它的某一个依赖项。 解决方法

    webconfig文件对于oracle的映射错误.需要在以下位置修改 <runtime> <legacyCorruptedStateExceptionsPolicy enabled= ...

  8. CodeForces 709A Juicer (水题, 模拟)

    题意:给定 n 个桔子的大小,一个杯子的容积,一个最大限度,挨着挤桔子汁,如果大小大于限度,扔掉,如果不杯子满了倒掉,问你要倒掉多少杯. 析:直接按要求模拟就好,满了就清空杯子. 代码如下: #pra ...

  9. [Oracle]配置path使oracle备份/导入数据命令exp/imp起作用

    将E:\Oracle11g\app\Administrator\product\11.2.0\dbhome_1\bin;路径添加如path

  10. 用html5的canvas生成图片并保存到本地

    原文:http://www.2cto.com/kf/201209/156169.html 前端的代码: [javascript]  function drawArrow(angle)  {      ...