java - security: implementing a solution against CSRF attacks in Struts 1

Tags: java security csrf struts-1 struts1

I need to implement a solution that prevents CSRF attacks in an application based on the Struts 1 framework. On the web, people have proposed these solutions:

  • Struts saveToken(request) 和 isTokenValid(request, true)
  • HDIV 和 OWASP CSRFGuard 等库

At the moment I don't know which one is best suited to this problem. So could you give me your opinion on these solutions to guide my choice, with an example if possible, or suggest other solutions?

Thanks for the help

Best answer

If you are only concerned about CSRF and not about other OWASP security issues, I recommend using the support built into Struts, i.e. the Synchronizer Token Pattern, rather than any external library.

An excerpt from the Struts Survival Guide on the Synchronizer Token Pattern:

To understand how the Synchronizer Token works, some background about built-in functionalities in the Action class is required. The Action class has a method called saveToken() whose logic is as follows:

HttpSession session = request.getSession();
String token = generateToken(request);
if (token != null) {
 session.setAttribute(Globals.TRANSACTION_TOKEN_KEY, token);
}

The method generates a random token using session id, current time and a MessageDigest and stores it in the session using a key name org.apache.struts.action.TOKEN (this is the value of the static variable TRANSACTION_TOKEN_KEY in the org.apache.struts.Globals class). The Action class that renders the form invokes the saveToken() method to create a session attribute with the above name. In the JSP, you have to use the token as a hidden form field as follows:

<input type="hidden"
name="<%=org.apache.struts.taglib.html.Constants.TOKEN_KEY%>"
value="<bean:write name="<%=Globals.TRANSACTION_TOKEN_KEY%>"/>">

The embedded <bean:write> tag shown above looks for a bean named org.apache.struts.action.TOKEN (which is the value of Globals.TRANSACTION_TOKEN_KEY) in session scope and renders its value as the value attribute of the hidden input variable. The name of the hidden input variable is org.apache.struts.taglib.html.TOKEN (this is nothing but the value of the static variable TOKEN_KEY in the class org.apache.struts.taglib.html.Constants). When the client submits the form, the hidden field is also submitted. In the Action that handles the form submission (which most likely is different from the Action that rendered the form), the token in the form submission is compared with the token in the session by using the isTokenValid() method. The method compares the two tokens and returns true if both are the same. Be sure to pass reset="true" in the isTokenValid() method to clear the token from the session after comparison. If the two tokens are equal, the form was submitted for the first time. However, if the two tokens do not match or if there is no token in the session, then it is a duplicate submission and handle it in the manner acceptable to your users.
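The two halves of the pattern described above, as an added example that is not from the answer or the Struts Survival Guide: one Action seeds the token before rendering the form, the other validates and resets it before doing any state-changing work. The class names and the forward names ("form", "invalid", "success") are assumptions and would need matching entries in struts-config.xml.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical Action that renders the form. It only needs to seed the token:
// Struts 1 stores it in the session under Globals.TRANSACTION_TOKEN_KEY, and the
// hidden field shown above (or the <html:form> tag, which emits that field
// automatically when a session token exists) copies it into the page.
public class ShowTransferFormAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        saveToken(request);                 // fresh random token per rendered form
        return mapping.findForward("form"); // forward name is an assumption
    }
}

// Hypothetical Action that processes the submission. The request is accepted
// only when the submitted hidden field matches the session token; the token is
// then cleared so a replayed or double-submitted POST is rejected.
class ProcessTransferAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // A state-changing action should only ever be reached by POST.
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return mapping.findForward("invalid");
        }
        // reset=true removes the token from the session after the comparison.
        // A cross-site request lands here because the attacker's page cannot
        // read the victim's session token; so does a duplicate submission.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("invalid");
        }
        // ... perform the state-changing operation here ...
        return mapping.findForward("success");
    }
}
```

Because the token is consumed on the first valid submission, a form that may legitimately be posted twice (for example after a validation error) must call saveToken(request) again before re-rendering.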

For java - security: implementing a solution against CSRF attacks in Struts 1, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33666973/
