J2EE CSRF漏洞防护详解<\/h1>

1. CSRF漏洞概述<\/h2>
CSRF(Cross-Site Request Forgery)跨站请求伪造是一种常见的Web安全漏洞，攻击者诱导受害者进入第三方网站，在受害者已登录目标网站的情况下，利用受害者的身份凭证执行非预期的操作。<\/p>

2. Struts框架CSRF防护<\/h2>

2.1 使用
<s:token\/><\/code>标签<\/h3>
在Struts框架中，可以通过<s:token\/><\/code>标签生成并验证CSRF令牌：<\/p>
<s:form action="reg" theme="simple">
    username:<s:textfield name="username"><\/s:textfield><br \/>
    password:<s:password name="password"><\/s:password><br \/>
    <s:token><\/s:token>
    <s:submit value="注册"><\/s:submit>
<\/s:form>
<\/code><\/pre>
2.2 配置token拦截器<\/h3>
在struts.xml<\/code>中配置token拦截器：<\/p>
<package<\/span> name=<\/span>"test"<\/span> namespace=<\/span>"\/test"<\/span> extends=<\/span>"struts-default"<\/span>><\/span>
<\/span><\/span>    <interceptors><\/span>
<\/span><\/span>        <!-- 配置拦截器 --><\/span>
<\/span><\/span>        <interceptor-stack<\/span> name=<\/span>"tokenStack"<\/span>><\/span>
<\/span><\/span>            <!-- 命名拦截器栈,名字随便 --><\/span>
<\/span><\/span>            <interceptor-ref<\/span> name=<\/span>"token"<\/span>\/><\/span>
<\/span><\/span>            <!-- 此拦截器为token拦截器,struts已经实现 --><\/span>
<\/span><\/span>            <interceptor-ref<\/span> name=<\/span>"defaultStack"<\/span> \/><\/span>
<\/span><\/span>            <!-- 默认拦截器,注意顺序,默认拦截器放在最下面 --><\/span>
<\/span><\/span>        <\/interceptor-stack><\/span>
<\/span><\/span>    <\/interceptors><\/span>
<\/span><\/span>    <default-interceptor-ref<\/span> name=<\/span>"tokenStack"<\/span> \/><\/span>
<\/span><\/span>    <!-- 让该包中所有action都是用我们配置的拦截器栈,名字和上面的对应 --><\/span>
<\/span><\/span><\/package><\/span>
<\/span><\/span><\/code><\/pre>2.3 流程说明<\/h3>

客户端申请token<\/li>
服务器端生成token，并存放在session中，同时将token发送到客户端<\/li>
客户端存储token，在请求提交时，同时发送token信息<\/li>
服务器端统一拦截同一个用户的所有请求，验证当前请求是否需要被验证<\/li>
验证session中token是否和用户请求中的token一致，如果一致则放行<\/li>
session清除会话中的token，为下一次的token生成作准备<\/li>
并发重复请求到来，验证token和请求token不一致，请求被拒绝<\/li>
<\/ol>
3. SpringMVC框架CSRF防护<\/h2>
3.1 基本思路<\/h3>

跳转页面前生成随机token，并存放在session中<\/li>
form中将token放在隐藏域中，保存时将token放头部一起提交<\/li>
获取头部token，与session中的token比较，一致则通过<\/li>
生成新的token，并传给前端<\/li>
<\/ol>
3.2 配置拦截器<\/h3>
<mvc:interceptors><\/span>
<\/span><\/span>    <!-- csrf攻击防御 --><\/span>
<\/span><\/span>    <mvc:interceptor><\/span>
<\/span><\/span>        <!-- 需拦截的地址 --><\/span>
<\/span><\/span>        <mvc:mapping<\/span> path=<\/span>"\/**"<\/span>\/><\/span>
<\/span><\/span>        <!-- 需排除拦截的地址 --><\/span>
<\/span><\/span>        <mvc:exclude-mapping<\/span> path=<\/span>"\/resources\/**"<\/span>\/><\/span>
<\/span><\/span>        <bean<\/span> class=<\/span>"com.cnpc.framework.interceptor.CSRFInterceptor"<\/span>\/><\/span>
<\/span><\/span>    <\/mvc:interceptor><\/span>
<\/span><\/span><\/mvc:interceptors><\/span>
<\/span><\/span><\/code><\/pre>3.3 拦截器实现<\/h3>
public<\/span> class<\/span> CSRFInterceptor<\/span> extends<\/span> HandlerInterceptorAdapter {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        HandlerMethod handlerMethod =<\/span> (<\/span>HandlerMethod)<\/span> handler;<\/span>
<\/span><\/span>        Method method =<\/span> handlerMethod.<\/span>getMethod<\/span>();<\/span>
<\/span><\/span>        VerifyCSRFToken verifyCSRFToken =<\/span> method.<\/span>getAnnotation<\/span>(<\/span>VerifyCSRFToken.<\/span>class<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 如果配置了校验csrf token校验,则校验
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>verifyCSRFToken !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            \/\/ 是否为Ajax标志
<\/span><\/span><\/span><\/span>            String xrq =<\/span> request.<\/span>getHeader<\/span>(<\/span>"X-Requested-With"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 非法的跨站请求校验
<\/span><\/span><\/span><\/span>            if<\/span> (<\/span>verifyCSRFToken.<\/span>verify<\/span>()<\/span> &&<\/span> !<\/span>verifyCSRFToken(<\/span>request))<\/span> {<\/span>
<\/span><\/span>                if<\/span> (<\/span>StrUtil.<\/span>isEmpty<\/span>(<\/span>xrq))<\/span> {<\/span>
<\/span><\/span>                    \/\/ form表单提交,url get方式,刷新csrftoken并跳转提示页面
<\/span><\/span><\/span><\/span>                    String csrftoken =<\/span> CSRFTokenUtil.<\/span>generate<\/span>(<\/span>request);<\/span>
<\/span><\/span>                    request.<\/span>getSession<\/span>().<\/span>setAttribute<\/span>(<\/span>"CSRFToken"<\/span>,<\/span> csrftoken);<\/span>
<\/span><\/span>                    response.<\/span>setContentType<\/span>(<\/span>"application\/json;charset=UTF-8"<\/span>);<\/span>
<\/span><\/span>                    PrintWriter out =<\/span> response.<\/span>getWriter<\/span>();<\/span>
<\/span><\/span>                    out.<\/span>print<\/span>(<\/span>"非法请求"<\/span>);<\/span>
<\/span><\/span>                    response.<\/span>flushBuffer<\/span>();<\/span>
<\/span><\/span>                    return<\/span> false<\/span>;<\/span>
<\/span><\/span>                }<\/span> else<\/span> {<\/span>
<\/span><\/span>                    \/\/ 刷新CSRFToken,返回错误码,用于ajax处理,可自定义
<\/span><\/span><\/span><\/span>                    String csrftoken =<\/span> CSRFTokenUtil.<\/span>generate<\/span>(<\/span>request);<\/span>
<\/span><\/span>                    request.<\/span>getSession<\/span>().<\/span>setAttribute<\/span>(<\/span>"CSRFToken"<\/span>,<\/span> csrftoken);<\/span>
<\/span><\/span>                    ResultCode rc =<\/span> CodeConstant.<\/span>CSRF_ERROR<\/span>;<\/span>
<\/span><\/span>                    response.<\/span>setContentType<\/span>(<\/span>"application\/json;charset=UTF-8"<\/span>);<\/span>
<\/span><\/span>                    PrintWriter out =<\/span> response.<\/span>getWriter<\/span>();<\/span>
<\/span><\/span>                    out.<\/span>print<\/span>(<\/span>JSONObject.<\/span>toJSONString<\/span>(<\/span>rc));<\/span>
<\/span><\/span>                    response.<\/span>flushBuffer<\/span>();<\/span>
<\/span><\/span>                    return<\/span> false<\/span>;<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> postHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler,<\/span> ModelAndView modelAndView)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 第一次生成token
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>modelAndView !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>request.<\/span>getSession<\/span>(<\/span>false<\/span>)<\/span> ==<\/span> null<\/span> ||<\/span> StrUtil.<\/span>isEmpty<\/span>((<\/span>String)<\/span> request.<\/span>getSession<\/span>(<\/span>false<\/span>).<\/span>getAttribute<\/span>(<\/span>"CSRFToken"<\/span>)))<\/span> {<\/span>
<\/span><\/span>                request.<\/span>getSession<\/span>().<\/span>setAttribute<\/span>(<\/span>"CSRFToken"<\/span>,<\/span> CSRFTokenUtil.<\/span>generate<\/span>(<\/span>request));<\/span>
<\/span><\/span>                return<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 刷新token
<\/span><\/span><\/span><\/span>        HandlerMethod handlerMethod =<\/span> (<\/span>HandlerMethod)<\/span> handler;<\/span>
<\/span><\/span>        Method method =<\/span> handlerMethod.<\/span>getMethod<\/span>();<\/span>
<\/span><\/span>        RefreshCSRFToken refreshAnnotation =<\/span> method.<\/span>getAnnotation<\/span>(<\/span>RefreshCSRFToken.<\/span>class<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 跳转到一个新页面 刷新token
<\/span><\/span><\/span><\/span>        String xrq =<\/span> request.<\/span>getHeader<\/span>(<\/span>"X-Requested-With"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>refreshAnnotation !=<\/span> null<\/span> &&<\/span> refreshAnnotation.<\/span>refresh<\/span>()<\/span> &&<\/span> StrUtil.<\/span>isEmpty<\/span>(<\/span>xrq))<\/span> {<\/span>
<\/span><\/span>            request.<\/span>getSession<\/span>().<\/span>setAttribute<\/span>(<\/span>"CSRFToken"<\/span>,<\/span> CSRFTokenUtil.<\/span>generate<\/span>(<\/span>request));<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 校验成功 刷新token 可以防止重复提交
<\/span><\/span><\/span><\/span>        VerifyCSRFToken verifyAnnotation =<\/span> method.<\/span>getAnnotation<\/span>(<\/span>VerifyCSRFToken.<\/span>class<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>verifyAnnotation !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>verifyAnnotation.<\/span>verify<\/span>())<\/span> {<\/span>
<\/span><\/span>                if<\/span> (<\/span>StrUtil.<\/span>isEmpty<\/span>(<\/span>xrq))<\/span> {<\/span>
<\/span><\/span>                    request.<\/span>getSession<\/span>().<\/span>setAttribute<\/span>(<\/span>"CSRFToken"<\/span>,<\/span> CSRFTokenUtil.<\/span>generate<\/span>(<\/span>request));<\/span>
<\/span><\/span>                }<\/span> else<\/span> {<\/span>
<\/span><\/span>                    Map<<\/span>String,<\/span> String><\/span> map =<\/span> new<\/span> HashMap<<\/span>String,<\/span> String>();<\/span>
<\/span><\/span>                    map.<\/span>put<\/span>(<\/span>"CSRFToken"<\/span>,<\/span> CSRFTokenUtil.<\/span>generate<\/span>(<\/span>request));<\/span>
<\/span><\/span>                    response.<\/span>setContentType<\/span>(<\/span>"application\/json;charset=UTF-8"<\/span>);<\/span>
<\/span><\/span>                    OutputStream out =<\/span> response.<\/span>getOutputStream<\/span>();<\/span>
<\/span><\/span>                    out.<\/span>write<\/span>((<\/span>",'csrf':"<\/span> +<\/span> JSONObject.<\/span>toJSONString<\/span>(<\/span>map)).<\/span>getBytes<\/span>(<\/span>"UTF-8"<\/span>));<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/**
<\/span><\/span><\/span>     * 处理跨站请求伪造 针对需要登录后才能处理的请求,验证CSRFToken校验
<\/span><\/span><\/span>     *\/<\/span>
<\/span><\/span>    protected<\/span> boolean<\/span> verifyCSRFToken<\/span>(<\/span>HttpServletRequest request)<\/span> {<\/span>
<\/span><\/span>        \/\/ 请求中的CSRFToken
<\/span><\/span><\/span><\/span>        String requstCSRFToken =<\/span> request.<\/span>getHeader<\/span>(<\/span>"CSRFToken"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>StrUtil.<\/span>isEmpty<\/span>(<\/span>requstCSRFToken))<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        String sessionCSRFToken =<\/span> (<\/span>String)<\/span> request.<\/span>getSession<\/span>().<\/span>getAttribute<\/span>(<\/span>"CSRFToken"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>StrUtil.<\/span>isEmpty<\/span>(<\/span>sessionCSRFToken))<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        return<\/span> requstCSRFToken.<\/span>equals<\/span>(<\/span>sessionCSRFToken);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. ESAPI实现CSRF防护<\/h2>
4.1 生成CSRF Token<\/h3>
private<\/span> String csrfToken =<\/span> resetCSRFToken();<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> String resetCSRFToken<\/span>()<\/span> {<\/span>
<\/span><\/span>    String csrfToken =<\/span> ESAPI.<\/span>randomizer<\/span>().<\/span>getRandomString<\/span>(<\/span>8<\/span>,<\/span> DefaultEncoder.<\/span>CHAR_ALPHANUMERICS<\/span>);<\/span>
<\/span><\/span>    return<\/span> csrfToken;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 在表单中添加CSRF Token<\/h3>
对于需要保护的表单，增加一个隐藏的csrfToken字段：<\/p>
<!-- URL上 -->
<a href='<%=ESAPI.httpUtilities().addCSRFToken("\/zhutougg\/main?function=listUser")%>'>查询用户<\/a>

<!-- 表单中 -->
<input type="hidden" name="ctoken" value="<%=ESAPI.DefaultHTTPUtilities.getCSRFToken() %>">
<\/code><\/pre>
4.3 服务器端验证<\/h3>
@RequestMapping<\/span>(<\/span>value=<\/span>"\/admin\/login"<\/span>,<\/span>method =<\/span> RequestMethod.<\/span>POST<\/span>)<\/span>
<\/span><\/span>public<\/span> String listUser<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Model model)<\/span> {<\/span>
<\/span><\/span>    ESAPI.<\/span>httpUtilities<\/span>().<\/span>verifyCSRFToken<\/span>(<\/span>request);<\/span>
<\/span><\/span>    \/\/ 其他业务逻辑
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.4 用户退出时移除token<\/h3>
ESAPI.<\/span>authenticator<\/span>().<\/span>getCurrentUser<\/span>().<\/span>logout<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>5. 最佳实践总结<\/h2>

重要操作必须使用POST请求<\/strong>：GET请求容易被利用进行CSRF攻击<\/li>
使用CSRF Token<\/strong>：为每个表单生成唯一的token，并在服务器端验证<\/li>
验证Referer头<\/strong>：检查请求来源是否合法<\/li>
设置SameSite Cookie属性<\/strong>：限制第三方网站使用Cookie<\/li>
双重提交Cookie<\/strong>：将token同时放在Cookie和请求参数中，服务器验证两者是否一致<\/li>
定期更换Token<\/strong>：防止token被窃取后长期有效<\/li>
敏感操作二次验证<\/strong>：如密码修改等操作要求用户重新输入密码<\/li>
<\/ol>
通过以上措施，可以有效防止CSRF攻击，保护Web应用的安全。<\/p>
J2EE CSRF漏洞防护详解<\/h1>

1. CSRF漏洞概述<\/h2> CSRF(Cross-Site Request Forgery)跨站请求伪造是一种常见的Web安全漏洞，攻击者诱导受害者进入第三方网站，在受害者已登录目标网站的情况下，利用受害者的身份凭证执行非预期的操作。<\/p>

2. Struts框架CSRF防护<\/h2>

3. SpringMVC框架CSRF防护<\/h2>

4. ESAPI实现CSRF防护<\/h2>

1. CSRF漏洞概述<\/h2>
CSRF(Cross-Site Request Forgery)跨站请求伪造是一种常见的Web安全漏洞，攻击者诱导受害者进入第三方网站，在受害者已登录目标网站的情况下，利用受害者的身份凭证执行非预期的操作。<\/p>
