OWASP

OWASP

关注
发信
关注(28)粉丝(399)

java - CSRFGuard中的NPE

我想保护我的应用程序免受csrf的侵害,因此我添加了owasp.csrf.jar并按照here所述配置了我的应用程序,然后使用csrf token 标记将隐藏字段添加到我的一种表单中,如下所示:

<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>" />

但是在渲染页面时,我在 TokenNameTag.java中得到了NPE。

我错过了什么?

更新

堆栈跟踪:
2013-04-15 10:46:49,985 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/myapp].[jsp]]  Servlet.service() for servlet jsp threw exception
java.lang.NullPointerException
    at org.owasp.csrfguard.tag.TokenNameTag.doStartTag(TokenNameTag.java:45)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_csrf_005ftoken_002dname_005f0(configurationMain_jsp.java:7405)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_html_005fform_005f7(configurationMain_jsp.java:6812)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_logic_005fmatch_005f3(configurationMain_jsp.java:6695)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspService(configurationMain_jsp.java:1712)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
    at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
    at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:662)

最佳答案

第45行上的TokenNameTag.java也有类似的问题。这是我的堆栈跟踪

Stacktrace:] with root cause
java.lang.NullPointerException
at java.io.Writer.write(Writer.java:157)
at org.owasp.csrfguard.tag.TokenNameTag.doStartTag(TokenNameTag.java:45)
at org.apache.jsp.position_005fdetails_jsp._jspx_meth_csrf_005ftokenname_005f0(position_005fdetails_jsp.java:4768) org.apache.jsp.position_005fdetails_jsp._jspService(position_005fdetails_jsp.java:1255) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)                                                                                                                               at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)`

我的问题是我没有将以下内容复制到web.xml文件中
<listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
       </listener>
       <listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
       </listener>
       <context-param>
             <param-name>Owasp.CsrfGuard.Config</param-name>
             <param-value>Owasp.CsrfGuard.properties</param-value>
       </context-param>


<servlet>
     <servlet-name>JavaScriptServlet</servlet-name>
     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>

    </servlet>
    <servlet-mapping>
     <servlet-name>JavaScriptServlet</servlet-name>
     <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>


<filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

完成此操作后,它对我有用。

(出于完整性考虑,我将添加owasp.csrfguard-3.1.0.jar必须在lib目录中,并且Owasp.CsrfGuard.properties也必须在正确的目录中,其中一种可能是应用程序类路径-参见https://www.owasp.org/index.php/CSRFGuard_3_Installation)

09-26 06:30
Powered by LMLPHP ©2024 OWASP 0.028251