
Intercepting POST requests in Spring MVC to prevent CSRF attacks

Created: 2015-08-06

[1]. [Code] CsrfTokenManager: manages everything related to the csrfToken

```java
package com.uncle5.pubrub.web.common;

import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class CsrfTokenManager {

    // Name of the hidden form field that carries the token
    static final String CSRF_PARAM_NAME = "CSRFToken";

    // Name of the session attribute that holds the csrfToken
    public static final String CSRF_TOKEN_FOR_SESSION_ATTR_NAME = CsrfTokenManager.class
            .getName() + ".tokenval";

    // Utility class, not instantiable
    private CsrfTokenManager() {
    }

    // Create the csrfToken in the session (an existing token is reused)
    public static String createTokenForSession(HttpSession session) {
        String token = null;

        synchronized (session) {
            token = (String) session
                    .getAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME);
            if (null == token) {
                token = UUID.randomUUID().toString();
                session.setAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME, token);
            }
        }
        return token;
    }

    // Read the token submitted with the request
    public static String getTokenFromRequest(HttpServletRequest request) {
        return request.getParameter(CSRF_PARAM_NAME);
    }
}
```
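The check on the receiving side, as an added example that is not code from the original post: a Spring MVC interceptor that rejects POST requests whose `CSRFToken` parameter does not match the token `CsrfTokenManager` stored in the session. The class name `CsrfCheckInterceptor`, the helper `tokensMatch` and the 403 response are assumptions of this example; it assumes the `CsrfTokenManager` listed above is on the classpath in the same package.

```java
// Same package as the page's CsrfTokenManager (assumed to be on the classpath)
package com.uncle5.pubrub.web.common;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical interceptor: its name and behaviour belong to this example, not to the post
public class CsrfCheckInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        // Only POST requests are checked, matching the page title
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return true;
        }
        // getSession(false): never create a session just to validate a token
        HttpSession session = request.getSession(false);
        String expected = session == null ? null
                : (String) session.getAttribute(
                        CsrfTokenManager.CSRF_TOKEN_FOR_SESSION_ATTR_NAME);
        String submitted = CsrfTokenManager.getTokenFromRequest(request);

        if (!tokensMatch(expected, submitted)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
            return false; // stop the handler chain, the controller never runs
        }
        return true;
    }

    // Fails closed when either token is missing; MessageDigest.isEqual
    // compares the bytes without stopping at the first difference
    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

The interceptor takes effect once it is registered with Spring MVC, for example inside an `<mvc:interceptors>` element or through `WebMvcConfigurer.addInterceptors`.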

[2]. [Code] CsrfRequestDataValueProcessor: the class that automatically creates the hidden csrfToken field

```java
package com.uncle5.pubrub.web.common;

import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.stereotype.Component;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

import com.google.common.collect.Maps;
```