
Restrict URL tampering in Spring Framework 3.1

Problem description:

I am building an application using Spring Framework 3.1

I have my controllers mapped to URLs containing path variables that stand for some ID.

But I don't want the user to tamper with the url and change the path variable value manually.

I want to restrict them from doing so.

I have already tried using the ShallowEtagHeaderFilter, but it's not working the way it's supposed to.

I don't know whether I missed some configuration for the filter or whether it's not working at all.

Here is my web.xml, where I have configured the dispatcher servlet and the filters.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>eTagFilter</filter-name>
        <filter-class>com.abc.config.EtagFilter</filter-class>
    </filter>

    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- A filter url-pattern of "/" matches only the root path; "/*" applies the filter to every request. -->
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>eTagFilter</filter-name>
        <servlet-name>dispatcher</servlet-name>
    </filter-mapping>

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

</web-app>

Please help me with this.

Thanks in advance.

Answer:

I don't understand how ShallowEtagHeaderFilter fits into this picture; I think you misunderstood its functionality. It's supposed to reduce network traffic by taking pages from the browser cache. That's a totally different scenario from yours.

Basically: if you don't want users to tamper with URLs, you will need to have a way to verify that the URL was created by your application, usually a checksum parameter of some sort with an algorithm that's not easy to guess.

e.g. /site/12/user/12345/aB where aB is calculated based on /site/12/user/12345. Now if the user changes the URL to /site/13/user/12345/aB the checksum is wrong and you can send a 404 or a 400 or whatever error you want to send.

I'd probably implement the checksum check as a Filter and write a utility method that creates URLs with a checksum based on plain URLs (possibly you'll need a JSP tag as well).
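One way to implement the checksum approach from the answer, added here as an example (it is neither the poster's code nor part of Spring): the utility signs the plain path with HMAC-SHA256 under a server-side secret, and the same class, registered as a servlet Filter in web.xml, rejects any request whose trailing segment does not match. The class name, the key literal and the 400 response are my assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

/** Signs plain paths and rejects requests whose trailing signature does not match the path. */
public final class UrlSignatureFilter implements Filter {
    // Hypothetical key: a real deployment loads it from configuration, never from a literal.
    private static final byte[] KEY = "replace-with-a-long-random-secret".getBytes(StandardCharsets.UTF_8);
    /** For link generation: /site/12/user/12345 -> /site/12/user/12345/<sig>. */
    public static String sign(String plainPath) {
        return plainPath + "/" + hmac(plainPath);
    }
    /** Returns the unsigned path if the last segment is a valid signature, otherwise null. */
    public static String verify(String signedPath) {
        int slash = signedPath.lastIndexOf('/');
        if (slash <= 0) return null;                      // no signature segment present
        String plain = signedPath.substring(0, slash);
        byte[] expected = hmac(plain).getBytes(StandardCharsets.UTF_8);
        byte[] given = signedPath.substring(slash + 1).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given) ? plain : null; // constant-time compare
    }
    // HMAC-SHA256 over the path, URL-safe Base64 without padding so it fits in a path segment.
    private static String hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String path = r.getRequestURI().substring(r.getContextPath().length());
        if (verify(path) == null) {                       // tampered or missing signature
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The signature only proves that your application generated the link; it is not a substitute for checking in the controller that the logged-in user is authorised for the ID in the path.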
