Spring MVC 和 Jetty：防止在重定向到外部站点时在 RedirectView 中使用 jsessionid

发布于 2024-09-02 20:16:10 字数 435 浏览 9 评论 0原文

在带有 Jetty 的 Spring MVC 2.5 中（可能带有任何 servlet 容器），我想通过 ModelAndView 中视图名称的神奇“redirect:”前缀使用 RedirectView 重定向到外部站点。

不幸的是，RedirectView 使用response.encodeRedirectURL()，所以我的（其他想要的）会话ID 被附加到URL 中。将会话 ID 携带到外部站点不仅存在安全风险，“;jsessionid=gagnbaba”字符串还可能被解释为其他站点上的 ContextPath/PathInfo 的一部分，从而导致错误的 URL。

除了实现我自己的ExternalRedirectView...并且还破解ViewResolver来解释“externalRedirect：”前缀之外，还有什么“弹性”选项吗？（要求 cookie 不是一个选项。）

Moritz

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

情域 2024-09-09 20:16:10

现在这是我在上面的评论中计划的ExternalRedirectView...就是这样做的。

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.view.RedirectView;

/** variant of RedirectView, will not add a session id to the url
 */
public class ExternalRedirectView extends RedirectView {
    public ExternalRedirectView(String url, boolean contextRelative) {
        super(url, contextRelative);
    }

    /** copied from @link{RedirectView#sendRedirect} and removed calls to
     * reponse.encodeRedirectURL()
     */
    @Override
    protected void sendRedirect( HttpServletRequest request,
            HttpServletResponse response, String targetUrl,
            boolean http10Compatible ) throws IOException {
        if (http10Compatible) {
            // Always send status code 302.
            response.sendRedirect(targetUrl);
        }
        else {
            // Correct HTTP status code is 303, in particular for POST requests.
            response.setStatus(303);
            response.setHeader("Location", targetUrl);
        }
    }
}

我也已经有了自己的 ViewResolver，其中添加了新的 externalRedirect: magic vier 名称前缀的功能，现在显示为：

class MyViewResolver extends AbstractCachingViewResolver implements BeanFactoryAware {
[...]
    private static final String EXTERNAL_REDIRECT_URL_PREFIX = "externalRedirect:";
[...]
    @Override
    protected View loadView( String viewName, Locale locale ) throws Exception {
        View view;
        if (viewName.startsWith(UrlBasedViewResolver.REDIRECT_URL_PREFIX)) 
        {
            view = new RedirectView(viewName.substring(UrlBasedViewResolver.REDIRECT_URL_PREFIX.length()), true);
        }
        else if (viewName.startsWith(EXTERNAL_REDIRECT_URL_PREFIX)) 
        {
            view = new ExternalRedirectView(viewName.substring(EXTERNAL_REDIRECT_URL_PREFIX.length()), true);
        }
        else

[...]
感谢所有阅读本文并思考它的人。

Now here is ExternalRedirectView as planned in my comment above... did it that way.

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.view.RedirectView;

/** variant of RedirectView, will not add a session id to the url
 */
public class ExternalRedirectView extends RedirectView {
    public ExternalRedirectView(String url, boolean contextRelative) {
        super(url, contextRelative);
    }

    /** copied from @link{RedirectView#sendRedirect} and removed calls to
     * reponse.encodeRedirectURL()
     */
    @Override
    protected void sendRedirect( HttpServletRequest request,
            HttpServletResponse response, String targetUrl,
            boolean http10Compatible ) throws IOException {
        if (http10Compatible) {
            // Always send status code 302.
            response.sendRedirect(targetUrl);
        }
        else {
            // Correct HTTP status code is 303, in particular for POST requests.
            response.setStatus(303);
            response.setHeader("Location", targetUrl);
        }
    }
}

I also already had my own ViewResolver in which I added the functionality for the new externalRedirect: magic vier name prefix, which now reads:

class MyViewResolver extends AbstractCachingViewResolver implements BeanFactoryAware {
[...]
    private static final String EXTERNAL_REDIRECT_URL_PREFIX = "externalRedirect:";
[...]
    @Override
    protected View loadView( String viewName, Locale locale ) throws Exception {
        View view;
        if (viewName.startsWith(UrlBasedViewResolver.REDIRECT_URL_PREFIX)) 
        {
            view = new RedirectView(viewName.substring(UrlBasedViewResolver.REDIRECT_URL_PREFIX.length()), true);
        }
        else if (viewName.startsWith(EXTERNAL_REDIRECT_URL_PREFIX)) 
        {
            view = new ExternalRedirectView(viewName.substring(EXTERNAL_REDIRECT_URL_PREFIX.length()), true);
        }
        else

[...]
Thanks to everyone who read this and thought about it.

回复收藏 0 原文

~没有更多了~