我正在开发一个在 Google App Engine 上运行的 GWT 应用程序,想知道我是否需要担心跨站点请求伪造,或者这是否会自动为我处理?
对于每个需要身份验证的 RPC 请求,我有以下代码:
public class BookServiceImpl extends RemoteServiceServlet implements
BookService {
public void deleteInventory(Key<Inventory> inventoryKey) throws NotLoggedInException, InvalidStateException, NotFoundException {
DAO dao = new DAO();
// This will throw NotLoggedInException if user is not logged in
User user = dao.getCurrentUser();
// Do deletion here
}
}
public final class DAO extends DAOBase {
public User getCurrentUser() throws NotLoggedInException {
currentUser = UserServiceFactory.getUserService().getCurrentUser();
if(currentUser == null) {
throw new NotLoggedInException();
}
return currentUser;
}
我找不到任何有关 UserService 如何检查身份验证的文档。依赖上面的代码就足够了还是我需要更多?我是这方面的初学者,但据我所知,避免 CSRF 攻击的一些策略是:
- 在
请求负载而不仅仅是
检查 cookie
- 检查 HTTP
Referer 标头
我可以看到我从 Google 设置了 cookie,其看起来像 SID 值,但我无法从有效负载中的序列化 Java 对象判断是否传递了令牌。我也不知道是否使用了 Referer 标头。
那么,我担心的不是一个问题吗?如果不是,那么最好的策略是什么?这是一个很常见的问题,必须有标准的解决方案......
I'm developing a GWT app running on the Google App Engine and wondering if I need to worry about Cross-site request forgery or is that automatically taken care of for me?
For every RPC request that requires authentication, I have the following code:
public class BookServiceImpl extends RemoteServiceServlet implements
BookService {
public void deleteInventory(Key<Inventory> inventoryKey) throws NotLoggedInException, InvalidStateException, NotFoundException {
DAO dao = new DAO();
// This will throw NotLoggedInException if user is not logged in
User user = dao.getCurrentUser();
// Do deletion here
}
}
public final class DAO extends DAOBase {
public User getCurrentUser() throws NotLoggedInException {
currentUser = UserServiceFactory.getUserService().getCurrentUser();
if(currentUser == null) {
throw new NotLoggedInException();
}
return currentUser;
}
I couldn't find any documentation on how the UserService checks authentication. Is it enough to rely on the code above or do I need to to more? I'm a beginner at this, but from what I understand to avoid CSRF attacks some of the strategies are:
- adding an authentication token in
the request payload instead of just
checking a cookie
- checking the HTTP
Referer header
I can see that I have cookies set from Google with what look like SID values, but I can't tell from the serialized Java objects in the payloads if tokens are being passed or not. I also don't know if the Referer header is being used or not.
So, am I worrying about a non-issue? If not, what is the best strategy here? This is a common enough problem, that there must be standard solutions out there...
发布评论
评论(1)
如果您将相同的代码放入常规 servlet 中,那么您肯定容易受到 XSRF 的攻击。但由于您使用的是 GWT
RemoteServiceServlet- 答案取决于您使用的 GWT 版本。从尚未发布的 GWT 2.1 开始,RPC 机制添加请求标头并验证这些标头在 RemoteServiceServlet 中是否存在。 这有其局限性 - 特别是,旧版本的 flash 允许您从不同的域发送请求标头,但这确实使潜在攻击者的事情变得更加困难。
如果您想充分保护自己免受 XSRF 的侵害,请参阅 Lombardi 的开发博客。该博客讨论了两种技术。第一个是简单的更改,将 2.1 移植到旧版本的 GWT。第二种方法需要将会话标识符复制为请求参数,并且是防止 XSRF 的推荐方法。
参考文献
If you were to put the same code in a regular servlet, you'd surely be vulnerable to XSRF. But since you are using GWTs
RemoteServiceServlet- the answer depends on the version of GWT you are using.Starting with the yet-to-be-release GWT 2.1, the RPC mechanism adds request headers and validates the presence of these headers in RemoteServiceServlet. This has its limitations - in particular, older versions of flash allow you to send the request headers from a different domain, but it does make things more difficult for a potential attacker.
If you want to adequately protect yourself from XSRF, refer to Lombardi's Development blog. The blog discusses two techniques. The first is a simple change that ports 2.1 changes to older versions of GWT. The second approach requires duplicating the session identifier as a request parameter, and is the recommended way to protect against XSRF.
References