GWT: XSRF: X-GWT-Permutation header sporadically missing
My application receives occasional XSRF Attack errors raised by GWT when RemoteServiceServlet.checkPermutationStrongName() fails to find an X-GWT-Permutation HTTP header in the HttpServletRequest. When the error occurs, the following line appears in the log file:
WARNING: doUnexpectedFailure was invoked.
java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)
The problem has been experienced on Firefox 3.x and 4.0 in both Hosted Mode and Web Mode.
I've run Live Headers and the HTTP header is indeed missing.
The application is vanilla GWT RPC.
Any ideas?
Failure headers
http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService
POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Length: 154
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv...
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache
7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|
6808FDC8A4FA3491026441B59E4DB72A|
org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
HTTP/1.1 400 Bad Request
Content-Type: text/plain;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 23 Mar 2011 20:11:04 GMT
Server: Apache-Coyote/1.1
Connection: close
Success headers
http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService
POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-GWT-Permutation: HostedMode
X-GWT-Module-Base: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv...
Content-Length: 154
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache
7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|
41FA1D8B82DBBBC875605A4A29670D99|
org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 48
Date: Wed, 23 Mar 2011 20:15:38 GMT
Server: Apache-Coyote/1.1
Comments (3)
I am facing the same problem with my application. It looks like Firefox 3.x is not sending the extra request header when it is set on the XmlHttpRequest object!
A quick fix for this is to override the method checkPermutationStrongName() with an empty implementation in the server-side RPC implementation.
I think we need to report this as an issue to Firefox to get a proper fix.
Based on my experience, FF occasionally drops any header that begins with "X-".
This error appeared in our logs for the first time on March 30, so I think it can be related to FF 4.0 (FF4 was shipped on 22.03). A few days before, we also migrated from GWT 2.0.4 to 2.1.1. This can also be a hint. Our app has been heavily tested in a production environment for 7 months. Maybe this information will help someone. I was looking for a method of detecting an outdated GWT app in the browser cache. When the application is deployed on the server, I check the permutation names generated by the current build and store them in a list. Every RPC request is checked for the existence of the GWT permutation it was sent by. With this error my mechanism is blown up.
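Two of the comments above pull in opposite directions: the first suggests overriding checkPermutationStrongName() with an empty body, which silently removes the check, while the last one wants to keep the header and additionally compare it against the strong names of the deployed build. The servlet below is an added example, not code from the original post, its commenters or the GWT project, that does the second without giving up the first. It relies on GWT facts visible on this page (the X-GWT-Permutation header, the literal value HostedMode sent by hosted mode in the successful capture, and the SecurityException message) plus one fact about the GWT compiler output, namely that each permutation is written as a <strongName>.cache.html or .cache.js file in the module directory. The package name, the module directory path and the use of ServletContext.getRealPath() are assumptions for illustration.

```java
// Added example (not from the original post, its commenters or the GWT project).
// Keeps GWT's rejection of RPC calls that lack X-GWT-Permutation and adds a
// second check: a strong name that the deployed build never produced marks a
// stale client still cached in the browser.
//
// Assumptions (not from the page): the package name, MODULE_DIR, and that the
// container can map the module directory to a real path.
package org.example.rpc;

import java.io.File;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class PermutationCheckingServlet extends RemoteServiceServlet {

    private static final Logger LOG =
            Logger.getLogger(PermutationCheckingServlet.class.getName());

    /** Header the GWT client sets on every RPC call (see the successful capture above). */
    static final String PERMUTATION_HEADER = "X-GWT-Permutation";

    /** Value hosted/development mode sends instead of a compiled strong name. */
    static final String HOSTED_MODE = "HostedMode";

    /** Module output directory relative to the web root; hypothetical, adjust per deployment. */
    private static final String MODULE_DIR = "/org.drools.guvnor.Guvnor";

    private Set<String> knownPermutations = Collections.emptySet();

    @Override
    public void init() throws ServletException {
        super.init();
        String realPath = getServletContext().getRealPath(MODULE_DIR);
        knownPermutations = loadPermutations(realPath == null ? null : new File(realPath));
        LOG.info("Known GWT permutations: " + knownPermutations);
    }

    /**
     * Collects strong names from the compiled module directory: the GWT compiler
     * writes one <strongName>.cache.html (or .cache.js) per permutation, so the
     * prefix before ".cache." is what a matching client sends in the header.
     */
    static Set<String> loadPermutations(File moduleDir) {
        Set<String> names = new HashSet<String>();
        names.add(HOSTED_MODE);
        File[] files = moduleDir == null ? null : moduleDir.listFiles();
        if (files != null) {
            for (File f : files) {
                String n = f.getName();
                int cut = n.indexOf(".cache.");
                if (cut > 0) {
                    names.add(n.substring(0, cut));
                }
            }
        }
        return names;
    }

    /** Verdict for one request; kept separate from the servlet so it can be unit-tested. */
    enum Verdict { OK, MISSING_HEADER, UNKNOWN_PERMUTATION }

    static Verdict classify(String strongName, Set<String> known) {
        if (strongName == null || strongName.length() == 0) {
            return Verdict.MISSING_HEADER;
        }
        return known.contains(strongName) ? Verdict.OK : Verdict.UNKNOWN_PERMUTATION;
    }

    @Override
    protected void checkPermutationStrongName() throws SecurityException {
        HttpServletRequest req = getThreadLocalRequest();
        String strongName = req.getHeader(PERMUTATION_HEADER);
        switch (classify(strongName, knownPermutations)) {
            case MISSING_HEADER:
                // Same outcome as GWT's default (the request is rejected), but log enough
                // context to tell a browser that dropped the header from a real cross-site POST.
                LOG.warning("RPC without " + PERMUTATION_HEADER + " from " + req.getRemoteAddr()
                        + " UA=" + req.getHeader("User-Agent")
                        + " Referer=" + req.getHeader("Referer"));
                throw new SecurityException(
                        "Blocked request without GWT permutation header (XSRF attack?)");
            case UNKNOWN_PERMUTATION:
                // Header present but from a build that is no longer deployed: stale client.
                throw new SecurityException(
                        "Stale GWT client: unknown permutation " + strongName + "; reload the page");
            default:
                break; // OK: continue with normal RPC processing
        }
    }
}
```

Both failure paths still end in a SecurityException, so the client sees the same HTTP 400 (a StatusCodeException in the AsyncCallback) that GWT produces today; the distinct message lets a client-side handler decide to reload for the stale case while an operator can correlate the missing-header warnings with the User-Agent values to confirm or rule out the Firefox behaviour the commenters describe. The reason not to take the empty-override shortcut is that a plain cross-site form POST cannot carry a custom header, so its presence is the only same-origin evidence the default servlet checks; the header's value is a fixed build constant rather than a secret, which is why GWT 2.3 and later added the session-token based XsrfProtectedServiceServlet as the real XSRF defence.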