
So basically, JSF tries to render a link to an ajax4jsf CSS file that contains "Xx< XaXaXXaXaX>xX as part of it. This of course immediately throws an exception.

The question is how this:

org/"Xx< XaXaXXaXaX>xX/renderkit/html/css/basic_classes.xcss

comes out when it should be this: org/richfaces/renderkit/html/css/basic_classes.xcss. Could we be under some kind of XSS attack that causes this? "Xx< XaXaXXaXaX>xX seems to be a very popular string for getting into systems...

Does anyone know how to fix this?

EDIT

Inside the richfaces-ui jar I found this file: richfaces-ui-3.3.1.GA\META-INF\resources-config.xml

It has this resource:

<name>org/richfaces/renderkit/html/css/basic_classes.xcss</name>

<path>org/richfaces/renderkit/html/css/basic_classes.xcss</path>

But somehow it doesn't seem to pick it up correctly, because later I got this error:

2013-09-25 19:48:02,297 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[Faces Servlet]] (http-10.60.67.140-8443-6) Servlet.service() for servlet Faces Servlet threw exception
org.ajax4jsf.resource.ResourceNotFoundException: Resource not registered : org/"Xx<XaXaXXaXaX>xX/renderkit/html/css/basic_classes.xcss
    at org.ajax4jsf.resource.ResourceBuilderImpl.getResource(ResourceBuilderImpl.java:406)
    at org.ajax4jsf.resource.ResourceBuilderImpl.getResourceForKey(ResourceBuilderImpl.java:350)
    at org.ajax4jsf.resource.InternetResourceService.serviceResource(InternetResourceService.java:152)
    at org.ajax4jsf.resource.InternetResourceService.serviceResource(InternetResourceService.java:141)
    at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:488)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
    at java.lang.Thread.run(Unknown Source)

By the way, this only happens in production. I've read that JSF 1.2 is vulnerable to XSS, so after seeing that "Xx< XaXaXXaXaX>xX is the problem here, it means that something can be injected somehow...


1 Answer


Ok, it seems that a bot or something of the sort was trying to access that kind of file by slightly modifying the URLs of the resources. Our decision so far is to restrain all the wrong requests through the web.xml.

As a side note, we are thinking that this could be an attacker trying to figure out the resource locations of our system.

answered 2013-09-30T11:48:44.703
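One defender-side way to do the web.xml-level blocking the answer describes, as an added example that is not code from the question, the answer, or RichFaces/ajax4jsf itself: a servlet filter registered in web.xml ahead of the ajax4jsf filter that rejects resource URLs containing characters no genuine resource key ever has, so probes like the one in the log get a plain 404 instead of a 500 with a stack trace. It assumes this deployment serves ajax4jsf resources under /a4j/*; the class name and mapping are hypothetical.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical guard filter (added example, not RichFaces/ajax4jsf code).
 * Register it in web.xml BEFORE the ajax4jsf filter, e.g.:
 *   <filter><filter-name>resourceKeyGuard</filter-name>
 *           <filter-class>ResourceKeyGuardFilter</filter-class></filter>
 *   <filter-mapping><filter-name>resourceKeyGuard</filter-name>
 *           <url-pattern>/a4j/*</url-pattern></filter-mapping>
 * The /a4j/* prefix is an assumption about where this deployment serves resources.
 */
public class ResourceKeyGuardFilter implements Filter {
    // Characters that never occur in a legitimate resource key such as
    // org/richfaces/renderkit/html/css/basic_classes.xcss, but do occur in the
    // probe string "Xx<XaXaXXaXaX>xX from the question's log.
    private static final Pattern FORBIDDEN = Pattern.compile("[\"'<>`\\\\\\s\\x00-\\x1f]");

    /** True when the (percent-decoded) request path could be a genuine resource key. */
    static boolean isAcceptableResourcePath(String rawPath) {
        if (rawPath == null || rawPath.isEmpty()) return false;
        String decoded;
        try {
            // Probes may arrive %-encoded; decode before checking. '+' is kept literal
            // (URLDecoder would turn it into a space) since it may appear in data segments.
            decoded = URLDecoder.decode(rawPath.replace("+", "%2B"), "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException badEscape) {
            return false; // malformed escape sequence: not a key we would ever serve
        }
        if (decoded.contains("..")) return false; // no traversal segments either
        return !FORBIDDEN.matcher(decoded).find();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!isAcceptableResourcePath(request.getRequestURI())) {
            // Plain 404: ResourceBuilderImpl never sees the bogus key, so no exception.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Rejected requests still reach the access log with their full path, which is what you want for counting how often the probe string shows up against this host.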