0

目前,我正在从事一个 vaadin 项目,我正在努力防止对该项目的点击劫持攻击。搜索解决方案后,我发现在 web.xml 中添加以下代码段会起作用:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping> 
    <filter-name>httpHeaderSecurity</filter-name> 
    <url-pattern>/*</url-pattern>
</filter-mapping>

我在 pom.xml 中添加了以下依赖项:

<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-catalina</artifactId>
    <version>9.0.2</version>
</dependency>

我正在 payara 服务器上运行该项目。

项目运行但抛出以下错误:

引起:java.lang.ClassNotFoundException: org.glassfish.main.web.core [69] 在 org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java: 1532) 在 org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:75) 在 org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1955) 在 java.lang.ClassLoader。 loadClass(ClassLoader.java:357) at org.apache.catalina.core.ApplicationFilterConfig.loadFilterClass(ApplicationFilterConfig.java:283) at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:253) at org.apache .catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:123) ... 50 更多

这意味着我防止点击劫持攻击的解决方案将不起作用:)

任何帮助将不胜感激 :)。

4

1 回答 1

0

我已经使用 web.xml 通过以下方式解决了这个问题:

首先创建了以下过滤器:

public class ClickjackingPreventionFilter implements Filter
{
    private String mode = "DENY";

// Add X-FRAME-OPTIONS response header to tell any other browsers who   not to display this //content in a frame.
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        res.addHeader("X-FRAME-OPTIONS", mode );
        chain.doFilter(request, response);
    }
    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if ( configMode != null ) {
            mode = configMode;
        }
    }
}

然后将其配置到 web.xml 中,如下所示:

<filter>
    <filter-name>ClickjackPreventionFilterDeny</filter-name>
    <filter-class>com.groupbuilder.preventclickjacking.ClickjackingPreventionFilter</filter-class>
    <init-param>
        <param-name>mode</param-name><param-value>DENY</param-value></init-param>
</filter>
<filter-mapping>
        <filter-name>ClickjackPreventionFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
于 2017-12-12T09:43:42.067 回答