|
前台jsp文件
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@page import="com.kingdee.sec.esapi.csrf.action.CSRFToken" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<%
HttpSession s = request.getSession();
s.setAttribute("csrfToken",CSRFToken.generateToken());
%>
<%
//do some simlate transfer money
String cash = request.getParameter("cash");
String to = request.getParameter("to");
%>
<form action = "../CSRFToken" method="post">
<input type="hidden" name="csrftoken" value="<%=s.getAttribute("csrfToken")%>"/>
Transfer cash:<input type="text" name="cash"/><br/>
To:<input type="text" name="to"/><br/>
money<input type="text" size="20" id="money" name ="money" length=40/></br>
<button type="submit" text="转账" name="转账">转账</button>
</form>
</body>
</html>
后台servlet文件
package com.kingdee.sec.esapi.csrf.action;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.reference.DefaultEncoder;
/**
* Servlet implementation class CSRFToken
*/
@WebServlet("/CSRFToken")
public class CSRFToken extends HttpServlet {
private static final long serialVersionUID = 1L;
/**
* @see HttpServlet#HttpServlet()
*/
public CSRFToken() {
super();
// TODO Auto-generated constructor stub
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
// TODO Auto-generated method stub
// place your code here
/* 验证refer */
// 从 HTTP 头中取得 Referer 值
String referer = ((HttpServletRequest) request).getHeader("Referer");// request中没有getHeader方法。
// 判断 Referer 是否以kdweibo.com 开头
if ((referer != null)&& (referer.trim().startsWith("http://localhost:8080"))) {
/* 判断token */
//如果处理HTTP请求,并且需要访问诸如getHeader或getCookies等在ServletRequest中无法得到的方法,就要把此request对象构造成HttpServletRequest
HttpServletRequest req = (HttpServletRequest)request;
// 从 session 中得到 csrfToken 属性
HttpSession session = req.getSession();
// 从 session 中得到 csrftoken 属性
HttpSession s = request.getSession();
String sToken = s.getAttribute("csrfToken").toString();
System.out.print(sToken);
if (sToken == null) {
// 产生新的 token 放入 session 中
sToken = generateToken();
} else {
request.getRequestDispatcher("error/error.jsp").forward(
request, response);
}
} else {
request.getRequestDispatcher("error/error.jsp").forward(request,
response);
return;
}
}
// 生成token的代码
public static String generateToken() {
// TODO Auto-generated method stub
String csrfToken = ESAPI.randomizer().getRandomString(8,
DefaultEncoder.CHAR_ALPHANUMERICS);
return csrfToken;
}
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
doGet(request, response);
}
}
为什么在servlet里面取不到在jsp里面的设置session的csrftoken属性值呢? |
|
 |
没有人帮忙解答下吗?
|
 39分 |
个人觉得session不是在servlet里面要set一下 然后在 jsp端get吗 你只有取 有没有setattribute
|
|
应该可以捕获到的….你查看是否session是空的值…
|
CodeBye 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权 , 转载请注明session的问题!
