【问题标题】:NPE in CSRFGuardCSRFGuard 中的 NPE
【发布时间】:2019-10-24 20:22:50
【问题描述】:

我想保护我的应用免受 csrf 的影响,所以我添加 owasp.csrf.jar 并按照here 的描述配置我的应用然后我将隐藏字段添加到带有 csrf 令牌标签的表单之一,如下所示:

<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>" />

但是当我的页面呈现时,我在 TokenNameTag.java

中得到 NPE

我错过了什么?

更新

堆栈跟踪:

2013-04-15 10:46:49,985 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/myapp].[jsp]]  Servlet.service() for servlet jsp threw exception
java.lang.NullPointerException
    at org.owasp.csrfguard.tag.TokenNameTag.doStartTag(TokenNameTag.java:45)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_csrf_005ftoken_002dname_005f0(configurationMain_jsp.java:7405)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_html_005fform_005f7(configurationMain_jsp.java:6812)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspx_meth_logic_005fmatch_005f3(configurationMain_jsp.java:6695)
    at org.apache.jsp.struts.config.configurationMain_jsp._jspService(configurationMain_jsp.java:1712)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
    at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1069)
    at org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:662)

【问题讨论】:

  • 请发布完整的堆栈跟踪。
  • 我已经更新了我的问题,但不要认为它可以帮助你
  • 它看起来在您正在使用的库中 - 您是否查看了您链接到的 github 存储库中列出的问题?如果他们没有解决你的问题,我会开一个新的。
  • 过滤器中有一个关于NPE的,但是没有一个关于TokenNameTag的
  • 你能找到解决办法吗?请分享修复。

标签: java csrf owasp


【解决方案1】:

我在第 45 行遇到了与 TokenNameTag.java 类似的问题。这是我的堆栈跟踪

Stacktrace:] with root cause                                                                                                                                                                                
java.lang.NullPointerException
at java.io.Writer.write(Writer.java:157)                                                                                                                                                            
at org.owasp.csrfguard.tag.TokenNameTag.doStartTag(TokenNameTag.java:45)                                                                                                                            
at org.apache.jsp.position_005fdetails_jsp._jspx_meth_csrf_005ftokenname_005f0(position_005fdetails_jsp.java:4768) org.apache.jsp.position_005fdetails_jsp._jspService(position_005fdetails_jsp.java:1255) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)                                                                                                                               at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)`

我的问题是我没有将以下内容复制到web.xml 文件中

<listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
       </listener>
       <listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
       </listener>
       <context-param>
             <param-name>Owasp.CsrfGuard.Config</param-name>
             <param-value>Owasp.CsrfGuard.properties</param-value>
       </context-param>


<servlet> 
     <servlet-name>JavaScriptServlet</servlet-name> 
     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class> 

    </servlet>
    <servlet-mapping>
     <servlet-name>JavaScriptServlet</servlet-name>
     <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>


<filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name> 
        <url-pattern>/*</url-pattern>
    </filter-mapping>

在我这样做之后,它对我有用。

(为了完整起见,我要补充一点,owasp.csrfguard-3.1.0.jar 必须位于 lib 目录中,Owasp.CsrfGuard.properties 必须位于正确的目录中,其中一种可能是应用程序类路径 - 请参阅 @987654321 @)

【讨论】:

    猜你喜欢
    • 2014-04-24
    • 1970-01-01
    • 1970-01-01
    • 2017-04-21
    • 1970-01-01
    • 2015-11-10
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多