Firefox GWT:XSRF:零星缺失X-GWT-Permutation标头
当Firefox GWT:XSRF:零星缺失X-GWT-Permutation标头,firefox,gwt,gwt-rpc,securityexception,Firefox,Gwt,Gwt Rpc,Securityexception,当RemoteServiceServlet时,我的应用程序偶尔会收到GWT引发的XSRF攻击错误。checkPermutationStrongName()未能在HttpServletRequest中找到X-GWT-Permutation HTTP头。发生错误时,日志文件中将显示以下行: WARNING: doUnexpectedFailure was invoked. java.lang.SecurityException: Blocked request without GWT permuta
RemoteServiceServlet时,我的应用程序偶尔会收到GWT引发的XSRF攻击错误。checkPermutationStrongName()
未能在HttpServletRequest
中找到X-GWT-Permutation HTTP头。发生错误时,日志文件中将显示以下行:
WARNING: doUnexpectedFailure was invoked.
java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)
Firefox3.x和4.0在托管模式和Web模式下都遇到过这个问题
我已经运行了Live标头,但确实缺少HTTP标头
应用程序是香草GWT RPC
有什么想法吗
失败标头
http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService
POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Length: 154
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv...
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache
7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|
6808FDC8A4FA3491026441B59E4DB72A|
org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
HTTP/1.1 400 Bad Request
Content-Type: text/plain;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 23 Mar 2011 20:11:04 GMT
Server: Apache-Coyote/1.1
Connection: close
成功标题
http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService
POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-GWT-Permutation: HostedMode
X-GWT-Module-Base: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv...
Content-Length: 154
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache
7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|
41FA1D8B82DBBBC875605A4A29670D99|
org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 48
Date: Wed, 23 Mar 2011 20:15:38 GMT
Server: Apache-Coyote/1.1
我的申请也面临同样的问题。看起来Firefox3.x在XmlHttpRequest对象中设置时没有发送额外的请求头 对此的快速修复方法是在服务器端的RPC实现中使用空实现重写方法checkPermutationStrongName()
@Override
protected void checkPermutationStrongName() throws SecurityException {
return;
}
我认为我们需要向FireFox报告这一问题,以获得适当的修复。根据我的经验,FF偶尔会删除任何以“X-”开头的标题。这一错误在3月30日首次出现在我们的日志中,因此我认为它可能与FF 4.0有关(FF4于22.03发布)。几天前,我们还从GWT2.0.4迁移到了2.1.1。这也可能是一个提示。我们的应用程序在生产环境中经过7个月的严格测试。也许这些信息会对某人有所帮助。我正在寻找在浏览器缓存中检测过时gwt应用程序的方法。当应用程序部署到服务器上时,我检查当前构建生成的排列名称,并将其存储到列表中。检查每个RPC请求是否存在其发送的gwt置换。由于这个错误,我的机制被破坏。在firefox帮助论坛上报告了这个问题。链接:谢谢,我也在这里提交了一个bug:这是每个请求都会发生,还是只是一些请求?这是随机的,还是有规律的?