Warning: file_get_contents(/data/phpspider/zhask/data//catemap/4/jsp/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
避免在同一会话中打开Java web应用程序时进行点击劫持_Java_Jsp_Owasp_Clickjacking - Fatal编程技术网
Fatal编程技术网
  • java/
  • 避免在同一会话中打开Java web应用程序时进行点击劫持

避免在同一会话中打开Java web应用程序时进行点击劫持

java jsp

避免在同一会话中打开Java web应用程序时进行点击劫持,java,jsp,owasp,clickjacking,Java,Jsp,Owasp,Clickjacking,我正在尝试处理JavaWeb应用程序的点击劫持。 我从他那里得到了一个解决办法 我在web.xml <?xml version="1.0" encoding="UTF-8"?> <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

我正在尝试处理JavaWeb应用程序的点击劫持。 我从他那里得到了一个解决办法

我在
web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee                                        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>OWASP ClickjackFilter</display-name>
    <filter>
        <filter-name>ClickjackFilterDeny</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

    <!--  use the Deny version to prevent anyone, including yourself, from framing the page -->
    <filter-mapping>
        <filter-name>ClickjackFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


</web-app>
现在我面临的问题是,只有每次在新会话中打开网页时,此解决方案才有效

如果我尝试在同一会话中设置应用程序的框架,则解决方案将失败。

对于
X-frame-Options
,有三种设置:

  • SAMEORIGIN此设置将允许页面显示在与页面本身位于同一原点的框架中
  • 拒绝此设置将阻止页面在框架或iframe中显示
  • ALLOW-FROM uri此设置将允许页面仅显示在指定的原点上
    • 对于
    mod
    ,您是否尝试过使用
    SAMEORIGIN
    而不是
    DENY

    阅读更多信息

    这方面有什么更新吗? 
    package org.owasp.filters;
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackFilter implements Filter
{

    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        res.addHeader("X-FRAME-OPTIONS", mode );
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if ( configMode != null ) {
            mode = configMode;
        }
    }

}