csrf filter 부분 proxy 대응
This commit is contained in:
@@ -446,6 +446,9 @@ WebContent/
|
||||
-Dlogback.configurationFile=classpath:logback-dev.xml
|
||||
-Dhibernate.dialect=org.hibernate.dialect.Oracle12cDialect
|
||||
-Dkjb_safedb.mode=fake
|
||||
|
||||
|
||||
-Dlogback.configurationFile="C:\eactive\workspaces\kjb-eapim\eapim-admin\src\main\resources\logback-rinjae.xml"
|
||||
```
|
||||
|
||||
### 데이터베이스 지원
|
||||
|
||||
@@ -12,55 +12,77 @@ import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
|
||||
|
||||
public class CrossScriptingFilter implements Filter {
|
||||
|
||||
|
||||
private static final Log logger = LogFactory.getLog(CrossScriptingFilter.class);
|
||||
|
||||
public void init(FilterConfig filterConfig) throws ServletException {
|
||||
|
||||
}
|
||||
|
||||
public void destroy() {
|
||||
|
||||
}
|
||||
|
||||
private String getBaseUrl(HttpServletRequest request) {
|
||||
String uri = request.getRequestURL().toString();
|
||||
String servletPath = request.getServletPath();
|
||||
String baseUrl = uri.replace(servletPath, "");
|
||||
return baseUrl;
|
||||
}
|
||||
|
||||
private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) {
|
||||
String uri = request.getRequestURL().toString();
|
||||
String servletPath = request.getServletPath();
|
||||
String baseUrl = uri.replace(servletPath, "");
|
||||
|
||||
public void init(FilterConfig filterConfig) throws ServletException {
|
||||
|
||||
}
|
||||
|
||||
public void destroy() {
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* 프록시 환경을 고려하여 baseUrl을 구합니다.
|
||||
* X-Forwarded-Proto, X-Forwarded-Host 헤더가 있으면 우선 사용합니다.
|
||||
*/
|
||||
private String getBaseUrl(HttpServletRequest request) {
|
||||
String forwardedProto = request.getHeader("X-Forwarded-Proto");
|
||||
String forwardedHost = request.getHeader("X-Forwarded-Host");
|
||||
|
||||
if (forwardedProto != null && forwardedHost != null) {
|
||||
// 프록시 환경: X-Forwarded 헤더 사용
|
||||
String baseUrl = forwardedProto + "://" + forwardedHost;
|
||||
// :443 포트 제거 (https 기본 포트)
|
||||
baseUrl = baseUrl.replace(":443", "");
|
||||
return baseUrl;
|
||||
}
|
||||
|
||||
// 직접 접속: 기존 로직
|
||||
String uri = request.getRequestURL().toString();
|
||||
String servletPath = request.getServletPath();
|
||||
String baseUrl = uri.replace(servletPath, "");
|
||||
return baseUrl;
|
||||
}
|
||||
|
||||
private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) {
|
||||
String baseUrl = getBaseUrl(request);
|
||||
// 25.11.10 - weblogic https://host:443/ 문제 대응
|
||||
baseUrl = baseUrl.replace(":443", "");
|
||||
return returnUrl.startsWith(baseUrl);
|
||||
}
|
||||
|
||||
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("checkReturnUrl - baseUrl: " + baseUrl + ", returnUrl: " + returnUrl);
|
||||
}
|
||||
|
||||
return returnUrl.startsWith(baseUrl);
|
||||
}
|
||||
|
||||
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
|
||||
String returnUrl = (String)request.getParameter("returnUrl");
|
||||
if(returnUrl != null) {
|
||||
if(!checkReturnUrl(request, returnUrl)) {
|
||||
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - "+returnUrl);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Web Cache Deception
|
||||
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
|
||||
response.setHeader("Pragma", "no-cache");
|
||||
response.setDateHeader("Expires", 0);
|
||||
|
||||
chain.doFilter(new RequestWrapper(request), response);
|
||||
|
||||
String returnUrl = (String) request.getParameter("returnUrl");
|
||||
if (returnUrl != null) {
|
||||
if (!checkReturnUrl(request, returnUrl)) {
|
||||
logger.warn("returnUrl validation failed - baseUrl: " + getBaseUrl(request)
|
||||
+ ", returnUrl: " + returnUrl
|
||||
+ ", X-Forwarded-Proto: " + request.getHeader("X-Forwarded-Proto")
|
||||
+ ", X-Forwarded-Host: " + request.getHeader("X-Forwarded-Host"));
|
||||
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - " + returnUrl);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Web Cache Deception
|
||||
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
|
||||
response.setHeader("Pragma", "no-cache");
|
||||
response.setDateHeader("Expires", 0);
|
||||
|
||||
chain.doFilter(new RequestWrapper(request), response);
|
||||
//
|
||||
// if(servletPath.startsWith("/onl/admin/common")) {
|
||||
// System.out.println("RequestWrapper called");
|
||||
@@ -69,6 +91,6 @@ public class CrossScriptingFilter implements Filter {
|
||||
// else {
|
||||
// chain.doFilter(request, response);
|
||||
// }
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -19,10 +19,10 @@ public class EntityServiceLoggingAspect {
|
||||
|
||||
@Before("executionEntityServicePointcut()")
|
||||
public void entityService(JoinPoint joinPoint) {
|
||||
Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType());
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("{}", joinPoint.getSignature().toShortString());
|
||||
}
|
||||
// Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType());
|
||||
// if (logger.isDebugEnabled()) {
|
||||
// logger.debug("{}", joinPoint.getSignature().toShortString());
|
||||
// }
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user