From bf8f3443f7e4dee48a2373769d3c2fa41c36113a Mon Sep 17 00:00:00 2001 From: Rinjae Date: Wed, 26 Nov 2025 11:00:46 +0900 Subject: [PATCH] =?UTF-8?q?csrf=20filter=20=EB=B6=80=EB=B6=84=20proxy=20?= =?UTF-8?q?=EB=8C=80=EC=9D=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- readme.md | 3 + .../common/filter/CrossScriptingFilter.java | 114 +++++++++++------- .../logging/EntityServiceLoggingAspect.java | 8 +- 3 files changed, 75 insertions(+), 50 deletions(-) diff --git a/readme.md b/readme.md index 33c7371..4ae8ccb 100644 --- a/readme.md +++ b/readme.md @@ -446,6 +446,9 @@ WebContent/ -Dlogback.configurationFile=classpath:logback-dev.xml -Dhibernate.dialect=org.hibernate.dialect.Oracle12cDialect -Dkjb_safedb.mode=fake + + +-Dlogback.configurationFile="C:\eactive\workspaces\kjb-eapim\eapim-admin\src\main\resources\logback-rinjae.xml" ``` ### 데이터베이스 지원 diff --git a/src/main/java/com/eactive/eai/rms/common/filter/CrossScriptingFilter.java b/src/main/java/com/eactive/eai/rms/common/filter/CrossScriptingFilter.java index c01f2cb..498cc45 100644 --- a/src/main/java/com/eactive/eai/rms/common/filter/CrossScriptingFilter.java +++ b/src/main/java/com/eactive/eai/rms/common/filter/CrossScriptingFilter.java @@ -12,55 +12,77 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; - - + public class CrossScriptingFilter implements Filter { - + private static final Log logger = LogFactory.getLog(CrossScriptingFilter.class); - - public void init(FilterConfig filterConfig) throws ServletException { - - } - - public void destroy() { - - } - - private String getBaseUrl(HttpServletRequest request) { - String uri = request.getRequestURL().toString(); - String servletPath = request.getServletPath(); - String baseUrl = uri.replace(servletPath, ""); - return baseUrl; - } - - private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) { - String uri = request.getRequestURL().toString(); - String servletPath = request.getServletPath(); - String baseUrl = uri.replace(servletPath, ""); + + public void init(FilterConfig filterConfig) throws ServletException { + + } + + public void destroy() { + + } + + /** + * 프록시 환경을 고려하여 baseUrl을 구합니다. + * X-Forwarded-Proto, X-Forwarded-Host 헤더가 있으면 우선 사용합니다. + */ + private String getBaseUrl(HttpServletRequest request) { + String forwardedProto = request.getHeader("X-Forwarded-Proto"); + String forwardedHost = request.getHeader("X-Forwarded-Host"); + + if (forwardedProto != null && forwardedHost != null) { + // 프록시 환경: X-Forwarded 헤더 사용 + String baseUrl = forwardedProto + "://" + forwardedHost; + // :443 포트 제거 (https 기본 포트) + baseUrl = baseUrl.replace(":443", ""); + return baseUrl; + } + + // 직접 접속: 기존 로직 + String uri = request.getRequestURL().toString(); + String servletPath = request.getServletPath(); + String baseUrl = uri.replace(servletPath, ""); + return baseUrl; + } + + private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) { + String baseUrl = getBaseUrl(request); // 25.11.10 - weblogic https://host:443/ 문제 대응 baseUrl = baseUrl.replace(":443", ""); - return returnUrl.startsWith(baseUrl); - } - - public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) - throws IOException, ServletException { - HttpServletRequest request = (HttpServletRequest) req; + + if (logger.isDebugEnabled()) { + logger.debug("checkReturnUrl - baseUrl: " + baseUrl + ", returnUrl: " + returnUrl); + } + + return returnUrl.startsWith(baseUrl); + } + + public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) + throws IOException, ServletException { + HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; - - String returnUrl = (String)request.getParameter("returnUrl"); - if(returnUrl != null) { - if(!checkReturnUrl(request, returnUrl)) { - response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - "+returnUrl); - return; - } - } - - // Web Cache Deception - response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); - response.setHeader("Pragma", "no-cache"); - response.setDateHeader("Expires", 0); - - chain.doFilter(new RequestWrapper(request), response); + + String returnUrl = (String) request.getParameter("returnUrl"); + if (returnUrl != null) { + if (!checkReturnUrl(request, returnUrl)) { + logger.warn("returnUrl validation failed - baseUrl: " + getBaseUrl(request) + + ", returnUrl: " + returnUrl + + ", X-Forwarded-Proto: " + request.getHeader("X-Forwarded-Proto") + + ", X-Forwarded-Host: " + request.getHeader("X-Forwarded-Host")); + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - " + returnUrl); + return; + } + } + + // Web Cache Deception + response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); + response.setHeader("Pragma", "no-cache"); + response.setDateHeader("Expires", 0); + + chain.doFilter(new RequestWrapper(request), response); // // if(servletPath.startsWith("/onl/admin/common")) { // System.out.println("RequestWrapper called"); @@ -69,6 +91,6 @@ public class CrossScriptingFilter implements Filter { // else { // chain.doFilter(request, response); // } - } - + } + } diff --git a/src/main/java/com/eactive/eai/rms/common/logging/EntityServiceLoggingAspect.java b/src/main/java/com/eactive/eai/rms/common/logging/EntityServiceLoggingAspect.java index ab5403a..3ee4483 100644 --- a/src/main/java/com/eactive/eai/rms/common/logging/EntityServiceLoggingAspect.java +++ b/src/main/java/com/eactive/eai/rms/common/logging/EntityServiceLoggingAspect.java @@ -19,10 +19,10 @@ public class EntityServiceLoggingAspect { @Before("executionEntityServicePointcut()") public void entityService(JoinPoint joinPoint) { - Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType()); - if (logger.isDebugEnabled()) { - logger.debug("{}", joinPoint.getSignature().toShortString()); - } +// Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType()); +// if (logger.isDebugEnabled()) { +// logger.debug("{}", joinPoint.getSignature().toShortString()); +// } } }