csrf filter 부분 proxy 대응

This commit is contained in:
Rinjae
2025-11-26 11:00:46 +09:00
parent 1b1d6c9c2e
commit bf8f3443f7
3 changed files with 75 additions and 50 deletions
+3
View File
@@ -446,6 +446,9 @@ WebContent/
-Dlogback.configurationFile=classpath:logback-dev.xml -Dlogback.configurationFile=classpath:logback-dev.xml
-Dhibernate.dialect=org.hibernate.dialect.Oracle12cDialect -Dhibernate.dialect=org.hibernate.dialect.Oracle12cDialect
-Dkjb_safedb.mode=fake -Dkjb_safedb.mode=fake
-Dlogback.configurationFile="C:\eactive\workspaces\kjb-eapim\eapim-admin\src\main\resources\logback-rinjae.xml"
``` ```
### 데이터베이스 지원 ### 데이터베이스 지원
@@ -12,55 +12,77 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
public class CrossScriptingFilter implements Filter { public class CrossScriptingFilter implements Filter {
private static final Log logger = LogFactory.getLog(CrossScriptingFilter.class); private static final Log logger = LogFactory.getLog(CrossScriptingFilter.class);
public void init(FilterConfig filterConfig) throws ServletException { public void init(FilterConfig filterConfig) throws ServletException {
} }
public void destroy() { public void destroy() {
} }
private String getBaseUrl(HttpServletRequest request) { /**
String uri = request.getRequestURL().toString(); * 프록시 환경을 고려하여 baseUrl을 구합니다.
String servletPath = request.getServletPath(); * X-Forwarded-Proto, X-Forwarded-Host 헤더가 있으면 우선 사용합니다.
String baseUrl = uri.replace(servletPath, ""); */
return baseUrl; private String getBaseUrl(HttpServletRequest request) {
} String forwardedProto = request.getHeader("X-Forwarded-Proto");
String forwardedHost = request.getHeader("X-Forwarded-Host");
private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) {
String uri = request.getRequestURL().toString(); if (forwardedProto != null && forwardedHost != null) {
String servletPath = request.getServletPath(); // 프록시 환경: X-Forwarded 헤더 사용
String baseUrl = uri.replace(servletPath, ""); String baseUrl = forwardedProto + "://" + forwardedHost;
// :443 포트 제거 (https 기본 포트)
baseUrl = baseUrl.replace(":443", "");
return baseUrl;
}
// 직접 접속: 기존 로직
String uri = request.getRequestURL().toString();
String servletPath = request.getServletPath();
String baseUrl = uri.replace(servletPath, "");
return baseUrl;
}
private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) {
String baseUrl = getBaseUrl(request);
// 25.11.10 - weblogic https://host:443/ 문제 대응 // 25.11.10 - weblogic https://host:443/ 문제 대응
baseUrl = baseUrl.replace(":443", ""); baseUrl = baseUrl.replace(":443", "");
return returnUrl.startsWith(baseUrl);
} if (logger.isDebugEnabled()) {
logger.debug("checkReturnUrl - baseUrl: " + baseUrl + ", returnUrl: " + returnUrl);
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) }
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req; return returnUrl.startsWith(baseUrl);
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res; HttpServletResponse response = (HttpServletResponse) res;
String returnUrl = (String)request.getParameter("returnUrl"); String returnUrl = (String) request.getParameter("returnUrl");
if(returnUrl != null) { if (returnUrl != null) {
if(!checkReturnUrl(request, returnUrl)) { if (!checkReturnUrl(request, returnUrl)) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - "+returnUrl); logger.warn("returnUrl validation failed - baseUrl: " + getBaseUrl(request)
return; + ", returnUrl: " + returnUrl
} + ", X-Forwarded-Proto: " + request.getHeader("X-Forwarded-Proto")
} + ", X-Forwarded-Host: " + request.getHeader("X-Forwarded-Host"));
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - " + returnUrl);
// Web Cache Deception return;
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); }
response.setHeader("Pragma", "no-cache"); }
response.setDateHeader("Expires", 0);
// Web Cache Deception
chain.doFilter(new RequestWrapper(request), response); response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);
chain.doFilter(new RequestWrapper(request), response);
// //
// if(servletPath.startsWith("/onl/admin/common")) { // if(servletPath.startsWith("/onl/admin/common")) {
// System.out.println("RequestWrapper called"); // System.out.println("RequestWrapper called");
@@ -69,6 +91,6 @@ public class CrossScriptingFilter implements Filter {
// else { // else {
// chain.doFilter(request, response); // chain.doFilter(request, response);
// } // }
} }
} }
@@ -19,10 +19,10 @@ public class EntityServiceLoggingAspect {
@Before("executionEntityServicePointcut()") @Before("executionEntityServicePointcut()")
public void entityService(JoinPoint joinPoint) { public void entityService(JoinPoint joinPoint) {
Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType()); // Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType());
if (logger.isDebugEnabled()) { // if (logger.isDebugEnabled()) {
logger.debug("{}", joinPoint.getSignature().toShortString()); // logger.debug("{}", joinPoint.getSignature().toShortString());
} // }
} }
} }