csrf filter 부분 proxy 대응
This commit is contained in:
@@ -446,6 +446,9 @@ WebContent/
|
|||||||
-Dlogback.configurationFile=classpath:logback-dev.xml
|
-Dlogback.configurationFile=classpath:logback-dev.xml
|
||||||
-Dhibernate.dialect=org.hibernate.dialect.Oracle12cDialect
|
-Dhibernate.dialect=org.hibernate.dialect.Oracle12cDialect
|
||||||
-Dkjb_safedb.mode=fake
|
-Dkjb_safedb.mode=fake
|
||||||
|
|
||||||
|
|
||||||
|
-Dlogback.configurationFile="C:\eactive\workspaces\kjb-eapim\eapim-admin\src\main\resources\logback-rinjae.xml"
|
||||||
```
|
```
|
||||||
|
|
||||||
### 데이터베이스 지원
|
### 데이터베이스 지원
|
||||||
|
|||||||
@@ -12,55 +12,77 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
|
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
|
||||||
public class CrossScriptingFilter implements Filter {
|
public class CrossScriptingFilter implements Filter {
|
||||||
|
|
||||||
private static final Log logger = LogFactory.getLog(CrossScriptingFilter.class);
|
private static final Log logger = LogFactory.getLog(CrossScriptingFilter.class);
|
||||||
|
|
||||||
public void init(FilterConfig filterConfig) throws ServletException {
|
public void init(FilterConfig filterConfig) throws ServletException {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void destroy() {
|
public void destroy() {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private String getBaseUrl(HttpServletRequest request) {
|
/**
|
||||||
String uri = request.getRequestURL().toString();
|
* 프록시 환경을 고려하여 baseUrl을 구합니다.
|
||||||
String servletPath = request.getServletPath();
|
* X-Forwarded-Proto, X-Forwarded-Host 헤더가 있으면 우선 사용합니다.
|
||||||
String baseUrl = uri.replace(servletPath, "");
|
*/
|
||||||
return baseUrl;
|
private String getBaseUrl(HttpServletRequest request) {
|
||||||
}
|
String forwardedProto = request.getHeader("X-Forwarded-Proto");
|
||||||
|
String forwardedHost = request.getHeader("X-Forwarded-Host");
|
||||||
private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) {
|
|
||||||
String uri = request.getRequestURL().toString();
|
if (forwardedProto != null && forwardedHost != null) {
|
||||||
String servletPath = request.getServletPath();
|
// 프록시 환경: X-Forwarded 헤더 사용
|
||||||
String baseUrl = uri.replace(servletPath, "");
|
String baseUrl = forwardedProto + "://" + forwardedHost;
|
||||||
|
// :443 포트 제거 (https 기본 포트)
|
||||||
|
baseUrl = baseUrl.replace(":443", "");
|
||||||
|
return baseUrl;
|
||||||
|
}
|
||||||
|
|
||||||
|
// 직접 접속: 기존 로직
|
||||||
|
String uri = request.getRequestURL().toString();
|
||||||
|
String servletPath = request.getServletPath();
|
||||||
|
String baseUrl = uri.replace(servletPath, "");
|
||||||
|
return baseUrl;
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean checkReturnUrl(HttpServletRequest request, String returnUrl) {
|
||||||
|
String baseUrl = getBaseUrl(request);
|
||||||
// 25.11.10 - weblogic https://host:443/ 문제 대응
|
// 25.11.10 - weblogic https://host:443/ 문제 대응
|
||||||
baseUrl = baseUrl.replace(":443", "");
|
baseUrl = baseUrl.replace(":443", "");
|
||||||
return returnUrl.startsWith(baseUrl);
|
|
||||||
}
|
if (logger.isDebugEnabled()) {
|
||||||
|
logger.debug("checkReturnUrl - baseUrl: " + baseUrl + ", returnUrl: " + returnUrl);
|
||||||
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
|
}
|
||||||
throws IOException, ServletException {
|
|
||||||
HttpServletRequest request = (HttpServletRequest) req;
|
return returnUrl.startsWith(baseUrl);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
|
||||||
|
throws IOException, ServletException {
|
||||||
|
HttpServletRequest request = (HttpServletRequest) req;
|
||||||
HttpServletResponse response = (HttpServletResponse) res;
|
HttpServletResponse response = (HttpServletResponse) res;
|
||||||
|
|
||||||
String returnUrl = (String)request.getParameter("returnUrl");
|
String returnUrl = (String) request.getParameter("returnUrl");
|
||||||
if(returnUrl != null) {
|
if (returnUrl != null) {
|
||||||
if(!checkReturnUrl(request, returnUrl)) {
|
if (!checkReturnUrl(request, returnUrl)) {
|
||||||
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - "+returnUrl);
|
logger.warn("returnUrl validation failed - baseUrl: " + getBaseUrl(request)
|
||||||
return;
|
+ ", returnUrl: " + returnUrl
|
||||||
}
|
+ ", X-Forwarded-Proto: " + request.getHeader("X-Forwarded-Proto")
|
||||||
}
|
+ ", X-Forwarded-Host: " + request.getHeader("X-Forwarded-Host"));
|
||||||
|
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad request. - " + returnUrl);
|
||||||
// Web Cache Deception
|
return;
|
||||||
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
|
}
|
||||||
response.setHeader("Pragma", "no-cache");
|
}
|
||||||
response.setDateHeader("Expires", 0);
|
|
||||||
|
// Web Cache Deception
|
||||||
chain.doFilter(new RequestWrapper(request), response);
|
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
|
||||||
|
response.setHeader("Pragma", "no-cache");
|
||||||
|
response.setDateHeader("Expires", 0);
|
||||||
|
|
||||||
|
chain.doFilter(new RequestWrapper(request), response);
|
||||||
//
|
//
|
||||||
// if(servletPath.startsWith("/onl/admin/common")) {
|
// if(servletPath.startsWith("/onl/admin/common")) {
|
||||||
// System.out.println("RequestWrapper called");
|
// System.out.println("RequestWrapper called");
|
||||||
@@ -69,6 +91,6 @@ public class CrossScriptingFilter implements Filter {
|
|||||||
// else {
|
// else {
|
||||||
// chain.doFilter(request, response);
|
// chain.doFilter(request, response);
|
||||||
// }
|
// }
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -19,10 +19,10 @@ public class EntityServiceLoggingAspect {
|
|||||||
|
|
||||||
@Before("executionEntityServicePointcut()")
|
@Before("executionEntityServicePointcut()")
|
||||||
public void entityService(JoinPoint joinPoint) {
|
public void entityService(JoinPoint joinPoint) {
|
||||||
Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType());
|
// Logger logger = LoggerFactory.getLogger(joinPoint.getSignature().getDeclaringType());
|
||||||
if (logger.isDebugEnabled()) {
|
// if (logger.isDebugEnabled()) {
|
||||||
logger.debug("{}", joinPoint.getSignature().toShortString());
|
// logger.debug("{}", joinPoint.getSignature().toShortString());
|
||||||
}
|
// }
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user