Wicket + websocket page not refreshing because of a CSRF attack
【Chinese title】Wicket + websocket page not refreshing because of a CSRF attack
【English title】Wicket + websocket page not refreshing because CSRF attack
【Posted】2022-01-03 07:41:20
【Question description】In my application I need to use websockets. I followed this example, so in my Wicket application I have:
import javax.servlet.DispatcherType;

import org.apache.wicket.protocol.http.WicketFilter;
import org.apache.wicket.protocol.ws.javax.JavaxWebSocketFilter;
import org.apache.wicket.protocol.ws.javax.WicketServerEndpointConfig;
import org.apache.wicket.spring.SpringWebApplicationFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;

// Register the websocket-capable Wicket filter for every dispatcher type, with async support.
@Bean
public FilterRegistrationBean wicketFilter() {
    final FilterRegistrationBean wicketFilter = new FilterRegistrationBean();
    wicketFilter.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.FORWARD,
        DispatcherType.ASYNC);
    wicketFilter.setAsyncSupported(true);
    wicketFilter.setFilter(new JavaxWebSocketFilter());
    wicketFilter.addInitParameter(WicketFilter.APP_FACT_PARAM, SpringWebApplicationFactory.class.getName());
    wicketFilter.addInitParameter(WicketFilter.FILTER_MAPPING_PARAM, "/*");
    wicketFilter.addUrlPatterns("/*");
    return wicketFilter;
}

// Endpoint configuration for the JSR-356 (javax.websocket) integration.
@Bean
public WicketServerEndpointConfig wicketServerEndpointConfig() {
    return new WicketServerEndpointConfig();
}
and in the page I add the behavior:
import org.apache.wicket.protocol.ws.api.WebSocketBehavior;
import org.apache.wicket.protocol.ws.api.WebSocketRequestHandler;
import org.apache.wicket.protocol.ws.api.message.ConnectedMessage;
import org.apache.wicket.protocol.ws.api.message.IWebSocketPushMessage;

private void addWebSocketUpdating() {
    add(new WebSocketBehavior() {
        private static final long serialVersionUID = 1L;

        // Remember each connected client so that pushes can be broadcast later.
        @Override
        protected void onConnect(ConnectedMessage message) {
            super.onConnect(message);
            webSocketService.addClient(message);
        }

        // Apply the pushed change to the model and re-render the page.
        @Override
        protected void onPush(WebSocketRequestHandler handler, IWebSocketPushMessage message) {
            super.onPush(handler, message);
            if (message instanceof WSMessage) {
                WSMessage msg = (WSMessage) message;
                if (msg.isAdd()) {
                    model.getObject().getPickupFindingParticipants().add(msg.getParticipant());
                } else if (msg.isDelete()) {
                    model.getObject().getPickupFindingParticipants().remove(msg.getParticipant());
                }
                handler.add(PickupFindPage.this);
            }
        }
    });
}
The add logic:
public void addParticipant(PickupParticipantDto participant) {
    if (null != broadcaster) {
        WSMessage message = new WSMessage(participant);
        message.setAdd(true);
        // Push the change to every connected client of the application.
        broadcaster.broadcastAll(connections.listIterator().next().getApplication(), message);
    } else {
        throw new RuntimeException("WebSockets can not send message");
    }
}
But when the page should refresh, I get warnings in the log:
2021-11-25 00:23:55.635 [Wicket-WebSocket-HttpRequest-Thread-1] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener Possible CSRF attack, request URL: ws://localhost:7002/wicket/websocket?pageId=5&wicket-ajax-baseurl=pickup%2F19%2Ffind%3F5&wicket-app-name=javaxWebSocketFilter, Origin: null, action: allowed
2021-11-25 00:23:55.635 [Wicket-WebSocket-HttpRequest-Thread-1] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener Possible CSRF attack, request URL: ws://localhost:7002/wicket/websocket?pageId=5&wicket-ajax-baseurl=pickup%2F19%2Ffind%3F5&wicket-app-name=javaxWebSocketFilter, Origin: null, action: allowed
2021-11-25 00:23:55.635 [Wicket-WebSocket-HttpRequest-Thread-0] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener Possible CSRF attack, request URL: ws://localhost:7002/wicket/websocket?pageId=7&wicket-ajax-baseurl=pickup%2F19%2Ffind%3F7&wicket-app-name=javaxWebSocketFilter, Origin: null, action: allowed
2021-11-25 00:23:55.635 [Wicket-WebSocket-HttpRequest-Thread-0] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener Possible CSRF attack, request URL: ws://localhost:7002/wicket/websocket?pageId=7&wicket-ajax-baseurl=pickup%2F19%2Ffind%3F7&wicket-app-name=javaxWebSocketFilter, Origin: null, action: allowed
2021-11-25 00:23:55.635 [Wicket-WebSocket-HttpRequest-Thread-1] WARN o.a.wicket.page.PartialPageUpdate Component '[Page class = org.tomass.dota.rattlebot.web.pages.tournament.pickup.PickupFindPage, id = 5, render count = 1]' not rendered because it was already removed from page
2021-11-25 00:23:55.635 [Wicket-WebSocket-HttpRequest-Thread-0] WARN o.a.wicket.page.PartialPageUpdate Component '[Page class = org.tomass.dota.rattlebot.web.pages.tournament.pickup.PickupFindPage, id = 7, render count = 1]' not rendered because it was already removed from page
Any suggestion as to what I am doing wrong?
【Question discussion】:
【Answer 1】: You should use WebSocketAwareCsrfPreventionRequestCycleListener in YourApplication#init() instead of CsrfPreventionRequestCycleListener.
See https://github.com/apache/wicket/blob/3a74b2dc9fd51692faf146f68e215670f994b5ae/wicket-native-websocket/wicket-native-websocket-core/src/main/java/org/apache/wicket/protocol/ws/WebSocketAwareCsrfPreventionRequestCycleListener.java#L24-L31
【Discussion】:
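The change the answer recommends, as an added example that is not part of the original question, the answer, or Wicket's own code: an Application#init() that registers the websocket-aware listener in place of the plain one. The point of the websocket-aware variant is that server-initiated websocket push requests carry no browser Origin header (the "Origin: null" in the question's log) and should not be treated as suspect, while ordinary HTTP requests keep the Origin check. The class name MyApplication and the explicit action settings are assumptions.

```java
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.ws.WebSocketAwareCsrfPreventionRequestCycleListener;

// Hypothetical application class standing in for "YourApplication" in the answer.
public class MyApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();

        // Before: the plain listener is applied to every request, including the
        // websocket push requests the server creates itself. Those have no browser
        // Origin header, which is what produces the "Possible CSRF attack ...
        // Origin: null" lines in the question's log.
        // getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());

        // After: the websocket-aware subclass does not flag websocket push requests
        // and keeps the Origin check for ordinary page requests.
        WebSocketAwareCsrfPreventionRequestCycleListener csrf =
            new WebSocketAwareCsrfPreventionRequestCycleListener();

        // Explicit actions (assumed settings, not taken from the question): a request
        // whose Origin conflicts with the server's host is aborted; a request with no
        // Origin at all is still allowed, matching the "action: allowed" in the log.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);
        csrf.setNoOriginAction(CsrfAction.ALLOW);
        getRequestCycleListeners().add(csrf);
    }
}
```

After this change the "Possible CSRF attack" INFO lines for the websocket threads should disappear; the separate "not rendered because it was already removed from page" warning concerns page instance handling and is not addressed by the listener swap.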