Here is my situation:
I have a web application in Eclipse. At the moment it is an AspectJ web application.
I have an aspect in my “src” folder called JSPCSRFTokenInjection.aj that has pointcuts to capture the JspWriter.write method and some other stuff. It looks like so:
package com.aspects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspWriter;
import org.apache.log4j.Logger;
import com.thesis.aop.util.StopWatch;
public aspect JSPCSRFTokenInjection{
Logger logger;
StopWatch watch;
private String currentCSRFToken = null;
//Constuctor for the Aspect. I do some init of loggers and
//such here.
public JSPCSRFTokenInjection(){
//PropertyConfigurator.configure("log4j.properties");
logger = Logger.getLogger("csrfMitigationLogger");
logger.info("CSRF Injection Aspect Created");
watch = new StopWatch();
}
//Capturing the CSRF Token from the request by intercepting the
//_jspService method inside of the JSP
public pointcut csrf_jspServiceIntercept(HttpServletRequest req,
HttpServletResponse resp) :
call(public void _jspService(HttpServletRequest, HttpServletResponse))
&& args(req, resp);
before(HttpServletRequest req, HttpServletResponse resp) :
csrf_jspServiceIntercept(req, resp){
currentCSRFToken = (String) req.getParameter("csrfSalt");
logger.info("Got CSRF Token from request: " + currentCSRFToken);
}
//Pointcut and advice for capturing the writing into a JSP.
public pointcut csrf_captureFormWriting(String msg, JspWriter writer) :
call(public void JspWriter.write(String))
&& args(msg)
&& target(writer)
&& if(msg.toLowerCase().contains("</form>"));
before(String msg, JspWriter writer) : csrf_captureFormWriting(msg, writer){
try{
logger.info("WRITING TO JSP");
writer.write("TEST_CSRF");
writer.write("<input type='hidden' name='csrfSalt' value='" + currentCSRFToken + "'/>");
}
catch(Exception e){
e.printStackTrace();
}
}
}
I also have an aop.xml file in the WebApp/WebContent/META-INF/ directory.
For reference my web.xml file is in WebApp/WebContent/WEB-INF/ directory .
The aop.xml looks like so:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE aspectj PUBLIC "-//AspectJ//DTD//EN" "http://www.eclipse.org/aspectj /dtd/aspectj.dtd">
<aspectj>
<weaver options="-showWeaveInfo -verbose -debug -Xset:weaveJavaPackages=true">
<!-- Weave types that are within the javax.* or org.aspectj.*
packages. Also weave all types in the foo package that do
not have the @NoWeave annotation. -->
<include within="javax.*"/>
<include within="com.*"/>
<include within="org.*"/>
<include within="org.aspectj.*"/>
</weaver>
<aspects>
<!-- declare two existing aspects to the weaver -->
<aspect name="com.aspects.JSPCSRFTokenInjection"/>
<aspect name="com.aspects.MitigateCSRFAspect"/>
<!-- Of the set of aspects declared to the weaver
use aspects matching the type pattern "com..*" for weaving. -->
<include within="com.*"/>
<include within="org.*"/>
<!-- Of the set of aspects declared to the weaver
do not use any aspects with the @CoolAspect annotation for weaving -->
</aspects>
</aspectj>
I am also adding the -javaagent:C:/aspectj1.6/lib/aspectjweaver.jar to my JVM parameters in Tomcat.
If it helps, I am using the SysDeo plugin for tomcat. Also, compile time weaving is working fine on other parts of the application, however, I am unable to weave in any of my aspects affecting JSP’s.
I figured out the problem. I was putting my aop.xml file in the wrong directory. Very stupid on my part.
It is supposed to go in the
directory. However, I was putting it directly under WEB-INF.