How to implement CSRF (Cross-Site Request Forgery) prevention code in Struts2?

I added an interceptor to my struts.xml and to all of the forms to prevent Cross-Site Request Forgery attacks. I am wondering if I should do anything else, such as retrieving the token and matching it with the one submitted along with the forms, in case it is not done automatically.

  <interceptors>
      <interceptor-stack name="defaultSecurityStack">
          <interceptor-ref name="defaultStack"/>
          <interceptor-ref name="tokenSession">
              <param name="excludeMethods">*</param>
          </interceptor-ref>
      </interceptor-stack>
  </interceptors>

 <default-interceptor-ref name="defaultSecurityStack"/>

All forms have

  <s:form ...>
      <s:token/>
      ...
  </s:form>
Jack asked Oct 01 '22 03:10


1 Answer

Firstly, I think you should put the token interceptor as the first interceptor in your stack. That way, when the token does not match, your code is not executed.

Secondly, <param name="excludeMethods">*</param> means you are never using this interceptor.

Lastly, the token interceptor automatically checks the token in the form parameters against the token in the session. If it does not match, it returns the result invalid.token, by which you can alter the flow as follows:

<result name="invalid.token" type="redirect">
    <!-- redirectAction expects an action name, not a JSP; to send the user to a plain JSP, redirect to its location -->
    <param name="location">/wrongToken.jsp</param>
</result>

The following URLs are interesting reading:

  • http://struts.apache.org/release/2.3.x/docs/token-interceptor.html
  • http://struts.apache.org/release/2.3.x/struts2-core/apidocs/org/apache/struts2/interceptor/TokenInterceptor.html
  • http://struts.apache.org/release/2.3.x/struts2-core/apidocs/org/apache/struts2/interceptor/TokenSessionStoreInterceptor.html
tom answered Oct 05 '22 12:10
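As an added example (not the questioner's or the answerer's code, and not taken from the Struts project), here is a complete struts.xml that applies the three points of the answer: the token check runs before the rest of the stack, the check is actually enabled (includeMethods names the state-changing methods instead of excludeMethods="*" disabling everything), and invalid.token is mapped once as a global result. The weak stack from the question is kept alongside for contrast. The package, class, action and JSP names (com.example.TransferAction, showTransfer, saveTransfer, the /WEB-INF/jsp paths) are assumptions made for the example; the interceptor names token and tokenSession are the ones registered in struts-default.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Example configuration; names below are assumptions, not from the original post. -->
    <package name="default" extends="struts-default">

        <interceptors>
            <!-- Weak variant from the question, kept only for contrast (no action uses it):
                 excludeMethods="*" filters out every action method, so the token is never checked. -->
            <interceptor-stack name="unguardedStack">
                <interceptor-ref name="defaultStack"/>
                <interceptor-ref name="tokenSession">
                    <param name="excludeMethods">*</param>
                </interceptor-ref>
            </interceptor-stack>

            <!-- Corrected variant: the token check runs first, so a request with a missing or
                 mismatched token never reaches the rest of the stack or the action code.
                 includeMethods restricts the check to state-changing methods. The method that
                 only renders the form must stay unguarded, otherwise the initial GET, which
                 carries no token yet, would be rejected as well. -->
            <interceptor-stack name="defaultSecurityStack">
                <interceptor-ref name="token">
                    <param name="includeMethods">save,delete</param>
                </interceptor-ref>
                <interceptor-ref name="defaultStack"/>
            </interceptor-stack>
        </interceptors>

        <default-interceptor-ref name="defaultSecurityStack"/>

        <!-- One place to handle the "invalid.token" result for every action in the package. -->
        <global-results>
            <result name="invalid.token">/WEB-INF/jsp/wrongToken.jsp</result>
        </global-results>

        <!-- Renders the form. The JSP contains <s:form> with <s:token/>, which stores a fresh
             token in the session and emits it as a hidden field. "show" is not listed in
             includeMethods, so no token is required to reach it. -->
        <action name="showTransfer" class="com.example.TransferAction" method="show">
            <result name="success">/WEB-INF/jsp/transfer.jsp</result>
        </action>

        <!-- Handles the POST. "save" is listed in includeMethods, so the submitted token must
             match the one in the session; otherwise the global invalid.token result is rendered
             and TransferAction.save() is never called. -->
        <action name="saveTransfer" class="com.example.TransferAction" method="save">
            <result name="success">/WEB-INF/jsp/transferDone.jsp</result>
            <result name="input">/WEB-INF/jsp/transfer.jsp</result>
        </action>

    </package>
</struts>
```

The forms themselves stay as in the question (<s:form> with <s:token/>); the interceptor reads the hidden token field and the struts.token.name parameter the tag emits, so no manual comparison in the action is needed. If a form is re-rendered through the "input" result, <s:token/> issues a new token, so the resubmitted form validates again.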