I'm working on a project using Spring Security 4.x and JSF 2.2 with Facelets. I just noticed that Spring Security in this version has the protection against Cross-Site Request Forgery (using request tokens) enabled by default; the thing is that you have to put the tag <sec:csrfMetaTags> in many pages (if not, Spring denies the request), and the spring-faces lib is at 2.4.1, which doesn't have these tags for Facelets (XHTML).
I tried to find an implementation in order to get my project working with these frameworks, but I couldn't find any. Do you know of any adaptation?
In my case, I adapted just the part I needed (at this point); if there are no public adaptations, I'd be glad to put it into an open-source project and try to adapt the whole library.
Thanks.
UPDATE
I created a blog post explaining my solution: http://halexv.blogspot.mx/2015/07/spring-security-4x-csrf-protection-for.html
Spring Security has its own taglib which provides basic support for accessing security information and applying security constraints in JSPs. In Spring MVC applications using JSP, these tags are used to secure the view layer of the application.
There is also the Spring Faces security taglib for JSF, which you can find at this link:
http://docs.spring.io/spring-webflow/docs/current/reference/html/spring-faces.html#spring-faces-security-taglib
I believe you already know this. But your actual question is about the CSRF token which you have to add to all your pages. Specifically, this can be achieved by adding the token automatically to your forms, as below.
Create a util class and add a token generator:
import java.util.UUID;
import javax.servlet.http.HttpSession;

public final class CSRFTokenManager {
    // Attribute/parameter names are not given in the original; these values are assumed.
    static final String CSRF_TOKEN_FOR_SESSION_ATTR_NAME = "CSRFTokenManager.tokenval";
    static final String CSRF_PARAM_NAME = "CSRFToken";

    private CSRFTokenManager() {}

    // Returns the session's token, minting it on first use; synchronized on the session
    // so two concurrent requests in the same session cannot create different tokens.
    static String getTokenForSession(HttpSession session) {
        String token = null;
        synchronized (session) {
            token = (String) session.getAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME);
            if (null == token) {
                token = UUID.randomUUID().toString();
                session.setAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME, token);
            }
        }
        return token;
    }
}
Implement RequestDataValueProcessor:
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

public class CSRFRequestDataValueProcessor implements RequestDataValueProcessor {
    // ... (the interface's other methods, processAction, processFormFieldValue and
    // processUrl, are omitted in the original; pass-through implementations suffice)

    // Called by Spring's <form:form> tag while rendering; every entry of the returned
    // map is emitted as a hidden input, so each form carries the session's CSRF token.
    @Override
    public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
        Map<String, String> hiddenFields = new HashMap<String, String>();
        hiddenFields.put(CSRFTokenManager.CSRF_PARAM_NAME,
                CSRFTokenManager.getTokenForSession(request.getSession()));
        return hiddenFields;
    }
}
Then define the bean
<bean name="requestDataValueProcessor" class="com...CSRFRequestDataValueProcessor"/>
Credit/Reference: http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html
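A JSF-side adaptation, added here as an example and not code from the question, the answer or the linked blog posts. With Spring Security 4.x the CsrfFilter already generates the token and exposes it to the view as a request attribute (keyed by the CsrfToken class name and, by default, also under the parameter name _csrf), so nothing has to be minted by hand; what a Facelets page lacks is a way to get that token into every h:form under the exact parameter name the filter checks. The listener below hooks PostAddToViewEvent for HtmlForm and appends a plain hidden input carrying the token. The package, class and component id names are my own choices, and it assumes the Spring Security filter chain is mapped in front of the FacesServlet so the attribute is present when the view is built.

```java
package com.example.csrf; // hypothetical package name

import javax.faces.component.html.HtmlForm;
import javax.faces.component.html.HtmlOutputText;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.SystemEvent;
import javax.faces.event.SystemEventListener;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.util.HtmlUtils;

/**
 * Appends Spring Security's CSRF token to every <h:form> as a plain
 * <input type="hidden" name="_csrf" value="..."/> so that CsrfFilter accepts
 * the form's POST. Registered for PostAddToViewEvent on HtmlForm (see the
 * faces-config.xml snippet at the bottom). Example code, not part of Spring or JSF.
 */
public class CsrfFormListener implements SystemEventListener {

    /** Component id of the injected field (hypothetical name); makes the listener idempotent. */
    static final String FIELD_ID = "springCsrfToken";

    @Override
    public boolean isListenerForSource(Object source) {
        return source instanceof HtmlForm;
    }

    @Override
    public void processEvent(SystemEvent event) throws AbortProcessingException {
        HtmlForm form = (HtmlForm) event.getSource();
        FacesContext ctx = FacesContext.getCurrentInstance();

        // CsrfFilter publishes the current token as a request attribute keyed by the
        // CsrfToken class name (and again under the parameter name, "_csrf" by default).
        CsrfToken token = (CsrfToken) ctx.getExternalContext().getRequestMap()
                .get(CsrfToken.class.getName());
        if (token == null) {
            // No token means CsrfFilter did not run for this request (CSRF disabled or the
            // security filter chain not mapped to this URL); there is nothing to inject.
            return;
        }
        if (form.findComponent(FIELD_ID) != null) {
            return; // already injected (the view is rebuilt on every postback)
        }

        // Emit raw HTML rather than an <h:inputHidden>: JSF would prefix the latter's name
        // with the form's client id, and CsrfFilter looks for exactly token.getParameterName().
        HtmlOutputText field = new HtmlOutputText();
        field.setId(FIELD_ID);
        field.setEscape(false);
        field.setValue(buildHiddenInput(token.getParameterName(), token.getToken()));
        form.getChildren().add(field);
    }

    /** Builds the hidden input markup with both attribute values HTML-escaped. */
    static String buildHiddenInput(String name, String value) {
        return "<input type=\"hidden\" name=\"" + HtmlUtils.htmlEscape(name)
                + "\" value=\"" + HtmlUtils.htmlEscape(value) + "\"/>";
    }
}

/*
 * faces-config.xml registration for the listener above:
 *
 * <application>
 *   <system-event-listener>
 *     <system-event-listener-class>com.example.csrf.CsrfFormListener</system-event-listener-class>
 *     <system-event-class>javax.faces.event.PostAddToViewEvent</system-event-class>
 *     <source-class>javax.faces.component.html.HtmlForm</source-class>
 *   </system-event-listener>
 * </application>
 */
```

The hidden field is an ordinary form input, so it is posted with the form and CsrfFilter, which is unchanged, compares it against the session token and rejects a mismatch or a missing token with 403 (safe methods such as GET are not checked). The per-page alternative that needs no Java is to write `<input type="hidden" name="#{_csrf.parameterName}" value="#{_csrf.token}"/>` inside each h:form, which resolves through the same request attribute; that is exactly the repetition the question wants to avoid.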