At the moment I am searching for a way to include CSRF tokens in Spring MVC and Spring Security forms. What is the easiest solution that covers both (Spring Security + Spring MVC) servlets and allows rendering and evaluating CSRF tokens?
I'm surprised that this basic mechanism is not available in the Spring stack (I consider it basic for every web application framework).
PS: I have looked at HDIV but can't find a way to use it together with Spring Security (e.g. the login form gets rendered by Spring MVC and the login request gets handled by Spring Security).
3.1 Enabling CSRF Token in Spring Security
…disable() in your Spring Security config class. With the default setup, if you look at the page source, you will see the _csrf parameter added automatically to the form by Spring Security.
To protect MVC applications, Spring adds a CSRF token to each generated view. The token must be submitted with every HTTP request that changes state (POST, PUT, PATCH and DELETE, not GET), and the server rejects state-changing requests that lack it. This defends against CSRF because a page on an attacker's origin cannot read the token: the same-origin policy keeps it from reading our responses, so it can forge the request but not the token. The protection only holds if GET handlers never change state.
Configure CSRF Protection
The next step is to configure Spring Security's CSRF protection within your application. It is enabled by default, but you may need to customize the configuration. Below are a few common customizations.
What is the real-life reason to disable it? The Spring documentation suggests: "Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection." The distinction that matters is whether the client authenticates with a cookie the browser attaches automatically (then CSRF protection is needed) or with a credential it sets explicitly, such as a bearer token in a header (then an attacker's page cannot forge the request).
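As an added illustration (not code from the question or from any of the answers), here is what "customize rather than disable" looks like in a Spring Security 6 Java configuration. The weak, all-or-nothing setting is shown commented out beside the scoped one; the package, class name and the "/api/**" path are assumptions for the example:

```java
package com.example.security; // assumed package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CsrfConfig {

    // WEAK (shown for contrast, do not deploy): switches CSRF protection off for the
    // whole application, including the browser-driven login form and every
    // cookie-authenticated POST/PUT/PATCH/DELETE endpoint.
    //
    // @Bean
    // SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
    //     http.csrf(csrf -> csrf.disable());
    //     return http.build();
    // }

    // BETTER: keep CSRF protection on (the default) for everything a browser may
    // drive and exempt only the path used by non-browser clients. "/api/**" is an
    // assumed path; the exemption is only safe if nothing under it accepts the
    // browser's session cookie as authentication.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            // Login form rendered by Spring MVC at /login, login POST handled by
            // Spring Security's form-login filter; the POST is CSRF-checked too.
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }
}
```

With this configuration Spring's `<form:form>` tag (through Spring Security's CsrfRequestDataValueProcessor) and Thymeleaf's `th:action` add the hidden `_csrf` field on their own; a hand-written HTML form must carry it explicitly as `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`, and a JavaScript client can send the same value in the `X-CSRF-TOKEN` header. An API under the exempted path must authenticate with something the attacker's page cannot attach, such as a bearer token in a header; if it rides on the session cookie, exempting it reopens the hole.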
Spring 3.1 introduced a new interface named RequestDataValueProcessor. Using this interface you can easily (and automatically, without any changes to your JSPs or controllers!) add CSRF tokens to HTTP forms. You can see a detailed example here; it also refers to the sample code on GitHub (so you can just take it from there and use it in your application).
UPDATE (January 2014): Spring Security 3.2 contains a CSRF-Token implementation.
For Spring Security <= 3.1:
Because CSRF has nothing to do with Spring Security (authentication & authorization), both can be implemented separately from each other.
There are some CSRF implementations that are based on filters. For example there is one shipped with Tomcat 7, and Tomcat 6.0.something.
When I tried to use them (in summer 2011) I did not get the feeling that they worked well. So I implemented my own.
EDIT (April 2012): My implementation works with Spring 3.0. If you are using Spring 3.1, then have a look at Eyal Lupu's answer and his blog; it uses some Spring 3.1 features so the filter handling is easier.
I have not made it public up to now (no time). But you will. You can download it (this is the first time I have used 4shared.com, I hope it works):
The drawback of my implementation is that you need to add the token explicitly to every form that submits via POST, DELETE or PUT.
JSP(x):
xmlns:crsf="http://www.humanfork.de/tags/de/humanfork/security/crsf"
...
<form ...>
<crsf:hiddenCrsfNonce/>
....
</form>
web.xml:
<filter>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <filter-class>de.humanfork.security.crsf.IdempotentCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>