Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Struts2 token interceptor: CSRF protection

Tags:

java

javascript

jsp

csrf-protection

struts2

I am trying to protect my web application from CSRF attacks by using struts token interceptor.

The problem I am facing right now is our JSP pages makes more than one call to server (While JSP is converted to JS a struts token is added to JS.But in this JS there are multiple Ajax request. I hope I am making myself clear.), because of token interceptor only first request to the server is getting validated. Other requests are getting invalidated because struts token is reset after each validation.

Is there a way I stop Struts from resetting the token every time it validates? IS there any other solutions to handle this in struts interceptor.

I am also looking at tomcatcsrfprotection module, I guess I will end up with same problem here also.

managepage.jsp:

<s:token />
<script type="text/javascript">
var strutsToken = "<s:property value="#session['struts.tokens.token']" />";
var requestParams = {mainAction: 'loadGroups','struts.token.name': 'token' , token:strutsToken};

Ext.Ajax.request({
              url: 'manageUserAccount.action',
              params: Ext.urlEncode(requestParams),
              disableCaching: true,
              success: this.actionCallback
              });



//loading widgets

var requestParams = {mainAction: 'loadusers','struts.token.name': 'token' , token:strutsToken};

Ext.Ajax.request({
              url: 'manageUserAccount.action',
              params: Ext.urlEncode(requestParams),
              disableCaching: true,
              success: this.actionCallback
              });

</script>

Struts.xml:

  <action name="manageUserAccountEdit" class="ManageUserAccountEditAction">
     <interceptor-ref name="csrf-protection" /> 
     <result name="success">/pages/manageUserAccount.jsp</result>
 </action>

I have just added minimum code so that understanding it will be easier.

like image 694
Mok Avatar asked May 07 '14 10:05

Mok

1 Answers

You can use the code in my answer for Unable to implement Struts 2 token interceptor with hyperlink to create an action that returns a token. You can use any of the results stream or json or dispatcher to return a token as a Ajax success callback result. You can find an example in jQuery Ajax - issue returning JSON value. Now you can use the token to make your Ajax requests. Each time you need to make a new request you should call a token action to get a new token. Use the token as a parameter to your request and put the token interceptor in front of your actions.

like image 77
Roman C Avatar answered Sep 20 '22 13:09

Roman C
Sign in to Comment

Related questions

What is the order of execution in try,catch and finally [duplicate]
Android SIP registration failed (-9 IN_PROGRESS)
Java: Unable to access jarfile when running as an admin
Why does Gradle only include classes from my library with project dependency
Java: how to use dummy node or mark a node as dummy node
JAXB for lists to be returned naturally for JSON or XML
Any supported sound formats for Java on Windows 7?
Cannot delete GAE file
Is there any way to trigger the Maven Appengine Devserver to auto-refresh static files?
Java equivalent of C's poll()?
How to convert a file to base 64 (like .pdf,.txt) in Android?
Creating a recursive iterator
Junit of equals method
automate deployment to sonatype's oss maven repository
What happens when no thread is free in the thread pool and we submit a task to the pool?
Java Memoization of Recursive method
Use decimalformat in slf4j or logback to pad or ident numbers so they align right
List of ALL Spring Boot application properties
Android GCM: different way of handling push depending on whether the app is visible or not
Name based virtual hosting with Spring Boot

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!