Tapestry CSRF Protection

Cross-Site-Request-Forgery (CSRF) protection for Apache Tapestry 5.

This project is based on the GSoC 2011 project hosted on Google Code: https://code.google.com/p/gsoc2011-csrf-protection/


This software is licensed under the Apache Software License, Version 2.0, http://www.apache.org/licenses/LICENSE-2.0.txt


  • Protects all component event handlers (event links, forms, etc.) against CSRF
  • Adds a CSRF token to all event links and a hidden field with the CSRF token to all form POSTs
  • Tokens are generated on a per-session basis
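The per-session token scheme listed above, sketched as an added example in plain Java; this is not the module's own code. A `Map` stands in for the HTTP session, and the names `SESSION_KEY`, `PARAM` and the sample URL are assumptions, since the module's real attribute and parameter names are not shown here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SessionCsrfTokenDemo {
    // Hypothetical names, chosen for this example only.
    static final String SESSION_KEY = "csrf.token";
    static final String PARAM = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it on first use (one token per session). */
    static String tokenFor(Map<String, Object> session) {
        return (String) session.computeIfAbsent(SESSION_KEY, k -> {
            byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** Appends the token to an event link URL as a query parameter. */
    static String protectLink(String url, Map<String, Object> session) {
        return url + (url.contains("?") ? "&" : "?") + PARAM + "=" + tokenFor(session);
    }

    /** Hidden field carrying the token in a form POST. */
    static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"" + PARAM + "\" value=\"" + tokenFor(session) + "\"/>";
    }

    /** Constant-time comparison; a missing submitted token or empty session fails closed. */
    static boolean isValid(String submitted, Map<String, Object> session) {
        Object expected = session.get(SESSION_KEY);
        if (submitted == null || !(expected instanceof String)) return false;
        return MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8),
                ((String) expected).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> userSession = new HashMap<>(), otherSession = new HashMap<>();
        String link = protectLink("/mypage.save", userSession);   // constructed sample URL
        String sent = link.substring(link.indexOf('=') + 1);      // token as the browser would send it
        System.out.println(link);
        System.out.println(hiddenField(userSession));
        System.out.println("same session:  " + isValid(sent, userSession));
        System.out.println("other session: " + isValid(sent, otherSession));
        System.out.println("no token:      " + isValid(null, userSession));
    }
}
```

Because the token is bound to the session rather than to a single request, every link and form rendered for that session carries the same value until the session ends.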


Just add this module as a Maven (or Gradle or Ivy) dependency:


If you have pages that should not be checked for a CSRF token, add the annotation @NotCsrfProtected.

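@NotCsrfProtected  // exempts this page from the CSRF token check
public class MyInsecurePage {
    @Component
    private EventLink save;

    @OnEvent(component = "save")
    void save() {
        // this event handler is not protected
    }
}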