
Add CSRF protection

rwinch authored and rstoyanchev committed Jan 6, 2014
1 parent 5bb425e commit 361adc124c05a8187b84f25e8a57550bb7d9f8e4
@@ -10,6 +10,7 @@
<properties>
<java-version>1.7</java-version>
<org.springframework-version>4.0.0.RELEASE</org.springframework-version>
<org.springframework.security-version>3.2.0.RELEASE</org.springframework.security-version>
<org.aspectj-version>1.7.4</org.aspectj-version>
<org.slf4j-version>1.6.1</org.slf4j-version>
</properties>
@@ -151,6 +152,13 @@
<artifactId>commons-io</artifactId>
<version>2.0.1</version>
</dependency>
<!-- Security (used for CSRF protection only) -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${org.springframework.security-version}</version>
</dependency>
<!-- Test -->
<dependency>
@@ -4,5 +4,20 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<!-- Root Context: defines shared resources visible to all other web components -->
<!--
CSRF protection. Here we only include the CsrfFilter instead of all of Spring Security.
See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf for more information on
Spring Security's CSRF protection
-->
<bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
<constructor-arg>
<bean class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
</constructor-arg>
</bean>
<!--
Provides automatic CSRF token inclusion when using Spring MVC Form tags or Thymeleaf. See
http://localhost:8080/#forms and form.jsp for examples
-->
<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"/>
</beans>
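Review bot: The comment above the `csrfFilter` bean says what is wired but not the scope of the check: CsrfFilter with its default request matcher validates only requests whose method is not GET/HEAD/TRACE/OPTIONS, so this bean only protects handlers that are reachable through POST/PUT/DELETE/PATCH, and a missing or stale token is by default answered with a 403 rather than a redirect. Suggest adding to that comment: `Only non-safe HTTP methods are checked, so state-changing handlers must not be mapped to GET.` The second comment points at `http://localhost:8080/#forms`, a deployment-specific address; referring to the page path and `form.jsp` instead keeps the comment accurate outside local runs.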
@@ -14,7 +14,12 @@
<p>
See the <code>org.springframework.samples.mvc.fileupload</code> package for the @Controller code
</p>
<form id="fileuploadForm" action="fileupload" method="POST" enctype="multipart/form-data" class="cleanform">
<!--
File Uploads must include CSRF in the URL.
See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-multipart
-->
<c:url var="actionUrl" value="fileupload?${_csrf.parameterName}=${_csrf.token}"/>
<form id="fileuploadForm" action="${actionUrl}" method="POST" enctype="multipart/form-data" class="cleanform">
<div class="header">
<h2>Form</h2>
<c:if test="${not empty message}">
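Review bot: Placing the token in the action URL at `<c:url var="actionUrl" value="fileupload?${_csrf.parameterName}=${_csrf.token}"/>` exposes it to places a request body never reaches — browser history, server and proxy access logs, and the Referer header of any page the upload response links to; the reference section linked in the comment describes this trade-off and documents a MultipartFilter placed ahead of the CsrfFilter as the alternative that keeps the token in the body. If the URL form is kept, the comment should state why and name the exposure, e.g. `<!-- Multipart bodies are parsed after CsrfFilter runs, so the token travels in the URL (visible in logs/history); see #csrf-multipart for the MultipartFilter alternative -->`. Note also that `c:url` does not encode its `value`, so `<c:param name="${_csrf.parameterName}" value="${_csrf.token}"/>` is the safer way to append the parameter should the token format ever change. The `<form>` opened in this hunk is closed outside it.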
@@ -5,6 +5,13 @@
<title>spring-mvc-showcase</title>
<link href="<c:url value="/resources/form.css" />" rel="stylesheet" type="text/css" />
<link href="<c:url value="/resources/jqueryui/1.8/themes/base/jquery.ui.all.css" />" rel="stylesheet" type="text/css"/>
<!--
Used for including CSRF token in JSON requests
Also see bottom of this file for adding CSRF token to JQuery AJAX requests
-->
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
</head>
<body>
<h1><a href="<c:url value="/" />">spring-mvc-showcase</a></h1>
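Review bot: The token and header name are emitted into attribute values with bare EL at `<meta name="_csrf" content="${_csrf.token}"/>` and the line below, while every other dynamic attribute in this head goes through a JSTL tag; `content="<c:out value='${_csrf.token}'/>"` would keep the attribute escaped if the token repository (and hence token format) is ever swapped. The comment could also say where the values originate, e.g. `<!-- _csrf is the request attribute populated by CsrfFilter; these meta tags are the only place script can read it -->`, which makes the coupling to the ajaxSend hook at the bottom of the file explicit.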
@@ -627,6 +634,14 @@ $(document).ready(function() {
return false;
});
// Include CSRF token as header in JQuery AJAX requests
// See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-include-csrf-token-ajax
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});
</script>
</body>
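Review bot: The hook at `$(document).ajaxSend(function(e, xhr, options) {` attaches the session's CSRF token to every jQuery request, including cross-origin ones, so any third-party endpoint this page ever calls would receive the token; and if the meta tags render empty (`header` becomes `""`), `setRequestHeader` throws and breaks every AJAX call on the page. A single guard covers both: `if (token && header && !options.crossDomain) { xhr.setRequestHeader(header, token); }`. The enclosing `$(document).ready` handler starts before this hunk.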
@@ -13,6 +13,16 @@
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>csrfFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>csrfFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Processes application requests -->
<servlet>
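Review bot: The new `<filter>` and `<filter-mapping>` carry no comment although the neighbouring entries are annotated (`<!-- Processes application requests -->`), and the binding is implicit — DelegatingFilterProxy resolves a bean whose name equals `<filter-name>` from the root context, so renaming either side silently breaks the setup. Suggest `<!-- CSRF protection: DelegatingFilterProxy delegates to the "csrfFilter" bean in root-context.xml -->` above the `<filter>`. The mapping declares no `<dispatcher>` elements, so the container applies it to REQUEST dispatches only; FORWARD, ERROR and — despite `async-supported` — ASYNC dispatches reach the DispatcherServlet without passing the CsrfFilter, which is worth stating in the comment if it is intentional, or adding `<dispatcher>` entries if it is not.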
