
Add CSRF protection

rwinch authored and rstoyanchev committed Jan 6, 2014
1 parent 5bb425e commit 361adc124c05a8187b84f25e8a57550bb7d9f8e4
@@ -10,6 +10,7 @@
<properties>
<java-version>1.7</java-version>
<org.springframework-version>4.0.0.RELEASE</org.springframework-version>
+ <org.springframework.security-version>3.2.0.RELEASE</org.springframework.security-version>
<org.aspectj-version>1.7.4</org.aspectj-version>
<org.slf4j-version>1.6.1</org.slf4j-version>
</properties>
@@ -151,6 +152,13 @@
<artifactId>commons-io</artifactId>
<version>2.0.1</version>
</dependency>
+
+ <!-- Security (used for CSRF protection only) -->
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-web</artifactId>
+ <version>${org.springframework.security-version}</version>
+ </dependency>
<!-- Test -->
<dependency>
@@ -4,5 +4,20 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<!-- Root Context: defines shared resources visible to all other web components -->
-
+
+ <!--
+ CSRF protection. Here we only include the CsrfFilter instead of all of Spring Security.
+ See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf for more information on
+ Spring Security's CSRF protection
+ -->
+ <bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
+ <constructor-arg>
+ <bean class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
+ </constructor-arg>
+ </bean>
+ <!--
+ Provides automatic CSRF token inclusion when using Spring MVC Form tags or Thymeleaf. See
+ http://localhost:8080/#forms and form.jsp for examples
+ -->
+ <bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"/>
</beans>
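Review bot: The CsrfFilter bean on line 41 is given only the token repository, so a request that fails the check falls through to the filter's default access-denied handling (presumably a bare 403 error response with no JSON body); since this showcase has AJAX/JSON endpoints, the bean comment should say so, e.g. `Rejected requests get the filter's default access-denied handling (403); no custom AccessDeniedHandler is configured.` The comment on line 48 also points readers to `http://localhost:8080/#forms`, a developer-local URL that will not resolve elsewhere; suggest `See the /#forms page and form.jsp for examples` instead.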
@@ -14,7 +14,12 @@
<p>
See the <code>org.springframework.samples.mvc.fileupload</code> package for the @Controller code
</p>
- <form id="fileuploadForm" action="fileupload" method="POST" enctype="multipart/form-data" class="cleanform">
+ <!--
+ File Uploads must include CSRF in the URL.
+ See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-multipart
+ -->
+ <c:url var="actionUrl" value="fileupload?${_csrf.parameterName}=${_csrf.token}"/>
+ <form id="fileuploadForm" action="${actionUrl}" method="POST" enctype="multipart/form-data" class="cleanform">
<div class="header">
<h2>Form</h2>
<c:if test="${not empty message}">
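Review bot: Line 61 puts the CSRF token into the query string of the form action, which exposes it to server and proxy access logs, browser history, and the Referer header of any navigation away from the upload result page; the linked multipart section describes this trade-off, and the comment on lines 57–60 should state it, e.g. `Token in the URL is visible in logs, history and Referer headers; the alternative is registering a MultipartFilter ahead of csrfFilter so the token can be read from the multipart body.` Separately, `<c:url value="…">` does not URL-encode the interpolated token value; using `<c:param>` applies encoding regardless of which token repository is in use: `<c:url var="actionUrl" value="fileupload"><c:param name="${_csrf.parameterName}" value="${_csrf.token}"/></c:url>`.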
@@ -5,6 +5,13 @@
<title>spring-mvc-showcase</title>
<link href="<c:url value="/resources/form.css" />" rel="stylesheet" type="text/css" />
<link href="<c:url value="/resources/jqueryui/1.8/themes/base/jquery.ui.all.css" />" rel="stylesheet" type="text/css"/>
+
+ <!--
+ Used for including CSRF token in JSON requests
+ Also see bottom of this file for adding CSRF token to JQuery AJAX requests
+ -->
+ <meta name="_csrf" content="${_csrf.token}"/>
+ <meta name="_csrf_header" content="${_csrf.headerName}"/>
</head>
<body>
<h1><a href="<c:url value="/" />">spring-mvc-showcase</a></h1>
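Review bot: Lines 75–76 emit `${_csrf.token}` and `${_csrf.headerName}` into attribute values without HTML escaping; with HttpSessionCsrfTokenRepository the values are UUID-style and harmless, but swapping in a different token repository would turn this into an injection point, so either write them as `<c:out value="${_csrf.token}"/>` or record the assumption in the comment on lines 71–74. If the page is ever rendered on a request the CsrfFilter did not process, both `content` attributes render empty and the AJAX code at the bottom of this file then sends an empty header; a sentence such as `Both values come from the _csrf request attribute set by csrfFilter, so that filter must be mapped to this request.` would make the dependency explicit.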
@@ -627,6 +634,14 @@ $(document).ready(function() {
return false;
});
+ // Include CSRF token as header in JQuery AJAX requests
+ // See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-include-csrf-token-ajax
+ var token = $("meta[name='_csrf']").attr("content");
+ var header = $("meta[name='_csrf_header']").attr("content");
+ $(document).ajaxSend(function(e, xhr, options) {
+ xhr.setRequestHeader(header, token);
+ });
+
});
</script>
</body>
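Review bot: The ajaxSend handler on lines 87–89 attaches the CSRF header to every jQuery AJAX request, including cross-origin ones, so any third-party endpoint the page calls would receive the session's token; jQuery exposes `options.crossDomain` for exactly this case. When the meta tags are absent, `header` is undefined and `setRequestHeader` would throw from inside every request, so the guard should cover both: `if (header && token && !options.crossDomain) { xhr.setRequestHeader(header, token); }`. The enclosing `$(document).ready` callback starts outside the hunk.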
@@ -13,6 +13,16 @@
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
+
+ <filter>
+ <filter-name>csrfFilter</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>csrfFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<!-- Processes application requests -->
<servlet>
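Review bot: The filter-mapping on lines 104–107 declares no `<dispatcher>` elements, so it applies to REQUEST dispatches only; that is the servlet default and usually the intent, but it is worth stating in a comment because FORWARD and ASYNC dispatches are not re-checked. The registration also depends on the filter-name `csrfFilter` matching a bean of that name in the root application context, which nothing here documents; suggest adding before line 99: `<!-- DelegatingFilterProxy resolves the "csrfFilter" bean from the root context (root-context.xml); REQUEST dispatch only -->`. Ordering relative to any other filter-mappings in this file cannot be judged from the hunk; if a multipart or encoding filter exists, its position relative to csrfFilter determines whether the token can be read from a multipart body.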
