Add CSRF protection

rwinch authored and rstoyanchev committed Jan 6, 2014
1 parent 5bb425e commit 361adc124c05a8187b84f25e8a57550bb7d9f8e4
@@ -10,6 +10,7 @@
@@ -151,6 +152,13 @@
<!-- Security (used for CSRF protection only) -->
<!-- Test -->
@@ -4,5 +4,20 @@
<!-- Root Context: defines shared resources visible to all other web components -->
CSRF protection. Here we only include the CsrfFilter instead of all of Spring Security.
See for more information on
Spring Security's CSRF protection
<bean id="csrfFilter" class="">
<bean class=""/>
Provides automatic CSRF token inclusion when using Spring MVC Form tags or Thymeleaf. See
http://localhost:8080/#forms and form.jsp for examples
<bean id="requestDataValueProcessor" class=""/>
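Review bot: The comment above the csrfFilter bean says which pieces of Spring Security are included but not how the filter enters the servlet chain or where it runs relative to multipart parsing, and that ordering is what the fileupload change in this same commit is working around by moving the token into the query string. Suggest adding to the comment something like `This bean is registered in the servlet filter chain (see web.xml); it runs before multipart parsing, so multipart forms must carry the token in the URL unless a MultipartFilter is ordered ahead of it.` — the web.xml hunk at L43 shows only its leading comment in this rendering, so the registration itself is inferred rather than visible. The bean `class` attributes on L14, L15 and L18 and the reference link on L12 are blank here, so the concrete token repository and the documentation target cannot be checked; worth confirming the link resolves.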
@@ -14,7 +14,12 @@
See the <code>org.springframework.samples.mvc.fileupload</code> package for the @Controller code
<form id="fileuploadForm" action="fileupload" method="POST" enctype="multipart/form-data" class="cleanform">
File Uploads must include CSRF in the URL.
<c:url var="actionUrl" value="fileupload?${_csrf.parameterName}=${_csrf.token}"/>
<form id="fileuploadForm" action="${actionUrl}" method="POST" enctype="multipart/form-data" class="cleanform">
<div class="header">
<c:if test="${not empty message}">
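Review bot: Putting the CSRF token into the action URL (L23–L24) exposes it in places a POST body never reaches: the Referer header of anything the response loads or links to, browser history, and proxy or access logs. The comment `File Uploads must include CSRF in the URL.` should say why (the multipart body is not readable when the CSRF filter runs ahead of multipart parsing) and that this leak is an accepted trade-off for the sample, the alternative being a MultipartFilter ordered before the CSRF filter so the token can travel as a hidden field. Separately, `<c:url value="fileupload?${_csrf.parameterName}=${_csrf.token}"/>` does not URL-encode the interpolated values; `<c:url var="actionUrl" value="fileupload"><c:param name="${_csrf.parameterName}" value="${_csrf.token}"/></c:url>` does.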
@@ -5,6 +5,13 @@
<link href="<c:url value="/resources/form.css" />" rel="stylesheet" type="text/css" />
<link href="<c:url value="/resources/jqueryui/1.8/themes/base/jquery.ui.all.css" />" rel="stylesheet" type="text/css"/>
Used for including CSRF token in JSON requests
Also see bottom of this file for adding CSRF token to JQuery AJAX requests
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<h1><a href="<c:url value="/" />">spring-mvc-showcase</a></h1>
@@ -627,6 +634,14 @@ $(document).ready(function() {
return false;
// Include CSRF token as header in JQuery AJAX requests
// See
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
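Review bot: The ajaxSend hook (L41–L42) attaches the CSRF header to every jQuery request, cross-origin ones included, so the session's token is sent to any third-party host the page happens to call through $.ajax; the header should be set only for same-origin requests, e.g. `if (!options.crossDomain) { xhr.setRequestHeader(header, token); }`. Limiting it further to state-changing methods (options.type other than GET/HEAD/OPTIONS) would also keep the token out of requests that do not need it. The `// See` comment on L38 has lost its URL in this rendering; confirm it points at the Spring Security CSRF reference, and note that `token` and `header` depend on the meta tags added at L32–L33 being present in the same page. The enclosing `$(document).ready` callback starts before this hunk and the ajaxSend callback closes after it.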
@@ -13,6 +13,16 @@
<!-- Processes application requests -->

