SEC-1574: CSRF Protection #1815
I'd like to propose providing support for CSRF protection through the channel security APIs. In this case the channel is to ensure the request comes from the site. A high-level summary would be to create a CsrfTokenManager which can generate new tokens and validate a request. There would be a CsrfChannelProcessor that delegates to the CsrfTokenManager to validate requests that should be protected. If the request was not valid, the CsrfChannelProcessor would delegate to a ChannelEntryPoint. Lastly there would be JSP tag support for placing the CSRF token on the request. The tag would delegate to the CsrfTokenManager to obtain the token and store the token in a variable or write it out as a hidden input.
Luke what are your thoughts on this? I would be glad to implement this functionality, but wanted to make sure that you agree it is something we could/should add. One option is I could place it in a branch so you could evaluate it.
Marten Deinum said:
Wouldn't it be easier to implement this with a Filter which does some delegation for validation and retrieving/storing the token? When validation fails an AccessDeniedException could be thrown, which could be handled by the ExceptionTranslationFilter.
For retrieval a CsrfTokenRepository could be created. I see 2 out-of-the-box implementations: one session-based and one cookie-based (modelled after the remember-me stuff).
For writing out the hidden field, integration for Spring MVC could be given by implementing a RequestDataValueProcessor which adds a hidden field to the form.
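A minimal sketch of the filter-based design Marten describes above, which also covers the token generation/validation split and the hidden-input rendering from the original proposal. This is an added example, not code from the issue or from Spring Security; the class names, the `_csrf` parameter and `X-CSRF-TOKEN` header names, and the `javax.servlet` package are assumptions. Only `AccessDeniedException` is a real Spring Security type.

```java
// Added example (hypothetical class names): synchronizer-token CSRF protection
// as a servlet Filter backed by a pluggable token repository.
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.*;          // assumption: javax, not jakarta, servlet API
import javax.servlet.http.*;
import org.springframework.security.access.AccessDeniedException;

/** Where the expected token is kept; one implementation per storage strategy. */
interface CsrfTokenRepository {
    String loadToken(HttpServletRequest request);   // null if no token issued yet
    void saveToken(String token, HttpServletRequest request, HttpServletResponse response);
}

/** Session-backed repository: the token is bound to the caller's session. */
class HttpSessionCsrfTokenRepository implements CsrfTokenRepository {
    static final String ATTR = HttpSessionCsrfTokenRepository.class.getName() + ".TOKEN";

    public String loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(ATTR);
    }

    public void saveToken(String token, HttpServletRequest request, HttpServletResponse response) {
        request.getSession(true).setAttribute(ATTR, token);
    }
}

class CsrfFilter implements Filter {
    static final String PARAM = "_csrf";          // hidden form field name (assumption)
    static final String HEADER = "X-CSRF-TOKEN";  // header for AJAX callers (assumption)
    /** Safe methods (RFC 7231 section 4.2.1) must not change state, so they are not checked. */
    static final Set<String> SAFE = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    private final CsrfTokenRepository repo;
    private final SecureRandom random = new SecureRandom();

    CsrfFilter(CsrfTokenRepository repo) { this.repo = repo; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String expected = repo.loadToken(request);
        if (expected == null) {                       // first request: issue a token
            expected = generateToken();
            repo.saveToken(expected, request, response);
        }
        request.setAttribute(PARAM, expected);        // exposed so the view can render it

        if (!SAFE.contains(request.getMethod())) {
            String actual = request.getHeader(HEADER);
            if (actual == null) {
                actual = request.getParameter(PARAM);
            }
            if (!tokensMatch(expected, actual)) {
                // Thrown downstream of ExceptionTranslationFilter, which maps it to 403 handling.
                throw new AccessDeniedException("Invalid CSRF token for " + request.getRequestURI());
            }
        }
        chain.doFilter(request, response);
    }

    /** 256 bits from a CSPRNG, URL-safe base64 so it needs no HTML escaping in the hidden input. */
    String generateToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Constant-time comparison so the token cannot be recovered byte by byte via timing. */
    static boolean tokensMatch(String expected, String actual) {
        if (actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(), actual.getBytes());
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}

/** What a JSP tag or a RequestDataValueProcessor's extra hidden field would emit into each form. */
final class CsrfHiddenField {
    static String render(HttpServletRequest request) {
        String token = (String) request.getAttribute(CsrfFilter.PARAM);
        return "<input type=\"hidden\" name=\"" + CsrfFilter.PARAM + "\" value=\"" + token + "\"/>";
    }
}
```

The filter has to sit after ExceptionTranslationFilter in the chain, since that filter only catches AccessDeniedException raised by filters downstream of it. A cookie-based repository would implement the same CsrfTokenRepository interface by writing the token to a cookie in saveToken and reading it back in loadToken, which is the remember-me-style variant Marten mentions.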
Rob Winch said:
Thanks for the feedback Marten. The design I have in mind has certainly changed a bit over the years since I first logged this (in Sept '10). In fact it is fairly close to what you have proposed. Feel free to keep an eye on the JIRA and provide any feedback once I have pushed out the changes for this.