
SEC-1574: CSRF Protection #1815

Closed
spring-issuemaster opened this issue Sep 14, 2010 · 4 comments

Comments

@spring-issuemaster

commented Sep 14, 2010

Rob Winch (Migrated from SEC-1574) said:

I'd like to propose providing support for CSRF protection through the channel security APIs. In this case the channel is to ensure the request comes from the site. A high level summary would be to create a CsrfTokenManager which can generate new tokens and validate a request. There would be a CsrfChannelProcessor that delegates to the CsrfTokenManager to validate requests that should be protected. If the request was not valid, the CsrfChannelProcessor would delegate to a ChannelEntryPoint. Lastly there would be JSP tag support for placing the CSRF token on the request. The tag would delegate to the CsrfTokenManager to obtain the token and store the token to a variable or write it out as a hidden input.

Luke what are your thoughts on this? I would be glad to implement this functionality, but wanted to make sure that you agree it is something we could/should add. One option is I could place it in a branch so you could evaluate it.

@spring-issuemaster


commented Mar 4, 2011

Donnchadh O Donnabhain said:

See also SPR-6125.

@spring-issuemaster


commented Mar 4, 2011

Rob Winch said:

A few other related issues: SPR-7943, SEC-1509.

@spring-issuemaster


commented Dec 14, 2012

Marten Deinum said:

Wouldn't it be easier implemented with a Filter which does some delegation for validation and retrieving/storing the token? When validation fails an AccessDeniedException could be thrown which could be handled by the ExceptionTranslationFilter.

For retrieval a CsrfTokenRepository could be created. I see 2 out-of-the-box implementations: one session-based and one cookie-based (modelled after the remember-me stuff).

For writing out the hidden field, integration for Spring MVC could be given by implementing a RequestDataValueProcessor which adds a hidden field to the form.
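The two designs discussed in this thread (Rob's token manager that generates and validates tokens, and Marten's filter that delegates to a token repository and throws AccessDeniedException on failure) share the same core: issue a random token per session, expose it to the view, and compare it against what comes back on state-changing requests. The following is an added illustration of that filter-based shape, not code from Spring Security or from either commenter. The `CsrfTokenRepository` interface, `HttpSessionCsrfTokenRepository`, `CsrfFilter`, the `_csrf` parameter name and the `X-CSRF-TOKEN` header name are all assumptions chosen for the example; only `AccessDeniedException` is a real Spring Security class.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.access.AccessDeniedException;

/** Hypothetical repository in the shape Marten describes: load or save the token for a request. */
interface CsrfTokenRepository {
    String loadToken(HttpServletRequest request);
    void saveToken(String token, HttpServletRequest request);
}

/** Session-backed implementation (assumed name): the token lives in HttpSession under a fixed key. */
class HttpSessionCsrfTokenRepository implements CsrfTokenRepository {
    static final String SESSION_KEY = "CSRF_TOKEN"; // constructed key, not a project constant

    public String loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(SESSION_KEY);
    }

    public void saveToken(String token, HttpServletRequest request) {
        request.getSession(true).setAttribute(SESSION_KEY, token);
    }
}

/** Filter that issues a token when none exists and validates it on non-safe HTTP methods. */
class CsrfFilter implements Filter {
    static final String PARAM = "_csrf";          // assumed form field name
    static final String HEADER = "X-CSRF-TOKEN";  // assumed header name for AJAX clients
    private final CsrfTokenRepository repo;
    private final SecureRandom random = new SecureRandom();

    CsrfFilter(CsrfTokenRepository repo) { this.repo = repo; }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String expected = repo.loadToken(request);
        if (expected == null) {
            expected = newToken();
            repo.saveToken(expected, request);
        }
        // Expose the token so a view, tag or RequestDataValueProcessor can render it as a hidden field.
        request.setAttribute(PARAM, expected);

        if (!isSafeMethod(request.getMethod())) {
            String actual = request.getHeader(HEADER);
            if (actual == null) {
                actual = request.getParameter(PARAM);
            }
            if (actual == null || !constantTimeEquals(expected, actual)) {
                // ExceptionTranslationFilter turns this into the configured access-denied handling.
                throw new AccessDeniedException("Invalid CSRF token for " + request.getRequestURI());
            }
        }
        chain.doFilter(req, res);
    }

    /** Safe methods are exempt; the application must not change state on them for this to hold. */
    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method)
            || "OPTIONS".equals(method) || "TRACE".equals(method);
    }

    /** Constant-time comparison so the check does not leak how many leading bytes matched. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** 256 bits from SecureRandom, URL-safe base64 so it can travel in a form field or header. */
    private String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

Two points worth checking in any real implementation of this shape: the filter must be placed after the session is available but before any endpoint that changes state, and the safe-method exemption is only sound if GET handlers are genuinely read-only. A cookie-based repository as Marten suggests would replace `HttpSessionCsrfTokenRepository` without touching the filter, since the comparison logic is the same.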

@spring-issuemaster


commented Dec 14, 2012

Rob Winch said:

Thanks for the feedback Marten. The design I have in mind has certainly changed a bit over the years since I first logged this (in Sept '10). In fact it is fairly close to what you have proposed. Feel free to keep an eye on the JIRA and provide any feedback once I have pushed out the changes for this.
