3
votes

I know that Spring Security added built-in CSRF protection in version 3.2.0 as stated here: http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html

I am using Grails 2.4.3 with the spring-security-core plugin version 2.0.0 which seems to use Spring Security version 3.2.3, however, the CSRF protection is either not enabled or not present.

I'm wondering if there's a way to turn it on in the plugin that I am missing. Is there a way to use one of the configuration methods mentioned in the link with this plugin? Any help would be appreciated! Thanks.

I know that later versions have this on by default, but upgrading Grails version is not an option for me, and later versions of the spring-security-core plugin require Grails 3.


2 Answers

4
votes

As far as I know, there is no default CSRF protection in any version of Grails spring security plugin. According to the spring security doc

1) You need to be certain that your application is using PATCH, POST, PUT, and/or DELETE for anything that modifies state

2) Include the CSRF token in all PATCH, POST, PUT, and DELETE methods

Grails can generate and check the token for you, just use <g:form useToken="true" ...> for all form submissions. Check it here. But then you have to modify all controllers.

Otherwise you have to use some custom solution, e.g. you can create a service for token generation, call it from gsp:

<g:set var="token" bean="tokenService"/>
<g:form token="${token.getToken()}">

And create a filter, to validate a token from every PATCH, POST, PUT, and DELETE request
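
The custom route sketched in this answer (a token service, a hidden field in the GSP, and a Grails 2 filter that rejects state-changing requests without a valid token), written out as an added example. This is not code from the question, the answer, or the spring-security-core plugin; the class names CsrfTokenService and CsrfFilters, the session attribute name, the form parameter csrfToken and the header X-CSRF-Token are all assumptions chosen for the example. The built-in alternative (<g:form useToken="true"> plus withForm in the controller) is shown in the comments at the top for contrast.

```groovy
// --- Built-in alternative (real Grails 2 API), for comparison -------------
//   GSP:        <g:form useToken="true" action="save"> ... </g:form>
//   Controller: def save() { withForm { /* token ok */ }.invalidToken { response.sendError(403) } }
// Every mutating action needs the withForm wrapper, which is the "modify all
// controllers" cost mentioned above. The filter below avoids that.

// --- grails-app/services/CsrfTokenService.groovy (assumed name) -----------
import java.security.MessageDigest
import java.security.SecureRandom
import javax.servlet.http.HttpSession

class CsrfTokenService {
    static transactional = false
    private static final String KEY = 'CSRF_TOKEN'   // session attribute, assumed name
    private final SecureRandom rng = new SecureRandom()

    // One 256-bit random token per session, created lazily on first render.
    String getToken(HttpSession session) {
        synchronized (session) {
            String token = session.getAttribute(KEY)
            if (!token) {
                byte[] raw = new byte[32]
                rng.nextBytes(raw)
                token = String.format('%064x', new BigInteger(1, raw))
                session.setAttribute(KEY, token)
            }
            return token
        }
    }

    // Constant-time comparison so a wrong token does not leak how many leading
    // bytes matched. A request with no session cannot have a valid token.
    boolean isValid(HttpSession session, String submitted) {
        String expected = session?.getAttribute(KEY)
        if (!expected || !submitted) return false
        MessageDigest.isEqual(expected.getBytes('UTF-8'), submitted.getBytes('UTF-8'))
    }
}

// --- GSP usage (inside any form that changes state) ----------------------
//   <g:set var="csrf" bean="csrfTokenService"/>
//   <g:form action="save">
//     <input type="hidden" name="csrfToken" value="${csrf.getToken(session).encodeAsHTML()}"/>
//     ...
//   </g:form>
// AJAX callers send the same value in the X-CSRF-Token header instead.

// --- grails-app/conf/CsrfFilters.groovy (Grails 2 filter; assumed name) ----
class CsrfFilters {
    def csrfTokenService   // injected by Grails by bean name

    // Only methods that change state are checked; GET/HEAD/OPTIONS must stay
    // free of side effects, which is point (1) in the answer above.
    static final Set<String> MUTATING = ['POST', 'PUT', 'PATCH', 'DELETE'] as Set

    def filters = {
        csrfCheck(controller: '*', action: '*') {
            before = {
                if (!(request.method.toUpperCase() in MUTATING)) {
                    return true
                }
                String submitted = params.csrfToken ?: request.getHeader('X-CSRF-Token')
                // getSession(false) does not create a session for an anonymous
                // attacker-driven request; null session => reject.
                if (!csrfTokenService.isValid(request.getSession(false), submitted)) {
                    response.sendError(403, 'Invalid or missing CSRF token')
                    return false   // stop the request before the action runs
                }
                return true
            }
        }
    }
}
```

The token is bound to the session rather than regenerated per form, so a user with several tabs open does not get spurious 403s; if you need the stricter per-form behaviour, use the built-in useToken/withForm pair instead. Note that the filter only protects routes that actually go through Grails controllers, and that requests which change state via GET remain exposed no matter which approach you pick.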

0
votes

You can refer to https://stackoverflow.com/a/38053797.

I implemented this on grails 2.5.6. Hope this helps!