18
votes

At the moment I am searching for a possibility to include CSRF tokens in Spring MVC and Spring Security forms. What is the easiest solution that covers both (Spring Security + Spring MVC) servlets and allows rendering and evaluating CSRF tokens?

I'm surprised that this basic mechanism is not available in the Spring stack (which I consider basic for every web application framework).

PS: I have looked at HDIV but can't find a solution to use it with Spring Security as well. (e.g. login form gets rendered by Spring MVC and login request gets handled by Spring Security)

3
You are right, Spring does not have that support. But what is the question? - Ralph
Ok. A question mark had been missing. I'm sorry. Is there a library that covers both Spring Security + Spring MVC with CSRF protection? Or is it enough to cover Spring MVC since CSRF is only harmful while the user is authenticated? - denis

3 Answers

23
votes

Spring 3.1 introduced a new interface named RequestDataValueProcessor. Using this interface you can easily (and automatically - without any changes to your JSP or controllers!) register CSRF tokens to HTTP forms. You can see a detailed example here; it also refers to the sample code on GitHub (so you can just take it from there and use it in your application).

8
votes

UPDATE (January 2014): Spring Security 3.2 contains a CSRF-Token implementation.


For Spring Security <= 3.1:

Because CSRF has nothing to do with Spring Security (Authentication & Authorization), both can be implemented separately from each other.

There are some CSRF implementations that are based on Filters. For example there is one shipped with Tomcat 7, and Tomcat 6.0.something.

When I tried to use them (in summer 2011) I did not have the feeling that they work well. So I implemented my own.

EDIT (April 2012): My implementation works with Spring 3.0. If you are using Spring 3.1, then have a look at Eyal Lupu's answer and his blog; it uses some Spring 3.1 features so the filter handling is easier.

I have not made it public up to now (no time). But you will. You can download it (this is the first time I use 4shared.com, I hope it works):

The drawback of my implementation is that you need to add the token explicitly to every form that submits POST, DELETE, PUT.

JSP(x):

xmlns:crsf="http://www.humanfork.de/tags/de/humanfork/security/crsf"
...
<form ...>
   <crsf:hiddenCrsfNonce/>
   ....
</form>

web.xml

<filter>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <filter-class>de.humanfork.security.crsf.IdempotentCsrfPreventionFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
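The two answers describe the two halves of a synchronizer-token scheme: the first (RequestDataValueProcessor) covers rendering the token into every Spring MVC form, the second (a servlet Filter) covers verifying it on state-changing requests. The following is an added example of both halves in one file; it is my own code, not Eyal Lupu's GitHub sample nor Ralph's 4shared download, and the package, class, attribute, parameter and header names are assumptions. It assumes Spring 3.1 (the RequestDataValueProcessor method signatures shown are the 3.1 ones; Spring 4 adds an httpMethod parameter to processAction) and the javax.servlet API.

```java
package example.csrf;  // hypothetical package; all names in this file are assumptions, not the answers' code

import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.support.RequestDataValueProcessor;

/** One public class per file; the two nested classes are what gets registered in Spring and web.xml. */
public final class CsrfExample {

    static final String SESSION_KEY = "example.csrf.token";  // hypothetical session attribute name
    static final String PARAM_NAME = "_csrf";                 // hypothetical hidden field / parameter name
    static final String HEADER_NAME = "X-CSRF-TOKEN";         // hypothetical header name for AJAX callers
    private static final SecureRandom RNG = new SecureRandom();
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Returns the session's token, minting a 256-bit random one (hex encoded) on first use. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                StringBuilder hex = new StringBuilder(64);
                for (byte b : raw) {
                    hex.append(String.format("%02x", b & 0xff));
                }
                token = hex.toString();
                session.setAttribute(SESSION_KEY, token);
            }
            return token;
        }
    }

    /** Constant-time comparison: a plain equals() would leak how many leading bytes matched. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(UTF8), presented.getBytes(UTF8));
    }

    /**
     * Render side. Spring MVC's form tags look up the bean named "requestDataValueProcessor"
     * in the DispatcherServlet context and emit whatever getExtraHiddenFields returns as
     * hidden inputs, so existing JSPs and controllers need no change.
     */
    public static final class CsrfTokenProcessor implements RequestDataValueProcessor {
        public String processAction(HttpServletRequest request, String action) { return action; }
        public String processFormFieldValue(HttpServletRequest request, String name, String value, String type) {
            return value;
        }
        public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
            // getSession() may create the session: the token must exist before the first POST (e.g. login)
            return Collections.singletonMap(PARAM_NAME, tokenFor(request.getSession()));
        }
        public String processUrl(HttpServletRequest request, String url) { return url; }
    }

    /**
     * Verify side. Only state-changing methods are checked; GET/HEAD/OPTIONS pass through,
     * which is exactly why handlers must never change state on a GET.
     */
    public static final class CsrfVerifyFilter implements Filter {
        private static final Set<String> STATE_CHANGING =
                new HashSet<String>(Arrays.asList("POST", "PUT", "DELETE", "PATCH"));

        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            if (STATE_CHANGING.contains(request.getMethod().toUpperCase())) {
                HttpSession session = request.getSession(false);  // never create a session while verifying
                String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
                String presented = request.getParameter(PARAM_NAME);
                if (presented == null) {
                    presented = request.getHeader(HEADER_NAME);    // AJAX callers send the token as a header
                }
                if (!tokenMatches(expected, presented)) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                    return;
                }
            }
            chain.doFilter(req, res);
        }
    }
}
```

Wiring: declare `CsrfTokenProcessor` as a bean named `requestDataValueProcessor` in the DispatcherServlet's context, and map `example.csrf.CsrfExample$CsrfVerifyFilter` to `/*` in web.xml before `springSecurityFilterChain`, so the login POST that Spring Security handles is verified too. Three caveats worth knowing: the Spring 3.1 `getExtraHiddenFields` cannot see the form method, so the token is also emitted into GET forms and ends up in query strings and Referer headers (Spring Security 3.2's own processor avoids this by checking the method in `processAction`); `request.getParameter` does not see fields of a `multipart/form-data` body until a multipart resolver has run, so such uploads must send the header instead; and the token survives login only with Spring Security's default `migrateSession` session-fixation mode, which copies session attributes, not with `newSession`.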

7
votes

With Spring Security 3.2.0.RC1 comes a CSRF protection functionality. There is also a solution for AJAX requests included.

See http://www.springsource.org/node/22675 and http://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/