Add CSRF protection · spring-attic/spring-mvc-showcase@361adc1 (original) (raw)



5 files changed

lines changed


@@ -10,6 +10,7 @@
10 10 <properties>
11 11 <java-version>1.7</java-version>
12 12 <org.springframework-version>4.0.0.RELEASE</org.springframework-version>
13 + <org.springframework.security-version>3.2.0.RELEASE</org.springframework.security-version>
13 14 <org.aspectj-version>1.7.4</org.aspectj-version>
14 15 <org.slf4j-version>1.6.1</org.slf4j-version>
15 16 </properties>
@@ -151,6 +152,13 @@
151 152 <artifactId>commons-io</artifactId>
152 153 <version>2.0.1</version>
153 154 </dependency>
155 +
156 +
157 + <dependency>
158 + <groupId>org.springframework.security</groupId>
159 + <artifactId>spring-security-web</artifactId>
160 + <version>${org.springframework.security-version}</version>
161 + </dependency>
154 162
155 163
156 164 <dependency>
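Review bot: The spring-security-web dependency added at new lines 157–161 is pinned to 3.2.0.RELEASE (property added in the first hunk) while the POM declares Spring 4.0.0.RELEASE, and Spring Security 3.2.0 carries its own spring-* transitives from the 3.2.x line; with Maven's nearest-wins resolution, any Spring module this POM does not list directly could be resolved at the older version, so the tree should be checked (`mvn dependency:tree`) and, if a mismatch shows up, the spring-* artifacts pinned through `<dependencyManagement>`. The two empty lines added at 155–156 plus the existing ones at 162–163 leave four consecutive blank lines between dependencies; one is enough. A short comment above the dependency, such as `<!-- Only spring-security-web is needed: it supplies CsrfFilter for the web.xml filter chain -->`, would explain why the rest of Spring Security is deliberately not imported.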
@@ -4,5 +4,20 @@
4 4 xsi:schemaLocation="http://www.springframework.org/schema/beans " title="undefined" rel="noopener noreferrer">http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"\>
5 5
6 6
7 -
7 +
8 +<!--
9 + CSRF protection. Here we only include the CsrfFilter instead of all of Spring Security.
10 + See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf for more information on
11 + Spring Security's CSRF protection
12 + -->
13 + <bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
14 + <constructor-arg>
15 + <bean class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
16 + </constructor-arg>
17 + </bean>
18 +<!--
19 + Provides automatic CSRF token inclusion when using Spring MVC Form tags or Thymeleaf. See
20 + http://localhost:8080/#forms and form.jsp for examples
21 + -->
22 + <bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"/>
8 23 </beans>
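Review bot: The `csrfFilter` bean at new lines 13–17 is resolved by name through the `DelegatingFilterProxy` declared in web.xml, and that proxy looks in the root `WebApplicationContext` loaded by `ContextLoaderListener` unless its `contextAttribute` init-param says otherwise; this file looks like that root context (its entire body is the `<beans>` root), but if it is the DispatcherServlet's context instead the filter will fail at startup with a missing-bean error. The comment at new lines 8–12 should make the placement a stated requirement, e.g. `Must stay in the root context: web.xml's DelegatingFilterProxy resolves the "csrfFilter" bean by name from there.` The second comment points at `http://localhost:8080/#forms`, a developer-machine URL that is wrong for any other deployment; referring to it relatively (`the #forms section of the showcase home page`) keeps the comment accurate. Naming the second bean exactly `requestDataValueProcessor` is what makes Spring MVC pick it up, which is worth saying in that comment as well.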
@@ -14,7 +14,12 @@
14 14 <p>
15 15 See the <code>org.springframework.samples.mvc.fileupload</code> package for the @Controller code
16 16 </p>
17 - <form id="fileuploadForm" action="fileupload" method="POST" enctype="multipart/form-data" class="cleanform">
17 +<!--
18 + File Uploads must include CSRF in the URL.
19 + See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-multipart
20 + -->
21 + <c:url var="actionUrl" value="fileupload?${_csrf.parameterName}=${_csrf.token}"/>
22 + <form id="fileuploadForm" action="${actionUrl}" method="POST" enctype="multipart/form-data" class="cleanform">
18 23 <div class="header">
19 24 <h2>Form</h2>
20 25 <c:if test="${not empty message}">
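Review bot: The action URL built at new line 21 carries the CSRF token in the query string, so it will show up in server and proxy access logs, browser history and the Referer header of any outbound link on the resulting page; the reference section this comment cites also describes placing `MultipartFilter` ahead of `CsrfFilter` so the token can stay in a form field, and the comment at new lines 17–20 should present that trade-off rather than state that the URL form is required. `<c:url>` does not URL-encode its `value` attribute, so this line is only safe because `HttpSessionCsrfTokenRepository` issues UUID tokens; building the URL as `<c:url var="actionUrl" value="fileupload"><c:param name="${_csrf.parameterName}" value="${_csrf.token}"/></c:url>` encodes both name and value and does not depend on the token format. The form element opened at new line 22 continues outside the hunk.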
@@ -5,6 +5,13 @@
5 5 <title>spring-mvc-showcase</title>
6 6 <link href="<c:url value="/resources/form.css" />" rel="stylesheet" type="text/css" />
7 7 <link href="<c:url value="/resources/jqueryui/1.8/themes/base/jquery.ui.all.css" />" rel="stylesheet" type="text/css"/>
8 +
9 +<!--
10 + Used for including CSRF token in JSON requests
11 + Also see bottom of this file for adding CSRF token to JQuery AJAX requests
12 + -->
13 + <meta name="_csrf" content="${_csrf.token}"/>
14 + <meta name="_csrf_header" content="${_csrf.headerName}"/>
8 15 </head>
9 16 <body>
10 17 <h1><a href="<c:url value="/" />">spring-mvc-showcase</a></h1>
@@ -627,6 +634,14 @@ $(document).ready(function() {
627 634 return false;
628 635 });
629 636
637 + // Include CSRF token as header in JQuery AJAX requests
638 + // See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-include-csrf-token-ajax
639 + var token = $("meta[name='_csrf']").attr("content");
640 + var header = $("meta[name='_csrf_header']").attr("content");
641 + $(document).ajaxSend(function(e, xhr, options) {
642 + xhr.setRequestHeader(header, token);
643 + });
644 +
630 645 });
631 646 </script>
632 647 </body>
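Review bot: The `ajaxSend` handler added in the second hunk (new lines 641–643) attaches the session's CSRF token to every jQuery AJAX request, including any cross-origin one the page might make, which would hand the token to a third-party host; guarding on jQuery's `crossDomain` setting limits it to same-origin calls: `if (!options.crossDomain) { xhr.setRequestHeader(header, token); }`. If the `<meta>` tags added in the first hunk are ever missing, `token` and `header` are `undefined` and the call either throws or sends a meaningless header depending on the jQuery version, so folding `header && token` into the same guard avoids that. The `$(document).ready` function these lines belong to starts outside the hunk.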
@@ -13,6 +13,16 @@
13 13 <listener>
14 14 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
15 15 </listener>
16 +
17 + <filter>
18 + <filter-name>csrfFilter</filter-name>
19 + <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
20 + <async-supported>true</async-supported>
21 + </filter>
22 + <filter-mapping>
23 + <filter-name>csrfFilter</filter-name>
24 + <url-pattern>/*</url-pattern>
25 + </filter-mapping>
16 26
17 27
18 28 <servlet>
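Review bot: The `csrfFilter` mapping at new lines 22–25 is the only filter visible in this hunk, and `CsrfFilter` falls back to `request.getParameter` for the token when the header is absent, which fixes the request's character encoding before any filter mapped after it can set one; if this web.xml also declares a `CharacterEncodingFilter`, its mapping must come before this one, and a comment such as `<!-- CsrfFilter parses request parameters; keep this mapping after any CharacterEncodingFilter mapping -->` above the mapping records that ordering. The mapping has no `<dispatcher>` element, so it applies to REQUEST dispatches only (the servlet default); that is the intended scope for CSRF checks and is worth noting in the same comment so nobody adds FORWARD or ERROR later. The `<filter-name>` `csrfFilter` is also the bean name `DelegatingFilterProxy` looks up in the root context, which the comment should state so the two names are not changed independently.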