Creating a CSRF protection with Spring 3.x--reference
reference from:http://info.michael-simons.eu/2012/01/11/creating-a-csrf-protection-with-spring-3-1/
Creating a CSRF protection with Spring 3.1
Note: This tutorial is for Spring Security 3.1, an updated version that uses the build-in CSRF protection of Spring Security 3.2 can be found here
CSRF Attacks still seems to be a problem, a pity that there is no standard solution in the Spring 3.1 framework. Although not probably, i wanted to protect my projects by malicious crafted links.
I didn’t want to use an extra library but something which is already available in the Spring framework. Here is what i come up with:
I choose the token protection mechanism for my implementation.
The core of my solution is the CSRFToken Service:
public interface CSRFTokenService { |
import java.security.SecureRandom; |
“getTokenFromSession” is called right after a user logs in, so that the token gets stored into his session.
As you can see in the implementation of “acceptsTokenIn”, the token is only needed and verified when the principal is not null, meaning when a user is authenticated.
The interface contains some constants: The name of the token in forms and requests and the name of the attribute under which the token is stored in the session. The token itself is just a base64 of some random bytes.
I only want the token to be checked in writing methods: METHODS_TO_CHECK, meaning only in put, delete and posts requests. My applications don’t change state based on get requests.
So where to check for the token? I use a pretty simple Spring “HandlerInterceptor”:
package de.dailyfratze.controller; |
This interceptor stops the chain if the request method should be checked and the token is not acceptable by sending a HTTP forbidden error. The additional response header is used by Ajax calls to present a dialog that the session is invalidated.
How to get the token into forms? I wanted to be able to change the token name in only one place so i came up with the following custom tag:
import java.io.IOException; |
with the corresponding mapping:
<?xml version="1.0" encoding="UTF-8" ?> |
I can use this tag in forms like so:
<form method="post" action="foobar"> |
Or for generating url parameters for example for ajax calls like so:
<c:url value="/foobar"> |
So if a token is invalid, the user is either redirect to an error page if it is a normal post, ajax calls through jQuery can be handled like so:
function isInvalidCSRFToken = function(xhr) { |
The code snippets are all taken from a running project. If you want to use them, use them. The package names are missing and must be added. Also the JavaScript code isn’t complete.
Feel free to comment, if you have suggestions, remarks or anything else. Also, if you can use this, i’d be happy to hear from you.
---------------------------------------------------------------------------------------------------------------------------------------------------------
CSRF PROTECTION WITH SPRING SECURITY REVISITED
reference from:http://info.michael-simons.eu/2014/01/29/csrf-protection-with-spring-security-revisited/
At the end of last year, Spring Security 3.2 was released and brought a lot of new features, among them a built-in “Cross Site Request Forgery” protection”.
Nearly two years earlier i wrote my CSRF protection implementation with Spring Security 3.1, have a look here.
I really like the built-in implementation and most of it is very similar to my solution. The main difference is that the protection is at security filter level and not at application level like mine was. Also they use a token class for encapsulating the tokens name and value.
My solution can be very easily adapted to Spring Security 3.2.
First of all, configure it with the onliner
<csrf /> |
or use the new annotation based configuration method.
Then throw away everything from my solution except the CSRFTokenTag. Edit the later one to contain the following code:
import java.io.IOException; |
The guys at Spring have a nice suggestions for including the token for AJAX/Jsons request. The new filter also validates request headers. The recommend adding the header name and token value to the pages meta information like so
<meta name="_csrf" content="${_csrf.token}"/> |
and then manually add the header to each JavaScript request made with jQuery.
An alternative for jQuery users would be the following pre filter:
$.ajaxPrefilter(function(options, originalOptions, jqXHR) { |
I’m happy to be able to get rid of some code of mine, though the solution worked quite well for 2 years now.
Creating a CSRF protection with Spring 3.x--reference的更多相关文章
- How to resolve CSRF protection error while adding service through Ambari api
Short Description: This article will describe on how to disable CSRF protection in Ambari. Article A ...
- HTML form without CSRF protection,HTML表单没有CSRF保护
HTML form without CSRF protection =HTML表单没有CSRF保护 CSRF是伪造客户端请求的一种攻击,CSRF的英文全称是Cross Site Request For ...
- springMVC常见错误-解决org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.spring
笔者参考文档: https://blog.csdn.net/sinat_24928447/article/details/47807105 可能错误原因即解决方法: 1.配置文件错误 a)这是配置文件 ...
- spring mybatis circular reference
摘要: Error creating bean with name 'XXX': Requested bean is currently in creation: Is there an unreso ...
- Spring Boot Admin Reference Guide
1. What is Spring Boot Admin? Spring Boot Admin is a simple application to manage and monitor your S ...
- Spring错误——Spring 注解——factory-bean reference points back to the same bean definition
背景:学习Spring,在使用注解@Bean的name属性配置<bean>实例时,不能注册实例成功 报错 WARNING: Exception encountered during con ...
- 【Spring实战】----开篇(包含系列目录链接)
[Spring实战]----开篇(包含系列目录链接) 置顶2016年11月10日 11:12:56 阅读数:3617 终于还是要对Spring进行解剖,接下来Spring实战篇系列会以应用了Sprin ...
- Cross Site Request Forgery (CSRF)--spring security -转
http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html 13. Cross ...
- Spring Security Oauth2 : Possible CSRF detected
Spring Security Oauth2 : Possible CSRF detected 使用Spring Security 作为 Oauth2 授权服务器时,在授权服务器登录授权后,重定向到客 ...
随机推荐
- HDU ACM 2121 Ice_cream’s world II (无根最小树形图)
[解题思路]这题先看了NotOnlySuccess的解题思路,即设置虚根再处理的做法:弄了一个上午,再次有种赶脚的感觉~~如果需要找出为什么需要去比所有权值之和更大的数为新增的虚边的话,一开始我理解仅 ...
- vim编辑十六进制文件
首先用二进制方式打开 vim file -b 之后输入 :%!xxd 还原为二进制文件 :%!xxd -r
- 移动前端工作的那些事---前端制作篇之meta标签篇
移动端前端制作有些地方不同于互联网,这篇主要讨论的是meta标签.meta标签位于head标签之间.是主要辅助HTML结构层的.meta标签不管在互联网前端还是在移动端都起了很重要的作用.这里只讨论移 ...
- nyoj117 求逆序数
求逆序数 时间限制:2000 ms | 内存限制:65535 KB 难度:5 描述 在一个排列中,如果一对数的前后位置与大小顺序相反,即前面的数大于后面的数,那么它们就称为一个逆序.一个排列中 ...
- 使用JAP(基类)父类注解
-----------------基类------------------------------- /** * @className:com.jubangit.ebusiness.database. ...
- EASYUI DATAGRID 多列复选框CheckBox
主要实现: 用的 easyui 1.3.2 实现多个复选框列,各列互不影响.能够实现全选.主要部门用红色标记了的. easyui datagrid 初始化: <script> functi ...
- 设置文字在div中垂直居中,使用line-height
(从已经死了一次又一次终于挂掉的百度空间人工抢救出来的,发表日期2014-02-19) line-height 行间距 详细使用方法:http://www.w3school.com.cn/css/pr ...
- 解决IE6不支持position:fixed属性
最近在优化网站浮动广告时候遇见了IE6不支持position:fixed属性.上网收集了一下解决方案 比较好的方案就是利用css表达式进行解决 补充:CSS Expression (CSS 表达式), ...
- Android 获取控件相对于屏幕位置
// View宽,高 public int[] getLocation(View v) { int[] loc = new int[4]; int[] location = new int[2]; v ...
- Shared File System Master Slave 全配置以及测试
在本机完成2个broker的共享文件测试 2个broker的完整配置文件如下 <!-- Licensed to the Apache Software Foundation (ASF) ...