Login/Register
Struts2 token interceptor: CSRF protection
Asked Answered
Solved javajavascriptjspstruts2csrf-protection
S

1

8

I am trying to protect my web application from CSRF attacks by using struts token interceptor.

The problem I am facing right now is our JSP pages makes more than one call to server (While JSP is converted to JS a struts token is added to JS.But in this JS there are multiple Ajax request. I hope I am making myself clear.), because of token interceptor only first request to the server is getting validated. Other requests are getting invalidated because struts token is reset after each validation.

Is there a way I stop Struts from resetting the token every time it validates? IS there any other solutions to handle this in struts interceptor.

I am also looking at tomcatcsrfprotection module, I guess I will end up with same problem here also.

managepage.jsp:

<s:token />
<script type="text/javascript">
var strutsToken = "<s:property value="#session['struts.tokens.token']" />";
var requestParams = {mainAction: 'loadGroups','struts.token.name': 'token' , token:strutsToken};

Ext.Ajax.request({
              url: 'manageUserAccount.action',
              params: Ext.urlEncode(requestParams),
              disableCaching: true,
              success: this.actionCallback
              });



//loading widgets

var requestParams = {mainAction: 'loadusers','struts.token.name': 'token' , token:strutsToken};

Ext.Ajax.request({
              url: 'manageUserAccount.action',
              params: Ext.urlEncode(requestParams),
              disableCaching: true,
              success: this.actionCallback
              });

</script>

Struts.xml:

  <action name="manageUserAccountEdit" class="ManageUserAccountEditAction">
     <interceptor-ref name="csrf-protection" /> 
     <result name="success">/pages/manageUserAccount.jsp</result>
 </action>

I have just added minimum code so that understanding it will be easier.

Subsidy answered 7/5, 2014 at 10:20 Comment(11)
What do you mean jsp pages makes more than one call to server ?Highflier
I need to make multiple ajax request using the same token in the client page.Subsidy
While jsp is converted to js a struts token is added to js. In this js there are multiple Ajax request. I hope I am making myself clear.Subsidy
You need to make each ajax request with a new token.Highflier
Yes you are right, but I will have only one token rt. Is there a way I can get the new token in the same js page ?Subsidy
See my answer to this question: https://mcmap.net/q/1471174/-unable-to-implement-struts-2-token-interceptor-with-hyperlink/1700321.Highflier
But this is not js :), one solution is coming to my mind and probably I had answered before is to use a parameter token.Facia
@AleksandrM : The solution mentioned in the link, includes how to use token with hyperlink. my request is little different from that. Thanks :)Subsidy
Can you show a sample code ?Cyanogen
@RomanC : can you please elaborate your solution. ThanksSubsidy
JS or not JS what difference it makes? Build url with S2 tags and use it in ajax call.Highflier
F
5

You can use the code in my answer for Unable to implement Struts 2 token interceptor with hyperlink to create an action that returns a token. You can use any of the results stream or json or dispatcher to return a token as a Ajax success callback result. You can find an example in the issue returning JSON value. Now you can use the token to make your Ajax requests. Each time you need to make a new request you should call a token action to get a new token. Use the token as a parameter to your request and put the token interceptor in front of your actions.

Facia answered 7/5, 2014 at 12:41 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.