Cross-site request forgery prevention using struts token

Niraj Sonawane picture Niraj Sonawane · Nov 29, 2010 · Viewed 21k times · Source

I want to implement Cross-site request forgery prevention for my web application which is base on struts 1.x framework. I know that struts 2 framework provide token interceptor for this and I can implement similar functionality using filters.

I am bit confuse about few thinks 1 ) how I can generate unique token with straightforward way ? (can I use Action class token for this purpose which is use for avoiding duplicate form submission)

Are there any issue in using struts 1.x framework token mechanism for CSRF Prevention

Answer

Joseph Erickson picture Joseph Erickson · Mar 17, 2011

The Struts 1 Action token methods work like the Struts 2 token interceptor in that it will add a token to your session and check it on form submission, but it is a much more manual process. The basic workflow is:

  1. The user gets to the form through a Struts Action (not directly to the JSP). The Struts Action will call saveToken(request) before forwarding onto the JSP that contains the form.
  2. The form on the JSP must use the <html:form> tag.
  3. Your Action that the form submits to will first call isTokenValid(request, true), and you should redirect back to the first Action with an error message if it returns false. This also resets the token for the next request.

Doing this will not only prevent duplicate form submissions but any script will have to hit the first Struts Action and get a session before it can submit to the second Struts Action to submit the form. Since a site can't set a session for another site, this should prevent CSRF.

If you usually send users directly to your JSP, don't. Instead, create a new class inheriting from ActionForward and set this as it's execute() method:

public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)  throws Exception {
    saveToken(request);
    return super.execute(mapping, form, request, response);
}