[OWASP-ESAPI] ESAPI : CSRF with struts

Jim Manico jim.manico at owasp.org
Fri Mar 27 03:20:13 EDT 2009

I feel you only want CSRF tokens when user actions change the state of data. So what I do is:

1) After successful login, I generate a CSRF token and stick it in session for that user (I think unique per-request CSRF tokens are overkill)
2) Whenever I build a form that necessitates CSRF protection, I stick in a CSRF hidden variable in it: <html:hidden property="csrf" />
    2a) My Struts form objects all descend from a parent that automatically populates the CSRF token if it exists in the form (see below) so all I need to do is drop in the csrf hidden variable.
    2b) I then add verifyCSRFToken() to the top of actions that need to enforce CSRF protection.
3) If I want to add CSRF protection to a GET parameter, then I'm being lazy. Whenever you see GETs needing CSRF protection, you are designing wrong - you should move those to POSTs. But, I break this rule - so I just manually stick a CSRF token to my GETs that necessitate CSRF protection (when building these URLs in JSPs or the like) and add the verify function to those actions. Pretty simple.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;

public class ParentActionForm extends ActionForm {

    // Bound to <html:hidden property="csrf" /> in every protected form.
    String csrf;

    public String getCsrf() {
        return csrf;
    }

    public void setCsrf(String csrf) {
        this.csrf = csrf;
    }

    // Struts calls reset() before binding request parameters to the form.
    // The body of this method did not survive in the archive; what follows is a
    // reconstruction of the behaviour described above (copy the session-scoped
    // token into the field so the hidden tag renders it). The session attribute
    // name "csrf" is an assumption.
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        Object token = (session == null) ? null : session.getAttribute("csrf");
        if (token != null) {
            this.csrf = token.toString();
        }
    }
}

- Jim
----- Original Message ----- 
From: Sukhmeet Sethi (India) 
To: owasp-esapi at lists.owasp.org 
Sent: Thursday, March 26, 2009 9:02 PM
Subject: [OWASP-ESAPI] ESAPI : CSRF with struts

Hi there,
I am trying to implement ESAPI - CSRF security in Struts web application but wonder, how can I include CSRF token with each action.
As per documentation, I can add CSRF token to any URL using following code:
String url = ESAPI.httpUtilities().addCSRFToken( "/example/action?t=1" );
But what if I want to include the token in all my action URLs, as in Struts the desired URL is generated through struts-config's action mapping.
Kindly let me know if there's a way out or if there's any example available.
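The three steps in the reply above (mint one token per login, embed it in forms, verify it at the top of state-changing actions, with the GET case as the exception) as a worked example. This is added example code, not Jim's code and not part of ESAPI or Struts; the class names CsrfGuard and UpdateProfileAction, the "csrf" session attribute and the "success" forward are assumptions. It uses only the Struts 1 Action/ActionForm/ActionMapping types the thread already mentions plus the Servlet API and JDK.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Session-scoped CSRF token helper. CsrfGuard is a hypothetical class written
 * for this example; it is not part of ESAPI or Struts.
 */
public final class CsrfGuard {
    /** Session attribute and request parameter name; assumed to match the form property "csrf". */
    public static final String TOKEN_NAME = "csrf";
    private static final SecureRandom RNG = new SecureRandom();

    private CsrfGuard() {}

    /** Step 1: call once after a successful login. Replaces any earlier token for this session. */
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];                        // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_NAME, token);
        return token;
    }

    /** Token bound to the session, or null if none has been issued (not logged in). */
    public static String currentToken(HttpSession session) {
        Object t = (session == null) ? null : session.getAttribute(TOKEN_NAME);
        return (t instanceof String) ? (String) t : null;
    }

    /** Step 3: append the token to a hand-built URL for the rare GET that changes state. */
    public static String addToken(String url, HttpSession session) {
        String token = currentToken(session);
        if (token == null) {
            return url;
        }
        String encoded;
        try {
            encoded = URLEncoder.encode(token, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);           // UTF-8 is always available
        }
        return url + (url.indexOf('?') < 0 ? "?" : "&") + TOKEN_NAME + "=" + encoded;
    }

    /**
     * Step 2b: the check called at the top of a protected action. Fails closed when
     * there is no session, no issued token or no submitted token, and compares in
     * constant time so the position of a mismatch is not observable through timing.
     */
    public static boolean verify(HttpServletRequest request) {
        String expected = currentToken(request.getSession(false));
        String submitted = request.getParameter(TOKEN_NAME);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }
}

/** A state-changing Struts 1 action guarded as the reply describes (hypothetical action). */
class UpdateProfileAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        if (!CsrfGuard.verify(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return null;                                  // response already committed
        }
        // ... apply the profile change carried by `form` here ...
        return mapping.findForward("success");
    }
}
```

In the JSP the protected form carries `<html:hidden property="csrf" />` exactly as in the reply, and the parent form's reset() copies `CsrfGuard.currentToken(session)` into that property so the tag renders it. Two points worth keeping in mind with this design: the token should be issued only after the session has been created or invalidated at login, so an old session's token does not carry over; and a token appended to a GET URL ends up in Referer headers and access logs, which is one more reason the reply treats that path as an exception rather than the rule.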
