[OWASP-ESAPI] ESAPI : CSRF with struts

Sukhmeet Sethi (India) Sukhmeet.Sethi at sdgc.com
Fri Mar 27 04:18:40 EDT 2009

Thanks for the quick response. I will implement this and let you know.
-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, March 27, 2009 12:50 PM
To: Sukhmeet Sethi (India); owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts
I feel you only want CSRF tokens when user actions change the state of
data. So what I do is :

1) After sucessful login, I generate a CSRF token and stick it in
session for that user (I think unique per-request CSRF tokens is
2) Whenever I build a form that necessitates CSRF protection, I stick in
a CSRF hidden variable in it.  <html:hidden property="csrf" />
    2a) My Stuts form objects all descend from a parent that
automatically populates the CSRF token if it exists in the form (see
below) so all I need to do is drop in the csrf hidden variable.
    2a) I then add verifyCSRFToken() to the top of actions that need to
enforce CSRF protection.
3) If I want to add CSRF protection to a GET parameter, then I'm being
lazy. Whenever you see GETS needing CSRF protection, you are designing
wrong - you should move those to posts. But, I break this rule - so I
just manually stick a CSRF token to my gets that necessitate CSRF
protection (when building these URL in JSP's or the like) and add the
verify function to those actions. Pretty simple.
public class ParentActionForm extends ActionForm {
String csrf;
public String getCsrf() {
return csrf;
public void setCsrf(String csrf) {
this.csrf = csrf;
public void reset(ActionMapping mapping,
javax.servlet.http.HttpServletRequest request) {

- Jim
----- Original Message ----- 
From: Sukhmeet Sethi (India) 
To: owasp-esapi at lists.owasp.org 
Sent: Thursday, March 26, 2009 9:02 PM
Subject: [OWASP-ESAPI] ESAPI : CSRF with struts

Hi there,
I am trying to implement ESAPI - CSRF security in Struts web application
but wonder, how can I include CSRF token with each action.
As per documentation, I can add CSRF token to any URL using following
String url = ESAPI.httpUtilities().addCSRFToken( "/example/action?t=1"
But what if I want to include token to all my action URL's as in struts,
the desired URL is generated through struts-config's action mapping.
Kindly let me know if there's way out or if there's any example

OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090327/f648c734/attachment.html 

More information about the OWASP-ESAPI mailing list