[OWASP-ESAPI] ESAPI : CSRF with struts

Lucas Ferreira listas at sapao.net
Fri Mar 27 08:10:25 EDT 2009


Hello,

Struts has its own token implementation that can be used through calls to
some methods in the Action class:

   - saveToken(HttpServletRequest req)
   - isTokenValid(HttpServletRequest req)
   - resetToken(HttpServletRequest req)

Maybe looking at the implementation of these methods you can find out how
to integrate ESAPI tokens with Struts. Or maybe using Struts' own tokens is
enough.

Regards,

Lucas

2009/3/27 Sukhmeet Sethi (India) <Sukhmeet.Sethi at sdgc.com>

>  Hi there,
>
>
>
> I am trying to implement ESAPI - CSRF security in a Struts web application
> but wonder how I can include the CSRF token with each action.
>
> As per the documentation, I can add a CSRF token to any URL using the following code:
>
>
>
> String url = ESAPI.httpUtilities().addCSRFToken("/example/action?t=1");
>
>
>
> But what if I want to include the token in all my action URLs, as in Struts
> the desired URL is generated through struts-config's action mapping.
>
> Kindly let me know if there's a way out or if there's any example available.
>
>
>
> Cheers,
>
> Sukhi


-- 
If a tree falls in the forest and no one is around to see it, do the other
trees make fun of it?
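
The three Struts methods named in the reply, wired into a shared base class so that every action checks the token. This is an added example, not part of the original message and not ESAPI or Struts project code. It assumes Struts 1.x; the class name TokenCheckedAction and the method doExecute are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical base class: actions extend this instead of Action and
 * implement doExecute(). State-changing requests are assumed to be POSTs
 * submitted from forms rendered with <html:form>, which writes the saved
 * token into the form as a hidden field.
 */
public abstract class TokenCheckedAction extends Action {

    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {

        if ("POST".equalsIgnoreCase(request.getMethod())) {
            // Compares the submitted token with the one stored in the
            // session; reset=true clears it so it cannot be replayed.
            if (!isTokenValid(request, true)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Missing or invalid request token");
                return null; // response is complete, no forward
            }
        }

        ActionForward forward = doExecute(mapping, form, request, response);

        // Store a fresh token for the next form the user is shown.
        // Struts keeps one token per session, so a form left open in a
        // second tab will fail validation after this call.
        saveToken(request);
        return forward;
    }

    /** Business logic of the concrete action (hypothetical hook). */
    protected abstract ActionForward doExecute(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```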