[OWASP-ESAPI] ESAPI : CSRF with struts

Nick Coblentz nick.coblentz at gmail.com
Fri Mar 27 10:01:12 EDT 2009


If you are using Struts 2, try the method discussed here:

http://nickcoblentz.blogspot.com/2008/11/csrf-prevention-in-struts-2.html

- Nick

Nick Coblentz, CISSP
Nick.Coblentz at gmail.com
http://nickcoblentz.blogspot.com

Lucas Ferreira wrote:
> Hello,
> 
> Struts has its own token implementation that can be used through calls
> to some methods in the Action class:
> 
>     * saveToken(HttpServletRequest req)
>     * isTokenValid(HttpServletRequest req)
>     * resetToken(HttpServletRequest req)
> 
> Maybe looking at the implementation of these methods you can find out
> how to integrate ESAPI tokens with Struts. Or maybe using Struts' own
> tokens is enough.
> 
> Regards,
> 
> Lucas
> 
> 2009/3/27 Sukhmeet Sethi (India) <Sukhmeet.Sethi at sdgc.com>
> 
>     Hi there,
> 
> 
>     I am trying to implement ESAPI CSRF security in a Struts web
>     application but wonder how I can include the CSRF token with each action.
> 
>     As per the documentation, I can add a CSRF token to any URL using the
>     following code:
> 
> 
>     String url = ESAPI.httpUtilities().addCSRFToken( "/example/action?t=1" );
> 
> 
>     But what if I want to include the token in all my action URLs? In
>     Struts, the desired URL is generated through struts-config's action
>     mapping.
> 
>     Kindly let me know if there's a way out or if there's any example
>     available.
> 
> 
>     Cheers,
> 
>     Sukhi
> 
> 
> 
>     _______________________________________________
>     OWASP-ESAPI mailing list
>     OWASP-ESAPI at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-esapi
> 
> 
> 
> 
> -- 
> If a tree falls in the forest and no one is around to see it, do the
> other trees make fun of it?
> 
> 
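The two approaches discussed in this thread, worked through as an added example (this is not code from the thread, from ESAPI or from Struts). It assumes the ESAPI 2.x HTTPUtilities API (setCurrentHTTP, verifyCSRFToken, getCSRFToken, addCSRFToken, clearCurrent) and Struts 1.x. EsapiCsrfFilter answers Sukhmeet's question: instead of touching every action mapping, a servlet filter mapped to the action servlet's pattern (e.g. *.do) verifies the ESAPI token on every state-changing request, and the view side emits the token with a hidden field or via addCSRFToken. The parameter name "ctoken" is assumed to be what ESAPI's default implementation reads; note that verifyCSRFToken compares against the token of the ESAPI Authenticator's current user, so the application must be using the ESAPI authenticator for this to work. TransferAction shows Lucas's alternative, Struts' own transaction token. All class and forward names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Hypothetical filter: map it to *.do in web.xml so every Struts action is
 * covered without editing struts-config. Only state-changing methods are
 * checked; the application must keep GET/HEAD free of side effects.
 */
public class EsapiCsrfFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // ESAPI resolves "the current request" from thread-local state, so it
        // must be registered on this thread before any httpUtilities() call.
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            if (isStateChanging(request.getMethod())) {
                // Throws IntrusionException when the token parameter (assumed
                // name: ctoken) is missing or does not match the current user's token.
                ESAPI.httpUtilities().verifyCSRFToken();
            }
            chain.doFilter(request, response);
        } catch (IntrusionException e) {
            // Reject outright: a forged cross-site request gets nothing useful back.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
        } finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    static boolean isStateChanging(String method) {
        return !("GET".equalsIgnoreCase(method)
                || "HEAD".equalsIgnoreCase(method)
                || "OPTIONS".equalsIgnoreCase(method));
    }
}

/** View-side helpers (hypothetical) so every form and link carries the token. */
final class CsrfView {
    /** Hidden field to drop inside each <html:form>; the value is attribute-encoded. */
    static String hiddenField() {
        String token = ESAPI.httpUtilities().getCSRFToken();
        return "<input type=\"hidden\" name=\"ctoken\" value=\""
                + ESAPI.encoder().encodeForHTMLAttribute(token) + "\"/>";
    }

    /** Links that trigger state changes get the token as a query parameter. */
    static String link(String href) {
        return ESAPI.httpUtilities().addCSRFToken(href);
    }
}

/**
 * Lucas's alternative: Struts 1's own transaction token. saveToken() stores a
 * fresh token in the session when the form is shown and <html:form> renders
 * it as a hidden field; the submit path checks and then consumes it.
 */
class TransferAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        if ("GET".equalsIgnoreCase(request.getMethod())) {
            saveToken(request);                 // issue a token and show the form
            return mapping.findForward("form");
        }
        if (!isTokenValid(request)) {           // missing, stale or replayed token
            return mapping.findForward("invalidToken");
        }
        resetToken(request);                    // consume it: one token per submission
        // ... perform the state change here ...
        return mapping.findForward("success");
    }
}
```

The filter and the Struts token are not meant to run together on the same form; pick one. The Struts token is per-form and single-use (good against replay, awkward with multiple open tabs), while the ESAPI token is per-session, which is why the filter can check it uniformly for every action.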