[OWASP-ESAPI] ESAPI : CSRF with struts

Jim Manico jim.manico at owasp.org
Fri Mar 27 17:06:59 EDT 2009


I'm still using Struts 1.X, and I think the method I described below is 
appropriate for that platform. I think. =)

Thanks Nick!

- Jim

----- Original Message ----- 
From: "Nick Coblentz" <nick.coblentz at gmail.com>
To: <owasp-esapi at lists.owasp.org>
Sent: Friday, March 27, 2009 4:01 AM
Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts


If you are using Struts 2, try the method discussed here:

http://nickcoblentz.blogspot.com/2008/11/csrf-prevention-in-struts-2.html

- Nick

Nick Coblentz, CISSP
Nick.Coblentz at gmail.com
http://nickcoblentz.blogspot.com

Lucas Ferreira wrote:
> Hello,
>
> Struts has its own token implementation that can be used through calls
> to some methods in the Action class:
>
>     * saveToken(HttpServletRequest req)
>     * isTokenValid(HttpServletRequest req)
>     * resetToken(HttpServletRequest req)
>
> Maybe looking at the implementation for these methods you can find out
> how to integrate ESAPI tokens with Struts. Or maybe using Struts own
> tokens is enough.
>
> Regards,
>
> Lucas
>
> 2009/3/27 Sukhmeet Sethi (India) <Sukhmeet.Sethi at sdgc.com
> <mailto:Sukhmeet.Sethi at sdgc.com>>
>
>     Hi there,
>
>
>
>     I am trying to implement ESAPI - CSRF security in Struts web
>     application but wonder, how can I include CSRF token with each action.
>
>     As per documentation, I can add CSRF token to any URL using
>     following code:
>
>
>
>     String url = ESAPI.httpUtilities().addCSRFToken( "/example/action?t=1" );
>
>
>
>     But what if I want to include token to all my action URL’s as in
>     struts, the desired URL is generated through struts-config’s action
>     mapping.
>
>     Kindly let me know if there’s way out or if there’s any example
>     available.
>
>
>
>     Cheers,
>
>     Sukhi
>
>
>
>
>     _______________________________________________
>     OWASP-ESAPI mailing list
>     OWASP-ESAPI at lists.owasp.org <mailto:OWASP-ESAPI at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
>
>
>
> -- 
> If a tree falls in the forest and no one is around to see it, do the
> other trees make fun of it?
>
>
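As an added illustration of the Struts 1.x approach that Lucas suggests and Jim says he is using (example code written for this thread, not code from the thread, from ESAPI or from the Struts project), here is a single DispatchAction that issues Struts' own transaction token when it renders a form and verifies it when the form is submitted. The class name TransferAction, the package example.web, the form-bean name transferForm and the forward names form and done are assumptions; the Struts API calls (saveToken, isTokenValid, resetToken, DispatchAction) are the real ones Lucas lists.

```java
package example.web;  // assumed package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;
import org.apache.struts.actions.DispatchAction;

/**
 * Added example: one Struts 1.x DispatchAction that both shows and
 * processes a state-changing form, protected by the built-in transaction
 * token that Lucas mentions (saveToken / isTokenValid / resetToken).
 *
 * Assumed struts-config.xml mapping (not from the thread):
 *
 *   <action path="/transfer" type="example.web.TransferAction"
 *           name="transferForm" scope="request" parameter="method">
 *     <forward name="form" path="/transfer.jsp"/>
 *     <forward name="done" path="/done.jsp"/>
 *   </action>
 *
 * Because the token lives in the HttpSession under
 * Globals.TRANSACTION_TOKEN_KEY, the <html:form> tag on transfer.jsp emits
 * it automatically as the hidden field
 * org.apache.struts.taglib.html.TOKEN, so nothing has to be appended to the
 * action URLs that Struts generates from the mapping above.
 */
public class TransferAction extends DispatchAction {

    /** GET /transfer.do?method=show : render the form and mint a token. */
    public ActionForward show(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request,
                              HttpServletResponse response) throws Exception {
        // Generates a new random token and stores it in the session.
        saveToken(request);
        return mapping.findForward("form");
    }

    /** POST /transfer.do?method=submit : refuse anything without a valid token. */
    public ActionForward submit(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request,
                                HttpServletResponse response) throws Exception {
        // isTokenValid(request, true) compares the submitted hidden field with
        // the session copy AND clears the session copy on success, so the same
        // form cannot be replayed a second time.
        if (!isTokenValid(request, true)) {
            // Cross-site or replayed request: do not perform the transfer.
            // Drop any stale token so a fresh one is minted on the next show().
            resetToken(request);
            ActionMessages errors = new ActionMessages();
            errors.add(ActionMessages.GLOBAL_MESSAGE,
                       new ActionMessage("errors.token"));  // assumed message key
            saveErrors(request, errors);
            return mapping.findForward("form");
        }

        // ... perform the state-changing operation here (omitted) ...

        return mapping.findForward("done");
    }
}
```

Two practical notes on this pattern. First, only the actions that change state need the isTokenValid check; a form that reaches the server through a plain `<html:link>` (GET) will not carry the hidden field, but `<html:link transaction="true">` appends the same session token to the generated URL, which covers the "every action URL" case Sukhi asks about without touching struts-config. Second, because `isTokenValid(request, true)` consumes the token, a legitimate double submit (browser back button, refresh) is rejected exactly like a forged one, so the error branch above should render a clear "please reload the form" message rather than silently retrying the operation.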
