Cross-Site Request Forgery (CSRF) Prevention Using Struts 2
Perform CSRF prevention using Struts 2 within an application.
CSRF prevention is a key security control for an application that protects the application and its users from CSRF attacks. This article will describe how to use the built-in mechanisms provided by Struts 2 to perform CSRF prevention.
There is a standard model for CSRF prevention using Struts 2 that involves 3 basic steps:
1. Update your interceptor stack to include the tokenSession interceptor (TokenSessionStoreInterceptor), either including or excluding all action methods (all are included here), and make that stack the default for the package:
    <interceptor-stack name="myStack">
        <interceptor-ref name="tokenSession"><param name="includeMethods">*</param></interceptor-ref>
        <interceptor-ref name="defaultStack" />
    </interceptor-stack>
    <default-interceptor-ref name="myStack" />
2. Update your action configuration to include or exclude the methods that need or do not need CSRF protection, using the interceptor's includeMethods and excludeMethods parameters (for example tokenSession.excludeMethods on the action's interceptor-ref). An action method that only renders a form must be excluded: the request that displays the form does not carry a token yet, so a protected render method can never be reached.
3. Add the s:token tag inside the JSP form that submits to the protected action. The tag writes the token into a hidden field and stores the same value in the user's session.
Using these 3 simple steps you get a per-session, single-use token that the interceptor checks on every protected request. A request forged from another site cannot know the token, so it fails the check and the action is not executed; instead the invalid.token result is returned, which means every protected action also needs an invalid.token result (globally or per action) or the request ends in a missing-result error.
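The three steps above assembled into one working configuration, as an added example that is not taken from the original article or from the Struts project. The package name secure, the action class com.example.TransferAction, the action mappings transferForm and transfer, and the JSP paths are assumptions for illustration. The first part is struts.xml; the second part is the JSP form (shown in the same block for completeness).

```xml
<!-- struts.xml: a package whose default stack checks the session token -->
<package name="secure" extends="struts-default">

    <interceptors>
        <interceptor-stack name="myStack">
            <!-- tokenSession sits ahead of defaultStack so a missing or forged
                 token stops the request before any action logic runs;
                 includeMethods="*" protects every method unless an action
                 excludes it explicitly -->
            <interceptor-ref name="tokenSession">
                <param name="includeMethods">*</param>
            </interceptor-ref>
            <interceptor-ref name="defaultStack" />
        </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="myStack" />

    <!-- the interceptor returns "invalid.token" on failure; without a result
         of that name Struts reports a missing result instead of a clean error -->
    <global-results>
        <result name="invalid.token">/WEB-INF/jsp/invalid_token.jsp</result>
    </global-results>

    <!-- hypothetical mapping that only renders the form: the GET that
         displays the form carries no token yet, so "input" is excluded -->
    <action name="transferForm" class="com.example.TransferAction" method="input">
        <interceptor-ref name="myStack">
            <param name="tokenSession.excludeMethods">input</param>
        </interceptor-ref>
        <result name="input">/WEB-INF/jsp/transfer.jsp</result>
    </action>

    <!-- hypothetical mapping that changes state: runs execute() and stays
         fully protected by the default stack -->
    <action name="transfer" class="com.example.TransferAction">
        <result name="success">/WEB-INF/jsp/transfer_done.jsp</result>
        <result name="input">/WEB-INF/jsp/transfer.jsp</result>
    </action>

</package>

<!-- /WEB-INF/jsp/transfer.jsp (JSP): s:token writes the hidden fields
     struts.token.name and token, and stores the token value in the session -->
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="transfer" method="post">
    <s:token />
    <s:textfield name="amount" label="Amount" />
    <s:submit value="Transfer" />
</s:form>
```

A few points a practitioner should check when applying this: the token is consumed when it validates, so a second submission of the same form will not pass the check; tokenSession stores the first invocation's result and replays it for a resubmitted token instead of re-executing the action, which is its double-submit feature, so if you want duplicate and forged requests to be rejected outright use the plain token interceptor (same includeMethods/excludeMethods parameters, always returns invalid.token on failure); and any action that performs a state change without going through a form containing s:token, for example a link handled by GET, is not protected by this configuration and must be converted to a tokenised POST.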
Note: Token-based CSRF defences, including this one, are defeated when the application also has XSS vulnerabilities, because injected script running in the victim's origin can read the hidden token field (or the form that contains it) and submit a request that passes the check. Removing XSS is therefore a prerequisite for a complete CSRF prevention mechanism.
In conclusion, CSRF prevention can function as a strong security control if used properly and applied thoroughly throughout the application. The Struts 2 framework provides a simple series of steps for accomplishing this task.