Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Recent Security Innovation Blog Post:

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Cross-Site Request Forgery (CSRF) Prevention Using Struts 2


Applies to

  • Java
  • Struts 2


Perform CSRF prevention using Struts 2 within an application.


CSRF prevention is a key security control for an application that protects the application and its users from CSRF attacks. This article will describe how to use the built-in mechanisms provided by Struts 2 to perform CSRF prevention.

Code Example

There is a standard model for CSRF prevention using Struts 2 that involves 3 basic steps

1. Update your interceptor stack to include the tokenSessionInterceptor, either including or excluding all methods (all are included here).

<interceptor-stack name="myStack">
    <interceptor-ref name="defaultStack" />
    <interceptor-ref name="tokenSession">
 <param name="includeMethods">*</param>

<default-interceptor-ref name="myStack" />

2. Update your action configuration to include or exclude any methods that need or do not need CSRF protection.

<action ...>
    <interceptor-ref name="tokenSession">
 <param name="excludeMethods">searchBooks,getBook</param>

3. Use s:token in your JSP form that requests the action.

<s:form action="...">
    <s:token />

Using these 3 simple steps you can effectively have a session specific per user token used to validate that a request was submitted by a user intentionally.

Note: There have been effective attacks against various CSRF prevention techniques including this token-based approach when an application has XSS vulnerabilities. Removing XSS is therefore viewed as a prerequisite activity for a complete CSRF prevention mechanism.

In conclusion, CSRF prevention can function as a strong security control if used properly and applied thoroughly throughout the application. The Struts 2 framework provides a simple series of steps for accomplishing this task.

More Information


Post Comment
Website (optional)

Allowed tags: <a> link, <b> bold, <i> italics