Jack

Reputation: 6620

How to implement CSRF prevention code on Struts2?

I added an interceptor to my struts.xml and to all of the forms to prevent Cross-Site Request Forgery attacks. I am wondering if I should do anything else, such as retrieving the token and matching it with the one submitted along with the forms, in case this isn't done automatically.

  <interceptors>
      <interceptor-stack name="defaultSecurityStack">
          <interceptor-ref name="defaultStack"/>
          <interceptor-ref name="tokenSession">
              <param name="excludeMethods">*</param>
          </interceptor-ref>
      </interceptor-stack>
  </interceptors>

  <default-interceptor-ref name="defaultSecurityStack"/>

All forms have

  <s:form ...>
      <s:token/>
      ...
  </s:form>

Upvotes: 5

Views: 6219

Answers (2)

Mehmet Ince

Reputation: 1318

To be sure whether it is working as expected or not, you can send a form request with the CSRF hidden field omitted. In order to do that you can use Tamper Data. It's a Firefox plug-in. It captures the HTTP request when you click the submit button and shows the content of the request to you. You can change everything in there. So you can omit the CSRF input from the post body with that method. Finally, you will test whether the backend is working like a charm or not.

Also, if everything works as expected, you don't need to do anything else. This will secure your application against CSRF attacks.

Upvotes: 2

tom

Reputation: 2745

Firstly, I think you should put the token interceptor as the first interceptor on your stack. That way, when the token does not match, your code is not executed.

Secondly, <param name="excludeMethods">*</param> means you are never using this interceptor.

Lastly, the token interceptor automatically checks the token in the form parameters against the token in the session. If it does not match, it returns the result invalid.token, by which you can alter the flow as follows:

<result name="invalid.token" type="redirectAction">
    <param name="actionName">wrongToken.jsp</param>
</result>

The following URLs are interesting reading:

Upvotes: 2
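A struts.xml that applies the three points from this answer (token check first in the stack, no wildcard in excludeMethods, and an invalid.token result), as an added example rather than the asker's or either answer's configuration. The package, action, method, class and JSP names are assumptions.

```xml
<struts>
    <package name="secure" extends="struts-default">
        <interceptors>
            <interceptor-stack name="defaultSecurityStack">
                <!-- Token check first: on a mismatch the action code never runs. -->
                <interceptor-ref name="tokenSession">
                    <!-- Never use "*" here: it disables the check for every method.
                         List only methods that do not change state (assumed name "input"). -->
                    <param name="excludeMethods">input</param>
                </interceptor-ref>
                <interceptor-ref name="defaultStack"/>
            </interceptor-stack>
        </interceptors>

        <default-interceptor-ref name="defaultSecurityStack"/>

        <!-- Shared result for requests whose token is missing or does not match the session. -->
        <global-results>
            <result name="invalid.token">/WEB-INF/jsp/wrongToken.jsp</result>
        </global-results>

        <!-- Assumed action; every <s:form> posting to it must include <s:token/>. -->
        <action name="transfer" class="com.example.TransferAction">
            <result name="success">/WEB-INF/jsp/transferDone.jsp</result>
            <result name="input">/WEB-INF/jsp/transfer.jsp</result>
        </action>
    </package>
</struts>
```

With this layout, a POST that lacks the token parameters or carries a token that differs from the one stored in the session is routed to the invalid.token result before TransferAction executes.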
