AlexITC

Reputation: 1074

Is there a Spring Security 4.x taglib for Facelets

I'm working on a project using Spring Security 4.x and JSF 2.2 with Facelets. I just noticed that Spring Security in this version has protection against Cross-Site Request Forgery enabled by default, using request tokens. The problem is that you have to put the tag <sec:csrfMetaTags> in many pages (if not, Spring denies the request), and spring-faces is at 2.4.1, which doesn't have these tags for Facelets (XHTML).

I tried to find an implementation in order to get my project working with these frameworks, but I couldn't find any. Do you know of any adaptation?

In my case, I adapted just the part I needed (at this point); if there are no public adaptations, I'd be glad to put it into an open source project and try to adapt the whole library.

Thanks.

UPDATE

I created a blog post explaining my solution: http://halexv.blogspot.mx/2015/07/spring-security-4x-csrf-protection-for.html

Upvotes: 7

Views: 1201

Answers (1)

Faraj Farook

Reputation: 14915

There is the Spring taglib for JSF, which you can access from this link:

http://docs.spring.io/spring-webflow/docs/current/reference/html/spring-faces.html#spring-faces-security-taglib

I believe you already know this. But your actual question is about the CSRF token, which you have to add to all your pages. This specifically can be achieved by adding the token automatically to your forms, as below.

Create a util class and add a token generator:

import java.util.UUID;
import javax.servlet.http.HttpSession;

public final class CSRFTokenManager {
    // Constant names as used in the answer; the values are assumed here, the post does not give them
    static final String CSRF_PARAM_NAME = "CSRFToken";
    static final String CSRF_TOKEN_FOR_SESSION_ATTR_NAME = CSRFTokenManager.class.getName() + ".tokenval";

    // Returns the session's token, minting one on first use. The synchronized block
    // stops two concurrent requests in the same session from creating different tokens.
    static String getTokenForSession(HttpSession session) {
        String token = null;
        synchronized (session) {
            token = (String) session.getAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME);
            if (null == token) {
                token = UUID.randomUUID().toString();
                session.setAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME, token);
            }
        }
        return token;
    }
}

Implement RequestDataValueProcessor:

import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

public class CSRFRequestDataValueProcessor implements RequestDataValueProcessor {
    ... // the interface's other methods (processAction, processFormFieldValue, processUrl) are omitted here

    // Consulted by Spring's <form:form> tag when it renders a form; the returned map
    // is written out as hidden inputs, so every form carries the session token.
    @Override
    public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
        Map<String, String> hiddenFields = new HashMap<String, String>();
        hiddenFields.put(CSRFTokenManager.CSRF_PARAM_NAME,
                         CSRFTokenManager.getTokenForSession(request.getSession()));
        return hiddenFields;
    }
}

Then define the bean:

<bean name="requestDataValueProcessor" class="com...CSRFRequestDataValueProcessor"/>

Credit/reference: http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html

Upvotes: 1
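Since the question asks for a Facelets equivalent of <sec:csrfMetaTags>, here is an added example (not code from the question, the answer, Spring or spring-faces) of a JSF 2.2 component that renders Spring Security 4's own token into an XHTML page. It relies on two facts about Spring Security 4: its CsrfFilter runs before the FacesServlet and stores the current CsrfToken as a request attribute (under CsrfToken.class.getName() and, by default, under "_csrf"), and on every state-changing request it compares the "_csrf" parameter or the "X-CSRF-TOKEN" header against the token in its CsrfTokenRepository, which is session-backed by default. The package name, component id, tag namespace URL and tag name below are assumptions made for this example; the default parameter and header names are read from the token object rather than hard-coded.

```java
package example.csrf; // assumed package name

import java.io.IOException;
import java.util.Map;

import javax.faces.component.FacesComponent;
import javax.faces.component.UIComponentBase;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;

import org.springframework.security.web.csrf.CsrfToken;

/**
 * Renders Spring Security's CSRF token into a Facelets page, either as the
 * three meta tags <sec:csrfMetaTags/> would produce or as a hidden input.
 *
 * Usage (the namespace URL and tag name are assumptions of this example):
 *   <html xmlns:csrf="http://example.com/csrf">
 *     <h:head><csrf:token render="meta"/></h:head>
 *     <h:form><csrf:token/> ...</h:form>
 */
@FacesComponent(value = "example.csrf.CsrfTokenComponent", createTag = true,
                namespace = "http://example.com/csrf", tagName = "token")
public class CsrfTokenComponent extends UIComponentBase {

    @Override
    public String getFamily() {
        return "example.csrf";
    }

    @Override
    public void encodeBegin(FacesContext ctx) throws IOException {
        // CsrfFilter put the token here before the JSF lifecycle started.
        Map<String, Object> requestMap = ctx.getExternalContext().getRequestMap();
        CsrfToken token = (CsrfToken) requestMap.get(CsrfToken.class.getName());
        if (token == null) {
            // No token means CsrfFilter did not run for this request (the URL is
            // outside the Spring Security filter chain or CSRF is disabled). Render
            // nothing rather than an empty field that would still fail validation.
            return;
        }

        ResponseWriter w = ctx.getResponseWriter();
        if ("meta".equals(getAttributes().get("render"))) {
            // Same three meta tags as <sec:csrfMetaTags/>, so client-side scripts can
            // read the header name and token and send them on AJAX requests.
            writeMeta(w, "_csrf_parameter", token.getParameterName());
            writeMeta(w, "_csrf_header", token.getHeaderName());
            writeMeta(w, "_csrf", token.getToken());
        } else {
            // Hidden input placed inside <h:form>; it is posted with the rest of the
            // form's fields, including on <f:ajax> partial submits, which serialise the
            // enclosing form, so CsrfFilter accepts both kinds of request.
            w.startElement("input", this);
            w.writeAttribute("type", "hidden", null);
            w.writeAttribute("name", token.getParameterName(), null);
            w.writeAttribute("value", token.getToken(), null);
            w.endElement("input");
        }
    }

    private void writeMeta(ResponseWriter w, String name, String content) throws IOException {
        w.startElement("meta", this);
        w.writeAttribute("name", name, null);
        w.writeAttribute("content", content, null);
        w.endElement("meta");
    }
}
```

Two things to check when wiring this in: the Facelets page must declare the same namespace the @FacesComponent annotation uses, and the application's URL pattern for the FacesServlet must be covered by the springSecurityFilterChain mapping, otherwise the request attribute is never set and the component renders nothing. JSF's own javax.faces.ViewState field is not a substitute; Spring Security's CsrfFilter only looks at the "_csrf" parameter and the "X-CSRF-TOKEN" header.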
