Thursday, September 1, 2016

Enable CSRF in Spring Security

In this blog I will show you the steps needed to enable CSRF protection in a Spring application.

CSRF stands for "Cross Site Request Forgery". If your application is vulnerable to this issue, a malicious user can get a forged request submitted to the application and successfully completed. Check the OWASP website for a detailed explanation of CSRF.

Enabling CSRF protection stops a forged request from being submitted and completing a transaction. This works through a CSRF token value that is submitted with every request. It is difficult for a malicious user to guess this value and include it in a request. The CSRF token is an auto-generated value that keeps changing, and a reference to that token is maintained on the server side so that valid requests can be identified.

Please note I am using Spring 4.x for this blog.

Step 1:
Open the web.xml file in the WEB-INF folder and add the following lines.
<!-- The filter-name must match the bean that the Spring Security namespace
     registers, which is springSecurityFilterChain; DelegatingFilterProxy
     looks the bean up by this name. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Here /* in url-pattern means that all URLs are covered by the filter.

Step 2: In this step we make changes to applicationContext.xml, which contains the security configuration. Add the code below to enable CSRF protection:

<security:http auto-config="true" use-expressions="true">
    <security:access-denied-handler error-page="/htm/denied.html" />
    <security:form-login
        login-page="/login"
        authentication-failure-url="/login"
        username-parameter="UserName"
        password-parameter="Password" />
    <security:csrf disabled="false" />
</security:http>

If you already have an http tag, you only need to add <security:csrf disabled="false"/>. CSRF protection is enabled by default, so the disabled="false" attribute is not actually required; I added it because it makes the intent easy to understand.

Adding the csrf element tells Spring to provide the setup the application needs to use CSRF tokens when submitting requests.

Basically, any action which changes state in the application should be covered. Generally the GET method is not used for changes to application data, but if your application uses GET for change operations then those should be covered as well.

If you need to specify which methods/URLs Spring should check for CSRF, use the request-matcher-ref attribute of the csrf tag. I will not be covering this in this blog.

<security:csrf  disabled="false" request-matcher-ref="ref of class"/>

In the JSP page, add the following code inside the form:

<input name="${_csrf.parameterName}" type="hidden" value="${_csrf.token}" />

This generates the hidden token field, and Spring takes care of verifying the token on the submitted request. The token value can be passed either as a hidden field or as a URL parameter.

If the token is generated correctly, a value like the following will be visible in the page's view source.


If the token is invalid, Spring reports that an invalid CSRF token was sent and takes the user to the error page. The application throws "InvalidCsrfTokenException".
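To make the verification rule concrete, here is an added example (my own stand-alone model, not Spring Security's code) of the decision Spring's CsrfFilter makes on each request: safe methods pass untouched, everything else must carry the session's token in the header or the hidden field, and a mismatch is what surfaces as InvalidCsrfTokenException. It assumes Java 9+ and nothing from Spring; the constant-time comparison is this example's choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;

// Added example, not Spring Security's code: a stand-alone model of the check
// CsrfFilter performs on each request (safe methods skipped, token read from
// the header or the hidden field, mismatch rejected).
public class CsrfCheckDemo {
    // Methods that must not change state, so they are not checked.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "TRACE", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    // Server-side token: random and unguessable, stored in the session.
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Returns true when the request may proceed. sessionToken is the value the
    // server stored; headerToken (X-CSRF-TOKEN, used by AJAX) and paramToken
    // (_csrf hidden field, used by forms) are what the client sent, or null.
    static boolean allow(String method, String sessionToken,
                         String headerToken, String paramToken) {
        if (SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return true; // read-only request, nothing to protect
        }
        if (sessionToken == null) {
            return false; // no token was ever issued for this session
        }
        // The header is consulted first, then the request parameter.
        String actual = headerToken != null ? headerToken : paramToken;
        if (actual == null) {
            return false; // client sent no token at all
        }
        // Constant-time comparison so timing does not leak the token.
        return MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = newToken();
        System.out.println("GET without token:  " + allow("GET", token, null, null));
        System.out.println("POST hidden field:  " + allow("POST", token, null, token));
        System.out.println("POST AJAX header:   " + allow("POST", token, token, null));
        System.out.println("POST forged value:  " + allow("POST", token, null, "forged"));
        System.out.println("POST missing token: " + allow("POST", token, null, null));
    }
}
```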

Note: if you are using AJAX with a JSON request body, there is no form field to carry the token, so expose the token and the header name through meta tags and send them in an HTTP header, as shown below.

<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
Or include it in all AJAX calls by adding the function below to the JSP or view file.
$(function () {
    // Read the token and header name exposed by the meta tags above.
    var token = $("meta[name='_csrf']").attr("content");
    var header = $("meta[name='_csrf_header']").attr("content");
    // Attach the token as a request header on every jQuery AJAX call.
    $(document).ajaxSend(function(e, xhr, options) {
        xhr.setRequestHeader(header, token);
    });
});
That is all on CSRF front.
