
I have an issue currently that the validate method of the actionform happens before the execute method of the action.

The reason this is an issue is that a user can submit their own request, and should they have all required fields completed, the validate passes; using the isTokenValid(request) method I can see that the request is invalid and forward them to an "access denied" page. However, if they do not complete all required fields in their forged request, the validate method returns errors and they are forwarded to the actual page (.jsp) with error messages displayed.

Any idea how to prevent this?

eric MC
  • Why can they get to the page they don't have access to at all? In any case, there are several options, but it depends on the current app flow, e.g., are you using auth filters, a custom request processor, doing validation "manually" or via the default request processor, etc. – Dave Newton Aug 05 '13 at 20:09
  • I'm implementing CSRF protection. So a user would be logged in and they would accidentally initiate a request from the malicious site. Most requests are prevented by using isTokenValid, but since validate fails before hitting the action, it forwards to the .jsp instead of an access denied page. Note this may not actually be dangerous, because all that happens is the user is forwarded to the page, not the malicious person themselves; still, I would like to prevent it though. I'm new to Struts but am using the validate method of the ActionForm with custom logic. – eric MC Aug 05 '13 at 20:17

1 Answer


To implement CSRF prevention in Struts 1 using tokens, you should not allow direct access to your JSP pages.

A user should get to your forms through Struts Actions and the action will call saveToken(request) before they are forwarded to the form in the JSP page.

Where you usually forward directly to a JSP, you can instead forward to an action that inherits from ActionForward. Within its execute method it can then forward by calling the parent ActionForward execute method. You could also implement additional logic restrictions in your new action class.

This answer to Struts CSRF question on separate thread may also be useful: https://stackoverflow.com/a/5339391/6136697

M. Rizzo
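The pattern the answer describes, written out as an added example (this is not code from the question, the answer, or Struts itself). It assumes two action classes in separate files, a hypothetical `TransferForm`, and the `struts-config.xml` mapping shown in the comment. The display action calls `saveToken(request)` before forwarding, and the JSPs live under `/WEB-INF/`, which the servlet container never serves to a direct browser request, so the only path to the form goes through the token-issuing action. The processing action sets `validate="false"` on its mapping so the `RequestProcessor` does not run `validate()` before `execute()`; it checks the token first and calls the form's `validate()` itself afterwards, which is what prevents a forged request with missing fields from landing on the input page with error messages. Struts 1 ships `org.apache.struts.actions.ForwardAction` for the pure-forward case; a plain `Action` subclass is used here so the `saveToken` call is visible.

```java
// Assumed struts-config.xml mapping (constructed for this example):
//
//   <action path="/showTransfer" type="example.ShowTransferAction">
//     <forward name="form" path="/WEB-INF/jsp/transfer.jsp"/>
//   </action>
//   <action path="/transfer" type="example.TransferAction" name="transferForm"
//           scope="request" validate="false" input="/WEB-INF/jsp/transfer.jsp">
//     <forward name="success" path="/WEB-INF/jsp/transferDone.jsp"/>
//     <forward name="accessDenied" path="/WEB-INF/jsp/accessDenied.jsp"/>
//   </action>
//
// validate="false" stops the RequestProcessor from calling form.validate()
// before execute(); TransferAction calls it itself, after the token check.

// ---- File 1: example/ShowTransferAction.java ----
package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Only entry point to the form: issues the token, then forwards to the JSP. */
public class ShowTransferAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // Stores a fresh token in the session; <html:form> renders it as the
        // hidden field org.apache.struts.taglib.html.TOKEN on the JSP.
        saveToken(request);
        return mapping.findForward("form");
    }
}

// ---- File 2: example/TransferAction.java ----
package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Processes the submission: token check first, field validation second. */
public class TransferAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // A forged cross-site request carries no (or a stale) token, so it is
        // rejected here regardless of whether its fields are complete.
        // reset=true consumes the token: each issued token is good for one submit.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("accessDenied");
        }

        // Manual validation, now that the request is known to be legitimate.
        ActionErrors errors = form.validate(mapping, request);
        if (errors != null && !errors.isEmpty()) {
            // The token was just consumed; issue a new one so the redisplayed
            // form can be resubmitted, then go back to the input JSP with errors.
            saveToken(request);
            saveErrors(request, errors);
            return mapping.getInputForward();
        }

        // ... perform the state-changing operation with the validated form ...
        return mapping.findForward("success");
    }
}
```

With this arrangement, a request that arrives at `/transfer.do` without having first passed through `/showTransfer.do` in the same session fails the token check before any field is inspected, so the "missing required fields" path the question describes is never reached for a forged request. Note that `saveErrors(HttpServletRequest, ActionMessages)` and `isTokenValid(HttpServletRequest, boolean)` are the Struts 1.1+ signatures; on Struts 1.0 only the single-argument `isTokenValid(request)` exists and the token must be reset with `resetToken(request)` separately.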