I am trying to set up Cross-Site Request Forgery (CSRF) protection for my site that uses Spring MVC. My idea was to send a token in the HTTP request header and verify it using AOP like this:
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Aspect
@Component
public class RequestMappingInterceptor {
    // Matches @RequestMapping handler methods whose FIRST parameter is the HttpServletRequest (args(request,..) binds by position)
    @Before("execution(@org.springframework.web.bind.annotation.RequestMapping * *(..)) && args(request,..)")
    public void before(JoinPoint point, HttpServletRequest request) throws Throwable {
        // Current principal from Spring Security; AmsUser, UserEntity and SessionEncodingUtils are the application's own classes
        UserEntity loggedUser = ((AmsUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUserEntity();
        // Expected token: user id plus the session id's hashCode, encrypted and Base64-encoded (commons-codec)
        String encodedToken = Base64.encodeBase64String(
                SessionEncodingUtils.encryptDecryptString(loggedUser.getId() + ";" + request.getSession(true).getId().hashCode()).getBytes());
        if (!encodedToken.equals(request.getHeader("csrfToken"))) {
            throw new RuntimeException("go.away");
        }
    }
}
However, this does not work and I am not sure why. Shouldn't this intercept any method annotated with @RequestMapping that contains a request argument? Any help would be appreciated.
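As an added illustration of the same idea (header-carried CSRF token tied to the session, checked before the handler runs), here is a Spring MVC HandlerInterceptor written for this page; it is not the poster's code. It assumes Spring 5 or later (where HandlerInterceptor's other methods have default bodies), the javax.servlet API as on the page, a server-side HMAC secret supplied by the application, and an assumed header name X-CSRF-Token. The token is an HMAC-SHA256 over the full session id, so it cannot be computed by another origin, and the comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Added example (not the poster's code): rejects state-changing requests whose
 * CSRF header does not carry the HMAC of the current session id.
 * Register it via WebMvcConfigurer#addInterceptors.
 */
public class CsrfHeaderInterceptor implements HandlerInterceptor {

    static final String HEADER = "X-CSRF-Token"; // assumed header name
    private final SecretKeySpec key;

    /** secret: random bytes kept server-side, e.g. loaded from configuration (assumed). */
    public CsrfHeaderInterceptor(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /** Expected token for a session; the same method hands the token to the client's page or XHR layer. */
    public String tokenFor(HttpSession session) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            byte[] tag = mac.doFinal(session.getId().getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    /** Safe (read-only) methods are exempt; everything else must carry the token. */
    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method) || "TRACE".equals(method);
    }

    /** Constant-time check; a missing header or missing session fails closed. */
    boolean isValid(HttpServletRequest request) {
        String presented = request.getHeader(HEADER);
        HttpSession session = request.getSession(false);
        if (presented == null || session == null) {
            return false;
        }
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        byte[] expected = tokenFor(session).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, expected);
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (isSafeMethod(request.getMethod()) || isValid(request)) {
            return true;
        }
        // Returning false stops the chain: the @RequestMapping method never executes.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
        return false;
    }
}
```

An interceptor runs in the DispatcherServlet's handler chain for every mapped controller method regardless of its parameter order, which is the difference from a pointcut that binds the request argument by position. Since the page already uses Spring Security, its built-in CSRF support (CsrfFilter, enabled by default in Spring Security 3.2 and later) covers the same need without custom code.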