-1

I need to implement CSRF attack prevention using a token in an application that uses Ajax POST requests (ExtJS library) to Struts actions. How can I implement token generation and validation in such a case?

Roman C
  • What about OAuth 2.0 (http://oauth.net/2/)? There are a lot of Java libraries out there which support it. – oberbics Aug 10 '16 at 11:06
  • @oberbics I need to implement prevention only for a few requests and I cannot do anything with the current authorization process. – Александр Кель Aug 10 '16 at 11:12
  • Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. – Roman C Aug 10 '16 at 20:56

1 Answer

0

In ExtJS you can use this:

Ext.Ajax.setDefaultHeaders({ token: 'xyz' })

This operation will add the header to each request you send to the server.

On the server side, consider using Spring Security. I recommend this solution.

The second option (and not the last): you can write your own servlet service and filters for authentication (a service generating the token) and authorization (a filter for request token validation).

Filip
  • Could you please explain how I can inject the token on the client side? If I understood correctly, it should be generated on the server side. – Александр Кель Aug 10 '16 at 14:20
  • Yes, the token should be generated on the server side. How to inject the token? I just wrote it. Every request in ExtJS inherits from Ext.Ajax. So when you set a default header for this class, each request will be sent with this header. I don't know what exactly you are trying to do, but one way to implement a client-side token is to make a request. You receive the token and set it like I wrote above. Of course you can use a login form or load it automatically from the server, or inject it into static files. There are many possibilities. – Filip Aug 10 '16 at 21:08