Content Application Developer Manual / Version 2307
Table Of ContentsCross-site request forgery (CSRF) is a trivial attack on a web application, which - if vulnerable to this attack - allows an attacker to perform a state-modifying operation on behalf of an authenticated, honest user. Depending on the nature of the web application and the operations an authenticated user may perform, the potential damage may be significant. For instance, a vulnerable application may allow an attacker to take over an honest user's account by changing that user's email address to his own.
A variation on CSRF is "login CSRF", which is an attack tricking an honest user to log into a vulnerable application with an account owned by the attacker. An unsuspecting user who fell victim to this attack may add valuable information, such as his address or payment information to the account, resulting in a leak of sensitive user data to the attacker.
More information on cross-site request forgery can be found at the Open Web Application Security Project: CSRF.
To reduce a CAE application's risk of vulnerability to CSRF attacks, the CAE makes use of the Spring Security CSRF protection.
The Spring Security CSRF protection for the CAE is configured in CaeHttpSecurityConfigurer#configure(CsrfConfigurer). For customizations see Section 4.3.8, “Spring Security” and Spring Security documentation on CSRF support for Servlet Environments.
To provide CSRF protection for web forms, add this to the templates:
<#-- @ftlvariable name="_csrf" type="org.springframework.security.web.csrf.CsrfToken" --> <form> <#if _csrf?has_content> <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"> </#if> ... </form>
Caution
The name of the ftlvariable
for the CsrfToken
in the
FreeMarker templates must match the name of the configured CSRF token parameter.
Changing the parameter name (using
HttpSessionCsrfTokenRepository.html#setParameterName(String))
requires the name of the ftlvariable
in the FreeMarker templates
to be changed likewise.