Comments on Thinking In Software: XSS and CSRF protection in Spring MVC Framework
Blog author: Nestor Urquiza (http://www.blogger.com/profile/12351754666722274569)
Comment feed last updated: 2024-03-20T02:30:44-07:00
7 comments, shown oldest first.

---

Bar (https://www.blogger.com/profile/07523236568378501155), 2011-07-24T02:13:23-07:00:

Interesting! Could you share the code for ControllerContext too? Thanks!

---

Nestor Urquiza (https://www.blogger.com/profile/12351754666722274569), 2011-07-25T09:35:41-07:00:

@Bar ControllerContext is just a POJO that passes the servlet request and other domain-specific objects between Controller methods.

This is a design decision to use Singleton Controllers totally managed by Spring in a multithreading environment.

Hope that answers your question.

---

Przemyslaw (https://www.blogger.com/profile/08709661481668087747), 2012-01-19T02:54:50-08:00:

Grails supports this out of the box: http://grails.org/doc/2.0.x/ref/Controllers/withForm.html

---

Blaufish (https://www.blogger.com/profile/04696562141115102666), 2012-01-23T06:48:30-08:00:

Random r = new Random(); r.setSeed(seed);

is not random (unpredictable), enabling seed guessing attacks.

new SecureRandom() will produce a better Random object.

---

gregory (https://www.blogger.com/profile/04560612299153025513), 2012-01-23T15:05:22-08:00:

This won't work. Hacker can get the token with a GET request.

---

Nestor Urquiza (https://www.blogger.com/profile/12351754666722274569), 2012-01-24T02:57:50-08:00:

@Blaufish, good point. Thanks!

@Gregory, can you please elaborate? As far as I understand someone can get a token only if you provide one. In my case I generate a token once the user is authenticated.

---

Eyal Lupu (https://www.blogger.com/profile/06848117109525757263), 2012-04-20T22:32:27-07:00:

Thank you for the post.
I want to mention that the latest Spring release (3.1) provides a new interface (RequestDataValueProcessor) which can be combined with a HandlerInterceptor to *automatically* include the CSRF token in forms and automatically validate it.

Once configured this process is fully automatic without the need of developers to do anything. I elaborated on that here in my blog: http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html