This repository was archived by the owner on Feb 5, 2022. It is now read-only.
File tree Expand file tree Collapse file tree 5 files changed +55
-2
lines changed Expand file tree Collapse file tree 5 files changed +55
-2
lines changed Original file line number Diff line number Diff line change 1010 <properties >
1111 <java-version >1.7</java-version >
1212 <org .springframework-version>4.0.0.RELEASE</org .springframework-version>
13+ <org .springframework.security-version>3.2.0.RELEASE</org .springframework.security-version>
1314 <org .aspectj-version>1.7.4</org .aspectj-version>
1415 <org .slf4j-version>1.6.1</org .slf4j-version>
1516 </properties >
151152 <artifactId >commons-io</artifactId >
152153 <version >2.0.1</version >
153154 </dependency >
155+
156+ <!-- Security (used for CSRF protection only) -->
157+ <dependency >
158+ <groupId >org.springframework.security</groupId >
159+ <artifactId >spring-security-web</artifactId >
160+ <version >${org.springframework.security-version} </version >
161+ </dependency >
154162
155163 <!-- Test -->
156164 <dependency >
Original file line number Diff line number Diff line change 44 xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"
55
66 <!-- Root Context: defines shared resources visible to all other web components -->
7-
7+
8+ <!--
9+ CSRF protection. Here we only include the CsrfFilter instead of all of Spring Security.
10+ See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf for more information on
11+ Spring Security's CSRF protection
12+ -->
13+ <bean id =" csrfFilter" class =" org.springframework.security.web.csrf.CsrfFilter"
14+ <constructor-arg >
15+ <bean class =" org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"
16+ </constructor-arg >
17+ </bean >
18+ <!--
19+ Provides automatic CSRF token inclusion when using Spring MVC Form tags or Thymeleaf. See
20+ http://localhost:8080/#forms and form.jsp for examples
21+ -->
22+ <bean id =" requestDataValueProcessor" class =" org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"
823</beans >
Original file line number Diff line number Diff line change 1414 <p >
1515 See the <code >org.springframework.samples.mvc.fileupload</code > package for the @Controller code
1616 </p >
17- <form id =" fileuploadForm" action =" fileupload" method =" POST" enctype =" multipart/form-data" class =" cleanform"
17+ <!--
18+ File Uploads must include CSRF in the URL.
19+ See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-multipart
20+ -->
21+ <c:url var =" actionUrl" value =" fileupload?${ _csrf. parameterName } ${ _csrf. token } "
22+ <form id =" fileuploadForm" action =" ${ actionUrl } " method =" POST" enctype =" multipart/form-data" class =" cleanform"
1823 <div class =" header"
1924 <h2 >Form</h2 >
2025 <c:if test =" ${ not empty message } "
Original file line number Diff line number Diff line change 55 <title >spring-mvc-showcase</title >
66 <link href =" <c:url value=" resources /form.css " />" rel =" stylesheet" type =" text/css"
77 <link href =" <c:url value=" resources /jqueryui /1.8 /themes /base /jquery.ui.all.css " />" rel =" stylesheet" type =" text/css"
8+
9+ <!--
10+ Used for including CSRF token in JSON requests
11+ Also see bottom of this file for adding CSRF token to JQuery AJAX requests
12+ -->
13+ <meta name =" _csrf" content =" ${ _csrf. token } "
14+ <meta name =" _csrf_header" content =" ${ _csrf. headerName } "
815</head >
916<body >
1017<h1 ><a href =" <c:url value=" " />" a ></h1 >
@@ -627,6 +634,14 @@ $(document).ready(function() {
627634 return false ;
628635 });
629636
637+ // Include CSRF token as header in JQuery AJAX requests
638+ // See http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-include-csrf-token-ajax
639+ var token = $ (" meta[name='_csrf']" attr (" content"
640+ var header = $ (" meta[name='_csrf_header']" attr (" content"
641+ $ (document ).ajaxSend (function (e , xhr , options ) {
642+ xhr .setRequestHeader (header, token);
643+ });
644+
630645});
631646script >
632647</body >
Original file line number Diff line number Diff line change 1313 <listener >
1414 <listener-class >org.springframework.web.context.ContextLoaderListener</listener-class >
1515 </listener >
16+
17+ <filter >
18+ <filter-name >csrfFilter</filter-name >
19+ <filter-class >org.springframework.web.filter.DelegatingFilterProxy</filter-class >
20+ <async-supported >true</async-supported >
21+ </filter >
22+ <filter-mapping >
23+ <filter-name >csrfFilter</filter-name >
24+ <url-pattern >/*</url-pattern >
25+ </filter-mapping >
1626
1727 <!-- Processes application requests -->
1828 <servlet >
You can’t perform that action at this time.
0 commit comments