Csrf token not being rendered in the UI for a simple Html form - spring-mvc

I am trying to implement CSRF protection for a simple registration application. I have a state-changing form, registration.jsp, which needs to be protected with CSRF token validation. I have imported the Spring Security 5.2.3 dependencies and also added the hidden input tag in registration.jsp. From the Spring CSRF documentation it is evident that we should be able to see the token set in a header or cookie value.
<form:label path="note">Note:</form:label>
<form:textarea path="note" cols="25" rows="5"/><br/>
<form:button>Register</form:button>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form:form>
</div>

The default form method is GET, which does not require a CSRF token. Setting the form method to POST should add a CSRF token if it is not disabled, as described in the documentation:
You should be able to see the CSRF token in the payload of the POST request, with the key _csrf, in the network tab of the Chrome debugger.
It seems to be by design that the hidden input field is not rendered.
Hidden inputs are completely invisible in the rendered page, and there is no way to make them visible in the page's content.
Otherwise, what you have done should be the equivalent of using the CSRF tag <sec:csrfInput /> from the Spring Security JSP tag library.
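One way to confirm that the token really is enforced on the registration POST, as an added MockMvc test that is not part of the question or the answers above. It assumes the form posts to /register, that the controller redirects on success, and that the application's configuration classes are WebConfig and SecurityConfig; spring-security-test must be on the test classpath.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@ExtendWith(SpringExtension.class)
@WebAppConfiguration
@ContextConfiguration(classes = {WebConfig.class, SecurityConfig.class}) // assumed config classes
class RegistrationCsrfTest {

    @Autowired
    private WebApplicationContext context;
    private MockMvc mockMvc;

    @BeforeEach
    void setUp() {
        // springSecurity() installs the real filter chain, including CsrfFilter,
        // so the test exercises the same token check the browser form hits.
        mockMvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    void postWithoutCsrfTokenIsForbidden() throws Exception {
        // No _csrf parameter: CsrfFilter must reject the state-changing request.
        mockMvc.perform(post("/register").param("note", "hello"))
               .andExpect(status().isForbidden());
    }

    @Test
    void postWithCsrfTokenIsAccepted() throws Exception {
        // csrf() supplies a valid token under the _csrf parameter, exactly what the
        // hidden input (or <sec:csrfInput/>) adds to the submitted form.
        mockMvc.perform(post("/register").param("note", "hello").with(csrf()))
               .andExpect(status().is3xxRedirection()); // assumes redirect on success
    }
}
```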

Related

jQuery mobile pages not loading correctly after servlet redirect

I have some pages in my mobile web app, based on jQuery Mobile, that need to be accessible without authentication and some only after the user has been authenticated. My solution is based on this tutorial: Java Servlet Filter Example Tutorial.
I have written a @WebFilter which checks which page the user tries to access, and if he isn't authenticated (session not created or there isn't a user attribute inside the session) he is redirected to the login.html page.
This is relevant code from my login.html page:
<form action="LoginServlet" method="post">
...
input elements for username and password
...
</form>
The form submits its data to LoginServlet. LoginServlet checks that the credentials are correct and, if they are, redirects back to the required page. Currently I store the required page in the session (it's better to store this in a hidden element inside the form, but I didn't know it when I was writing the code).
I perform redirect from LoginServlet by using this line of code:
response.sendRedirect(redirectToPage);
All pages in my project are simple *.html pages with JavaScript; I make a mobile web app by using jQuery Mobile.
My problem is that after the redirect to the required page:
In the address bar I see the name of my servlet, LoginServlet, while in the Chrome console I don't see the content of my page, only the name of my servlet, LoginServlet, and its content is blank. But inside the browser I see all static content; it's rendered correctly.
The most important problem is that all my dynamic content in a loaded page doesn't work. By dynamic content I mean a few Ajax functions which should be invoked upon page loading and render dynamic content:
$(document).on('pagebeforeshow',function(){
initPage();
});
If I reload the page, everything begins to work as it should.
What am I doing wrong?
Thank you in advance.
There are actually two solutions for this problem.
The first one is to perform the redirect in JavaScript, not in the servlet, and I think that it's the preferable solution; for more details look here: How to manage a redirect request after a jQuery Ajax call
And the second solution, if you are required to do it from the servlet after submitting a <form/>, is to add data-ajax="false" to the <form/> tag:
<form action="postthis" method="post" data-ajax="false">. This solution is taken from here: https://stackoverflow.com/a/8631895/947111

Accessing a non-editable hidden field in Angular

So I have a unique situation. I have a small Angular app that lives inside of a legacy ASP.NET WebForms app (the header and the footer). The user still authenticates via WebForms; there is no token service currently implemented.
However, when Angular submits a form, the back end needs the JSON to contain a CreatedBy value which is equal to the CurrentUserId. This value is accessible via a hidden field that looks like:
<input type="hidden" name="ctl00$contentPage$CurrentUserId" id="CurrentUserId" value="326">
The other curveball is that this hidden input tag lives outside of the <div ng-app> </div> div.
I'm a little stumped as to how I would accomplish this.
Any ideas?
You can register this value as a constant right on the page: angular.module('myApp').constant('currentUserId', '<%= CurrentUserId.Value %>');

how to generate html from servlet

I don't understand how a servlet generates HTML. I have one HTML page where I need to write my name and password, and when I click the sign-in button it calls the servlet signServlet.mk. Then I need to create a session where I keep the user name, and I need to create a cookie with his name. I did this, but now this servlet needs to generate the HTML page catalog.html. So I don't know what to do here; do I need to override doGet or not?
Thanks a lot!
This is the first HTML page:
Корисничко име
<label> Лозинка <input type="password" name="pass"></label>
<br />
You need to override the doGet() or doPost() method depending on the type of request. As you are sending a user name and password, it is strongly recommended to use a POST request (which can be achieved by wrapping your HTML body in a <form method="POST"></form> tag).
Once you are done with that, you can override the doPost() method in your servlet. You also need to do the required configuration.
Good examples of the same are provided here and here.
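As an added example (not code from the question or the answer above), a servlet that does the three things asked for: handles the sign-in POST, stores the user name in the session and in a cookie, and writes the catalog page itself. The mapping /signServlet.mk is taken from the question; the field name "user", the credential check and the page contents are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/signServlet.mk") // mapping from the question; use web.xml instead if you prefer
public class SignServlet extends HttpServlet {

    // The form is submitted with method="POST", so doPost() is the method to override.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user"); // assumed name of the user-name input
        String pass = req.getParameter("pass"); // name used by the question's password input
        if (!credentialsValid(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Start a fresh session on login, then remember who is signed in.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        // Cookie with the user name, as asked. HttpOnly keeps it away from page scripts;
        // the value is URL-encoded because cookie values cannot carry non-ASCII text.
        Cookie c = new Cookie("username", URLEncoder.encode(user, "UTF-8"));
        c.setHttpOnly(true);
        c.setPath(req.getContextPath() + "/");
        resp.addCookie(c);
        // Generate the catalog page directly from the servlet.
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<!DOCTYPE html><html><head><title>Catalog</title></head><body>");
            out.println("<h1>Catalog</h1>");
            out.println("<p>Signed in as " + escapeHtml(user) + "</p>");
            out.println("</body></html>");
        }
    }

    // Placeholder check (assumption): replace with a lookup against your user store.
    private boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }

    // Escape the user name so it cannot inject markup into the generated page.
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```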

How to change Chrome required field processing

I have some input fields with the required attribute:
<input id="name" required="" placeholder="Write your name">
Additionally I have a button that makes a postback and some other link that makes a postback as well.
But in case the input field hasn't any data, Chrome blocks my postback action and shows a Chrome popup box with information that I need to fill in all the data on the form.
At the same time, IE allows it.
How to resolve it?
Of course I can remove this attribute with JavaScript before the postback action, but I am not sure this is the right way.
I think you shouldn't count on the HTML5 required attribute since (in the case of IE) only IE 10+ supports it (see the "Form validation" section here: Web Forms - Dive Into HTML5). Of course, the same goes for the placeholder attribute, but in most cases it's something you can live with (and having working validation is more critical).
I think you should use the validation functionality provided by ASP.NET itself; it's very easy to get started with, and you can easily make it work with and without JavaScript enabled on the client. More info here: Understanding ASP.NET Validation Techniques.

Send post data to asp.net page from classic asp

The goal is to pop up an ASP.NET page from classic ASP using POST data; however, the ASP.NET page always has the Request.Form variables empty and shows RequestType GET.
I have stripped all the code out of the ASP, tested receiving the form variables sent from an HTML page on the ASP.NET page, and this works fine. Copying the same form HTML to the ASP page still gives no Request.Form data and a RequestType of GET:
<html>
<head></head>
<body>
<form method="post" name="form" action="http://localhost:51307">
<input name="uid" value="1" />
<input type="submit" name="Submit" />
</form>
</body>
</html>
1. The ASP site is using frames and the form is sent from a child frame; I'm unsure if this is the issue.
2. Assuming this worked, I had thought to submit a form in ASP and use the onsubmit event of the form to pop up the page, which would send the form variables as POST data. Is this the best way of doing this?
UPDATE
The frames seem to be at fault here somehow. I have posted from the form within the framed page to another classic ASP page and then redirected from this to the ASP.NET page.
This probably happened because "Navigate windows and frames across different domains" is disabled by default in IE browsers, which means you can't pass form data, for security reasons.
ASP.NET requires certain form fields to be set (usually as hidden fields, though HTTP POST obviously does not know the difference) for an inbound request to be treated as valid, thereby populating the relevant variables.
If I recall, you need to set __EVENTTARGET, __EVENTARGUMENT, and __VIEWSTATE.
Then, your ASP.NET code needs to be able to handle what was sent, as the default handlers will expect there to be something in __VIEWSTATE at a minimum. So, you would need to override the ViewState handler in your page. I can update with more information later when I'm at work, since I know I've done this before.
The problem is with the redirect. When you redirect a page, it creates a GET request instead of a POST request, and therefore it will not have any form data.
Your options are to:
Append the form values to the query string.
Dynamically generate the form corresponding to the posted Request.Form collection, and submit it to the ASP.NET page using JavaScript during the body onload event.