Spring MVC : How to Protect Application from CSRF and XSS - spring-mvc

What is the best way to protect our Spring MVC application from CSRF and XSS.
Is there native Spring MVC support for this?

In Spring:
Forms ( globally):
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
Forms ( locally):
<spring:htmlEscape defaultHtmlEscape="true" />

You can use Spring Security 3.2.0.RELEASE and enable csrf support with this configuration
<http>
<!-- ... -->
<csrf />
</http>

Here is a blog about it.
http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html
another one.
http://web.securityinnovation.com/appsec-weekly/blog/bid/79007/How-to-Prevent-Cross-Site-Request-Forgery-CSRF-in-SpringMVC
For token generation esapi can be used.
https://code.google.com/p/owasp-esapi-java/

Related

Spring Security addFilterAfter using XML confirguation

I am currently using Spring Security 4 on Spring MVC. I try to config anti-CSRF using REST service, not servlet. This post is very useful but it uses Java configuration. How can I convert
http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
into an XML configuration environment?
Thanks.
XML can be following for addfilterAfter()
<http>
<custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="org.security.filter.CustomFilter"/>
Hope it will help....

Which are the classes used for User Authentication in alfresco.4.2.c in the case of External SSO?

I am trying to implement External SSO in alfresco share. I am using alfresco.4.2.c.
I want to enable debug mode for the classes which are using for Authentication in the case of External SSO.
So please let me know the class names which are using in External SSO.
Depends on which SSO you are integrating say OpenAM, CAS etc
SlingshotUserFactory class is used for default authentication in Alfresco Share
You can override its entry as below in share-config-custom.xml
<config evaluator="string-compare" condition="WebFramework">
<web-framework>
<!-- SpringSurf Autowire Runtime Settings -->
<!-- Developers can set mode to 'development' to disable; SpringSurf caches,
FreeMarker template caching and Rhino JavaScript compilation. -->
<defaults>
<page-type>
<id>login</id>
<page-instance-id>slingshot-login</page-instance-id>
</page-type>
<user-factory>webframework.factory.user.custom.slingshot
</user-factory>
</defaults>
</web-framework>
</config>
Add below entry in custom-slingshot-application-context.xml
<bean id="webframework.factory.user.custom.slingshot" class="com.test.web.site.ExtSlingshotUserFactory"
parent="webframework.factory.user.slingshot">
</bean>
now on login it will call your class for authentication

How to configure spring mvc project which contains controller both annotated and configured

Can any one tell me, how to configure spring mvc project that contains controllers both annotated and configured??
I want to configure static pages using ParametrizedViewController and rest of all using Annotations.
But it is not working??
Please someone tell the configuration file(dispatcher-servlet.xml in my case) which will contain both this requirements.
Thanks in advance.
<!-- Registering MVC stuff necessary for #RequestMapping -->
<mvc:annotation-driven />
<!-- Your view controller definition -->
<mvc:view-controller path="/home" view-name="home" />

Spring Security - overriding default configuration in profile

Context is Spring 3.1 (we use Spring MVC and Spring Security).
What we are trying to do is an admin page only available when the admin profile is active. With Spring Security, we tried something like:
<security:http use-expressions="true" entry-point-ref="entryPointDenied">
<security:intercept-url pattern="/admin/**" access="denyAll" />
</security:http>
<beans profile="admin">
<security:http use-expressions="true">
<security:intercept-url pattern="/admin/**" access="permitAll" />
<sec:form-login/>
</security:http>
</beans>
But that doesn't work as we can't override security:http definitions (we tried using the http#name attribute). So with above configuration, we get
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored.
Also we can't use the negated profile (i.e. profile="!admin") feature as it is introduced in Spring 3.2.
Ideally the solution should be purely Spring configuration.
Edit: added missing use-expressions="true" to the second security:http

How to prevent Spring Security 2.5 from overriding the loading of a Welcome Page (index.html)

I have a Spring MVC Web app that I'd like to show a simple Welcome Page (index.html). On that page, I just to have a 2 href links: one to bring me to the Login Page that is then implemented using Spring Security (2.5.6) and Hibernate 3 and the other to a Registration Page for new users.
However, the problem is that Spring Security automatically loads my login page each time and does NOT load the index.html page where I have coded the 2 links to forward me to either login or registration. I am brought to the login page which works fine. However, I never get to show the initial index.html page of my web application.
Can anyone shed light on how to prevent Spring Security from overriding the 'Welcome Page' with it's Login Page.
Many thanks.
Here is my Spring Security set up in web.xml:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/spring-beans.xml
WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
There's nothing wrong with your web.xml file, you need to show us your WEB-INF/spring-security.xml file.
If you keep getting directed to the login page, chances are you mess up the intercept-url pattern that causes your welcome page to be caught by Spring Security for further authentication before displaying it.
This is an example of the intercept-url tags that you will find in your WEB-INF/spring-security.xml file:-
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<intercept-url pattern="/login.jsp*" filters="none"/>
<intercept-url pattern="/admin/searchUsers.do" access="ROLE_ADMIN" />
<intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN" />
<form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/home.do"/>
<logout logout-success-url="/home.do"/>
</http>
use
<form-login login-page="/login.jsp" />
Controller should handle user's request and in your case no controller which mapped to this URL. When controller found, it performs some logic and returns view name which will be used to represent server's response. So, view name translator called only after controller and only for deduce full path to particular JSP file.
<mvc:view-controller path="/" view-name="index"/>
Try to add

Resources