
java - Struts2 token interceptor: CSRF protection - Stack Overflow


I am trying to protect my web application from CSRF attacks by using the struts token interceptor.

The problem I am facing right now is that our JSP pages make more than one call to the server (while the JSP is converted to JS a struts token is added to the JS, but in this JS there are multiple Ajax requests; I hope I am making myself clear). Because of the token interceptor only the first request to the server is getting validated. The other requests are getting invalidated because the struts token is reset after each validation.

Is there a way I can stop Struts from resetting the token every time it validates? Is there any other solution to handle this in the struts interceptor?

I am also looking at the tomcatcsrfprotection module; I guess I will end up with the same problem there as well.

managepage.jsp:

<s:token />
<script type="text/javascript">
var strutsToken = "<s:property value="#session['struts.tokens.token']" />";
var requestParams = {mainAction: 'loadGroups','struts.token.name': 'token' , token:strutsToken};

Ext.Ajax.request({
              url: 'manageUserAccount.action',
              params: Ext.urlEncode(requestParams),
              disableCaching: true,
              success: this.actionCallback
              });
//loading widgets

var requestParams = {mainAction: 'loadusers','struts.token.name': 'token' , token:strutsToken};

Ext.Ajax.request({
              url: 'manageUserAccount.action',
              params: Ext.urlEncode(requestParams),
              disableCaching: true,
              success: this.actionCallback
              });

</script>

Struts.xml:

  <action name="manageUserAccountEdit" class="ManageUserAccountEditAction">
     <interceptor-ref name="csrf-protection" /> 
     <result name="success">/pages/manageUserAccount.jsp</result>
 </action>

I have just added minimum code so that understanding it will be easier.


asked May 7, 2014 at 10:20 by Mok; edited May 13, 2014 at 9:05 by Roman C
  • What do you mean jsp pages makes more than one call to server ? – Aleksandr M Commented May 7, 2014 at 10:23
  • I need to make multiple ajax request using the same token in the client page. – Mok Commented May 7, 2014 at 10:26
  • While jsp is converted to js a struts token is added to js. In this js there are multiple Ajax request. I hope I am making myself clear. – Mok Commented May 7, 2014 at 10:27
  • 1 You need to make each ajax request with a new token. – Aleksandr M Commented May 7, 2014 at 10:28
  • 1 See my answer to this question: stackoverflow.com/q/18822095/1700321. – Aleksandr M Commented May 7, 2014 at 10:32

1 Answer


You can use the code in my answer for Unable to implement Struts 2 token interceptor with hyperlink to create an action that returns a token. You can use any of the results stream or json or dispatcher to return a token as an Ajax success callback result. You can find an example in the issue returning JSON value. Now you can use the token to make your Ajax requests. Each time you need to make a new request you should call a token action to get a new token. Use the token as a parameter to your request and put the token interceptor in front of your actions.
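The approach the answer describes, as an added example that is not the answer's or the question's own code: a Struts 2 action that hands out a fresh synchronizer token through the struts2-json-plugin `json` result, with the matching struts.xml and the client-side order of calls in comments. The class name TokenAction, the action name newToken, the package name and the `manageUserAccount` wiring are assumptions.

```java
// Assumed package and class names (not from the original post).
package example;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.util.TokenHelper;

/*
 * struts.xml for this example (assumed; the question names its interceptor
 * "csrf-protection", which plays the role of "token" here):
 *
 *   <package name="secure" extends="json-default">
 *     <action name="newToken" class="example.TokenAction">
 *       <result type="json"/>
 *     </action>
 *     <action name="manageUserAccount" class="ManageUserAccountAction">
 *       <interceptor-ref name="defaultStack"/>
 *       <interceptor-ref name="token"/>
 *       <result name="invalid.token">/pages/invalidToken.jsp</result>
 *       <result name="success">/pages/manageUserAccount.jsp</result>
 *     </action>
 *   </package>
 *
 * Client flow (per request, never shared between two Ajax calls):
 *   1. GET  newToken.action            -> {"tokenName":"token","token":"..."}
 *   2. POST manageUserAccount.action   with struts.token.name=token and
 *                                      token=<value from step 1>
 * The token interceptor removes the token from the session when it validates,
 * so two requests fired with one token fail on the second one. Serialise the
 * calls (fetch token, send, fetch token, send) instead of sending them at once.
 * Do not expose newToken.action cross-origin (no CORS, no JSONP): anything that
 * can read its response can mint tokens for the victim's session.
 */
public class TokenAction extends ActionSupport {
    private String tokenName;
    private String token;

    @Override
    public String execute() {
        // TokenHelper.setToken(name) generates a random token, stores it in the
        // session under "struts.tokens.<name>" and returns it. This is the same
        // helper the <s:token/> tag uses, so the interceptor accepts the value.
        tokenName = TokenHelper.DEFAULT_TOKEN_NAME; // "token"
        token = TokenHelper.setToken(tokenName);
        return SUCCESS;
    }

    // The json result serialises public getters, so these two become the body.
    public String getTokenName() { return tokenName; }
    public String getToken() { return token; }
}
```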
