I want to implement Cross-site request forgery prevention for my web application, which is based on the Struts 1.x framework. I know that the Struts 2 framework provides a token interceptor.
The Struts 1 Action token methods work like the Struts 2 token interceptor in that they add a token to your session and check it on form submission, but it is a much more manual process. The basic workflow is:

1. Call saveToken(request) before forwarding onto the JSP that contains the form.
2. On form submission, call isTokenValid(request, true), and you should redirect back to the first Action with an error message if it returns false. This also resets the token for the next request.

Doing this will not only prevent duplicate form submissions, but any script will have to hit the first Struts Action and get a session before it can submit to the second Struts Action to submit the form. Since a site can't set a session for another site, this should prevent CSRF.
If you usually send users directly to your JSP, don't. Instead, create a new class inheriting from ForwardAction and set this as its execute() method:
import javax.servlet.http.*; import org.apache.struts.action.*;
import org.apache.struts.actions.ForwardAction;
public class TokenForwardAction extends ForwardAction { // ForwardAction.execute() forwards to the path in the mapping's "parameter" attribute
    public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception {
        saveToken(request); // store a fresh token in the session; <html:form> on the JSP renders it as a hidden field
        return super.execute(mapping, form, request, response);
    }
}
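As an added example (not code from the original answer), here is the second Action, the one that receives the form and checks the token. The forward names "showForm" and "success" and the message key "errors.token" are assumed and must match your struts-config.xml and resource bundle.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

/** Form-handling Action: rejects any submission whose session token is missing or stale. */
public class SubmitOrderAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // isTokenValid() compares the hidden field posted by <html:form>
        // (org.apache.struts.taglib.html.TOKEN) with the value saveToken() stored
        // in the session. Passing "true" resets the token, so each one is single-use:
        // a replayed or cross-site POST without the session token fails here.
        if (!isTokenValid(request, true)) {
            ActionErrors errors = new ActionErrors();
            errors.add(ActionErrors.GLOBAL_MESSAGE, new ActionMessage("errors.token"));
            saveErrors(request, errors);
            // Assumed forward back to the token-saving Action; configure it with
            // redirect="true" in struts-config.xml so the browser is redirected, not forwarded.
            return mapping.findForward("showForm");
        }
        // Token checked out: process the form data here, then continue (forward name assumed).
        return mapping.findForward("success");
    }
}
```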