Enabling cross-site request forgery protection in Spring

Cross-site request forgery (CSRF) is a type of malicious attack that tricks a user into sending requests they did not intend to send. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information. HCL Commerce accepts this request as valid because the user's session cookies are sent along with the request.

About this task

When cross-site request forgery protection is enabled, a designated URL parameter named authToken must be included in the request. The parameter value is generated by HCL Commerce and passed to the page in a request attribute with the same name.

Note: The authToken parameter is available only on SSL-protected pages, because the token must not be exposed over an unencrypted connection. Only sensitive URLs that use SSL require this protection. CSRF protection in HCL Commerce is intended to protect a user after they have fully authenticated, not in a partially authenticated (remembered) state.

Procedure

  1. Identify the controller to protect. For example, userRegistrationUpdate.
  2. Open the Spring configuration file where the controller is defined. Add a property to the controller bean and name the property csrfProtected.
     For example:
     <bean id="userRegistrationUpdate" class="com.ibm.commerce.store.mvc.controller.spring.RESTActionController">
         <property name="https" value="1"/>
         <property name="authenticate" value="0"/>
         <property name="parameter" value="personHandler.updatePerson"/>
         <property name="generic" value="1"/>
         <property name="csrfProtected" value="1"/>
     </bean>

     Note: The request is covered by CSRF protection when the csrfProtected property has a value of 1.
  3. Edit the JSP file that invokes this controller so that the form includes the authToken URL parameter.
     For example:
     <input type="hidden" name="authToken" value="${authToken}" id="WC_UserRegistrationUpdateForm_FormInput_authToken_In_Register_1"/>
     Note: If the JSP file is cached, place the part of the page that specifies the authToken in a JSP fragment that is not cached, so that the token rendered into the page is the one that belongs to the current session.
  4. Deploy the changes to the production environment.
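The steps above configure HCL Commerce's built-in check; the following servlet filter is an added example that illustrates the same synchronizer-token pattern end to end (a per-session token is generated, exposed as the authToken request attribute for the JSP to render, and required on protected actions). It is not HCL Commerce's implementation: the class name AuthTokenFilter, the session attribute key, the way a protected controller is recognised (the trailing segment of the servlet path matching the bean id, here userRegistrationUpdate), and the error view path are all assumptions made for this illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative synchronizer-token filter (hypothetical; not HCL Commerce's code).
 * It mirrors the behaviour the procedure describes:
 *  - a per-session token is issued and exposed as the "authToken" request attribute,
 *  - controllers marked as CSRF-protected must receive a matching "authToken" parameter,
 *  - a missing or mismatched token routes the request to the CSRF error view.
 */
public class AuthTokenFilter implements Filter {

    private static final String TOKEN_NAME = "authToken";
    // Assumed session attribute key; any name that cannot collide with page data will do.
    private static final String SESSION_KEY = "AuthTokenFilter.token";
    // Assumed path for the error view; HCL Commerce resolves the view name itself.
    private static final String ERROR_VIEW = "/CrossSiteRequestForgeryErrorView";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Assumed: protected controllers are recognised by the last segment of the servlet
    // path matching the id of a bean that has csrfProtected="1".
    private static final Set<String> PROTECTED_CONTROLLERS =
            new HashSet<>(Arrays.asList("userRegistrationUpdate"));

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tokens are only issued on SSL pages, matching the note that authToken is
        // available only on SSL-protected pages.
        if (!request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(true);
        String expected = (String) session.getAttribute(SESSION_KEY);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(SESSION_KEY, expected);
        }
        // Expose the token so a JSP can render
        // <input type="hidden" name="authToken" value="${authToken}"/>.
        request.setAttribute(TOKEN_NAME, expected);

        if (isProtected(request.getServletPath())) {
            String supplied = request.getParameter(TOKEN_NAME);
            if (supplied == null || !constantTimeEquals(expected, supplied)) {
                // Violation: do not run the controller, show the error view instead.
                request.getRequestDispatcher(ERROR_VIEW).forward(request, response);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Returns true when the trailing path segment names a csrfProtected controller.
    static boolean isProtected(String servletPath) {
        if (servletPath == null) {
            return false;
        }
        int slash = servletPath.lastIndexOf('/');
        String last = slash >= 0 ? servletPath.substring(slash + 1) : servletPath;
        return PROTECTED_CONTROLLERS.contains(last);
    }

    // 256 bits from SecureRandom, URL-safe so it can travel as a URL parameter.
    static String newToken() {
        byte[] b = new byte[32];
        RANDOM.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Constant-time comparison so the check does not leak the token byte by byte.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The filter would be registered ahead of the Spring dispatcher in web.xml. Note the same caching point the procedure makes: because the token is per session, a page fragment that renders ${authToken} must not be served from a shared cache, or one user's token ends up in another user's form.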

Results

Note: When a cross-site request forgery violation is detected, the request is routed to the CrossSiteRequestForgeryErrorView view. That is, this view is shown whenever a request to a controller that is configured as protected does not include the authToken parameter.