Nov 10, 2021 3:02:42 PM Thomas Dumont
Protecting forms against CSRF (cross-site request forgery)
To protect against cross-site request forgery (CSRF) attacks, the proposal is to generate, and send with each form, a random value bound to both the action and the user session. The server must check that this value is returned with the form submission request. To do this, it is necessary to:
- Add the token in the model object for the template:
// Generate the token for this session and action, and expose it to the template under MARK_TOKEN
model.put(SecurityTokenService.MARK_TOKEN, SecurityTokenService.getInstance().getToken(request, ACTION_TEMPLATE));
- Add the token field in the template form:
<input type="hidden" name="token" value="${token}">
- Then check the request:
// CSRF token check: the submitted value must match the one issued for this session and action
if (!SecurityTokenService.getInstance().validate(request, ACTION_TEMPLATE)) {
    throw new AccessDeniedException("Invalid security token");
}
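The scheme described above, as an added stand-alone example that is not Lutece's own SecurityTokenService: a minimal per-session, per-action token service in which the servlet session is replaced by a plain Map (an assumption made so the example runs offline), together with the checks a submit handler performs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the real service: the Map plays the role of
// HttpSession so that each token stays limited to one user session.
public class CsrfTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String SESSION_KEY_PREFIX = "csrf.token.";

    // Issue (or reuse) the random token bound to this session and this action.
    public static String getToken(Map<String, Object> session, String action) {
        String key = SESSION_KEY_PREFIX + action;
        String token = (String) session.get(key);
        if (token == null) {
            byte[] raw = new byte[32]; // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(key, token);
        }
        return token;
    }

    // Check the value returned in the form against the one stored for this action.
    public static boolean validate(Map<String, Object> session, String action, String submitted) {
        String expected = (String) session.get(SESSION_KEY_PREFIX + action);
        if (expected == null || submitted == null) {
            return false; // no token issued, or none sent back (typical of a cross-site post)
        }
        // Constant-time comparison so the check does not leak the token through timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed session
        String token = getToken(session, "ACTION_TEMPLATE");
        // The hidden field sends back the issued value: accepted.
        System.out.println("same token, same action: " + validate(session, "ACTION_TEMPLATE", token));
        // A forged request cannot know the token: rejected.
        System.out.println("guessed token:           " + validate(session, "ACTION_TEMPLATE", "guess"));
        // A token issued for one action is not accepted for another.
        System.out.println("token for other action:  " + validate(session, "OTHER_ACTION", token));
        // No token field at all: rejected.
        System.out.println("missing token:           " + validate(session, "ACTION_TEMPLATE", null));
    }
}
```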