Cross-site request forgery (CSRF) is a type of malicious attack that tricks a user into sending unintended requests. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information. WebSphere Commerce accepts this request as valid because the proper session cookies are sent as part of the request.
When cross-site request forgery protection is enabled, a designated URL parameter named authToken must be included in the request. WebSphere Commerce generates the parameter value and passes it to the page in a request attribute with the same name.

Note: The authToken parameter is available only on SSL-protected pages, because the token must not be exposed in clear text where it could be observed. Only sensitive URLs that use SSL require this protection. CSRF protection in WebSphere Commerce is intended to protect a user who is fully authenticated, not a user in a partially authenticated (remembered) state.
Procedure
- Identify the action to protect, for example, UserRegistrationUpdate.
- Open the Struts configuration file where the action is defined and add a property named csrfProtected to the action. For example:

    <action
        parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationUpdateCmd"
        path="/UserRegistrationUpdate" type="com.ibm.commerce.struts.BaseAction">
        <set-property property="https" value="0:1"/>
        <set-property property="authenticate" value="0:0"/>
        <set-property property="csrfProtected" value="10101:1"/>
    </action>

  Notes:
  - The value attribute of the set-property element is a comma-separated list of <storeId>:<property value> pairs. The request is protected under CSRF protection when the property value for the store is 1.
  - In an extended sites store model, you must set individual actions for each extended sites store.
- Edit the JSP file that invokes this action to include the authToken URL parameter. For example:

    <input type="hidden" name="authToken" value="${authToken}" id="WC_UserRegistrationUpdateForm_FormInput_authToken_In_Register_1"/>

  Note: If the JSP file is cached, the part of the page that specifies the authToken must be placed in a JSP fragment that is not cached, so that a stale token is not served from the cache.
  Note: You can add CSRF protection for a command within a business user tool, such as WebSphere Commerce Accelerator. To add the protection, modify the associated JSP file and modify its savePanelData() method to add the authToken. Your modified code can resemble the following:

    parent.addURLParameter("authToken", "${authToken}");
- Restart the WebSphere Commerce Server or update the StrutsConfigRegistry registry component.
Results

Note: When a cross-site request forgery violation is detected, the request is routed to the CrossSiteRequestForgeryErrorView view. That is, this view is shown when a request that is configured to be protected does not include the authToken parameter.
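To make the <storeId>:<property value> semantics and the token check concrete, the following is an added illustrative Java model, not WebSphere Commerce's own code (the class and method names are assumptions): it parses a csrfProtected value, decides whether a store's request must carry authToken, and validates the token against the session's copy with a constant-time comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Illustrative model (not WebSphere Commerce code) of the csrfProtected check:
// parse the "<storeId>:<value>" list, decide whether a store's request must
// carry authToken, and compare the supplied token with the session's copy.
// Class and method names are assumptions made for this example.
public class CsrfProtectedCheck {
    private final Map<Integer, Boolean> protectedByStore = new HashMap<>();

    // Parses a set-property value such as "10101:1,10102:0".
    public CsrfProtectedCheck(String setPropertyValue) {
        for (String entry : setPropertyValue.split(",")) {
            String[] parts = entry.trim().split(":");
            if (parts.length != 2) {
                throw new IllegalArgumentException("bad entry: " + entry);
            }
            protectedByStore.put(Integer.valueOf(parts[0].trim()), "1".equals(parts[1].trim()));
        }
    }

    // True when the action is CSRF-protected for this store (property value 1).
    public boolean requiresToken(int storeId) {
        return protectedByStore.getOrDefault(storeId, false);
    }

    // A missing token is a violation; the comparison is constant-time so a wrong
    // token cannot be distinguished from a nearly-right one by response timing.
    public boolean isValid(String sessionToken, String requestToken) {
        if (sessionToken == null || requestToken == null) {
            return false;
        }
        return MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8),
                                     requestToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        CsrfProtectedCheck check = new CsrfProtectedCheck("10101:1,10102:0");
        String issued = "constructed-session-token"; // constructed sample value
        // Store 10101, authToken absent: violation -> CrossSiteRequestForgeryErrorView
        System.out.println(check.requiresToken(10101) && !check.isValid(issued, null));
        // Store 10101, hidden-field value matches the session copy: accepted
        System.out.println(check.requiresToken(10101) && check.isValid(issued, issued));
        // Store 10102 has property value 0, so the token is not required there
        System.out.println(!check.requiresToken(10102));
    }
}
```

In a real deployment the session-side token must be generated with a cryptographically secure random source and bound to the authenticated session, which this model leaves out.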