Enabling cross-site request forgery protection in Struts
Cross-site request forgery (CSRF) is a type of malicious attack that tricks a user into sending unintended requests. For example, an attacker can trick an authenticated user into clicking a link to update their personal information. HCL Commerce accepts this request as valid, as proper session cookies exist as part of the request.
When cross-site request forgery protection is enabled, a designated URL parameter that is called authToken is required to be included as part of the request. The parameter value is generated by HCL Commerce and passed to the page in a request attribute with the same name.
Note: The authToken parameter is available only on SSL-protected pages, because the token must not be exposed in transit. Only sensitive URLs that use SSL require this protection. CSRF protection in HCL Commerce is intended to protect a user who is fully authenticated, not a user in a partially authenticated (remembered) state.
Procedure
- Identify the action to protect. For example, UserRegistrationUpdate.
- Open the Struts configuration file where the action is defined. Add a property named csrfProtected to the action. For example:
In HCL Commerce Versions 9.0.0.x:
<action parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationUpdateCmd" path="/UserRegistrationUpdate" type="com.ibm.commerce.struts.BaseAction">
  <set-property property="https" value="0:1"/>
  <set-property property="authenticate" value="0:0"/>
  <set-property property="csrfProtected" value="10101:1"/>
</action>
For the Struts 2 action configuration (com.ibm.commerce.struts.v2.BaseAction):
<action class="com.ibm.commerce.struts.v2.BaseAction" name="UserRegistrationUpdate">
  <param name="parameter">com.ibm.commerce.usermanagement.commands.UserRegistrationUpdateCmd</param>
  <param name="authenticate">0:0</param>
  <param name="csrfProtected">10101:1</param>
  <param name="https">0:1</param>
</action>
Notes:
- The value of the csrfProtected property (the value attribute of the set-property element, or the body of the csrfProtected param element) is a comma-separated list of <storeId>:<property value>. The request is protected under CSRF protection when the property value for the store is 1.
- In an extended sites store model, you must set individual actions for each extended sites store.
- Edit the JSP file that invokes this action to include the authToken URL parameter. For example:
<input type="hidden" name="authToken" value="${authToken}" id="WC_UserRegistrationUpdateForm_FormInput_authToken_In_Register_1"/>
Note: If the JSP file is cached, the part of the page that specifies the authToken must be placed in a JSP fragment that is not cached.
Note: You can add CSRF protection for a command within a business user tool, such as HCL Commerce Accelerator. To add the protection, modify the associated JSP file and modify the savePanelData() method to add the authToken. Your modified code can resemble the following code:
parent.addURLParameter("authToken", "${authToken}");
- Update the StrutsConfigRegistry registry component.
Results
Note: When a cross-site request forgery violation is detected, the request is routed to the CrossSiteRequestForgeryErrorView view. That is, this view is shown when a request to an action that is configured to be protected does not include the authToken parameter.
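The check described on this page (a per-store csrfProtected flag, the authToken parameter compared against the token issued for the session, and a violation routed to CrossSiteRequestForgeryErrorView) modelled as an added Python example; this is not HCL Commerce's code, and the function names, the session dictionary and the token generation are assumptions made for the illustration.

```python
import hmac
import secrets
from typing import Dict

# View name taken from the page; everything else here is a modelling assumption.
ERROR_VIEW = "CrossSiteRequestForgeryErrorView"


def parse_store_flags(value: str) -> Dict[int, int]:
    """Parse a csrfProtected value such as '10101:1,10102:0' into {storeId: flag}."""
    flags: Dict[int, int] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        store_id, flag = entry.split(":", 1)
        flags[int(store_id)] = int(flag)
    return flags


def is_protected(csrf_protected: str, store_id: int) -> bool:
    """An action is CSRF-protected for a store only when that store's value is 1."""
    return parse_store_flags(csrf_protected).get(store_id, 0) == 1


def issue_auth_token(session: dict) -> str:
    """Generate the per-session token that the JSP emits as the authToken field."""
    token = secrets.token_urlsafe(32)  # unpredictable, so an attacker cannot forge it
    session["authToken"] = token
    return token


def route_request(csrf_protected: str, store_id: int, session: dict,
                  params: Dict[str, str], target_view: str) -> str:
    """Return the view to render: the target, or the error view on a violation."""
    if not is_protected(csrf_protected, store_id):
        return target_view
    expected = session.get("authToken")
    supplied = params.get("authToken")
    # Missing token (the cross-site case: the attacker cannot read it) is a violation.
    if expected is None or supplied is None:
        return ERROR_VIEW
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected, supplied):
        return ERROR_VIEW
    return target_view
```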