views: 500

answers: 5

I'm looking for a method or current API that allows you to add tokens to web app requests, maybe within the session but not persisted. Or, if you could, help me by outlining an efficient method for doing this.

E.g.

1. GET request => Servlet generates a token and prints it in the view

2. returns a view with a hidden token

    <input type="hidden" name="token" value="UA37jdjs9UDJS3">
    <input type="submit" name="deleteEmail" value="Delete">

3. POST request => form is submitted and checks if the token is the same.

A few things to note: if there are Ajax requests, then some other tokens would have to stay alive for a number of requests.

If the user decides to close the browser, the token would have to die when the session is timed-out.

If the user fails to complete the form, goes off to do something else on the site, those tokens would have to be deleted as they go unused.

But what is the best way of implementing a system like this?

Does Spring Security 3 have a system that I can use?

Within the Java, Grails, Spring MVC, Spring Security 3 and Hibernate area.

+1  A: 

My first thought was that you might just use the already generated session id. But if you are trying to fork state, I would suggest using something like Seam's conversation model.

disown
+1  A: 

Why not just use the session id that the web container generates for you when you call request.getSession()?

If you want to create your own "token" you might want to check Cookies. A Cookie is a key-value pair sent as an HTTP header by a web server to a web browser and then sent back unchanged by the browser each time it accesses that server.

To create a cookie in a Servlet you can use:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.*;

    public class TokenServlet extends HttpServlet {
        @Override
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // Create a cookie
            Cookie c1 = new Cookie("yourdomain.token", "the value");
            response.addCookie(c1);
            // build your response
        }
    }

The cookie will be automatically included in the next HTTP request. You can read it back with:

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getCookies() returns null when the request carries no cookies at all
        Cookie[] cookies = request.getCookies();
        // build your response
    }
Dani Cricco
Session tracking... Yes, this would provide quite a lot of support. I'll just have to figure out whether any methods exist within Spring Security before I go ahead with cookies. Thanks
Daxon
A: 

I recently encountered a use case for this.

If an old application window was present in the browser, and a login link was clicked from another browser window, the login action first created a new session and then redirected to the application window. This triggered the old window's onunload method, which resulted in a logout request to the server, logging out the new user.

Relying on a JavaScript onunload event for logging out seems kind of crappy to me, but this could not be changed, so we chose to do as the OP suggested and added a token in each rendered view, checking it for each request. This stops the onunload logout request from terminating the new session.

As to the best way, I would say this is pretty straightforward. You can for instance use http://java.sun.com/j2se/1.5.0/docs/api/java/util/UUID.html to generate unique keys. If you are using a component-based framework like Tapestry, JSF or Wicket there might be a higher-level way of handling this.

Is this similar to your use case? Or are you trying to achieve something completely different?

Adriaan Koster
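The three steps from the question (issue a token on GET, carry it in a hidden field, check it on POST), plus the per-view check Adriaan describes, written out as a plain servlet. This is an added example, not code from any of the posters: the class name, the session attribute name, the token size and the per-session cap are all assumptions, and it draws the token from SecureRandom rather than java.util.UUID. Tokens live only as a session attribute, so they die with the session; each form token is consumed on first use; abandoned ones age out once the cap is reached; and a non-consuming check is provided for Ajax calls that reuse one token across several requests.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for the "Delete" form in the question; names are assumptions.
public class DeleteEmailServlet extends HttpServlet {
    private static final String TOKEN_ATTR = "example.formTokens"; // assumed attribute name
    private static final int MAX_LIVE_TOKENS = 20; // bound on abandoned forms per session
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue a fresh token and remember it in the session only (never persisted). */
    static String issueToken(HttpSession session) {
        byte[] buf = new byte[24];
        RNG.nextBytes(buf);
        // URL-safe Base64 is [A-Za-z0-9_-], so it can sit in an HTML value attribute unescaped
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        synchronized (session) {
            Set<String> live = liveTokens(session);
            // Evict oldest first: tokens from forms the user walked away from age out
            while (live.size() >= MAX_LIVE_TOKENS) {
                live.remove(live.iterator().next());
            }
            live.add(token);
        }
        return token;
    }

    /** Consume a submitted form token: valid exactly once, then removed so a replay fails. */
    static boolean consumeToken(HttpSession session, String submitted) {
        if (session == null || submitted == null) return false;
        synchronized (session) {
            return liveTokens(session).remove(submitted);
        }
    }

    /** Check without consuming: for Ajax calls that reuse one token across several requests. */
    static boolean checkToken(HttpSession session, String submitted) {
        if (session == null || submitted == null) return false;
        synchronized (session) {
            return liveTokens(session).contains(submitted);
        }
    }

    @SuppressWarnings("unchecked")
    private static Set<String> liveTokens(HttpSession session) {
        Set<String> live = (Set<String>) session.getAttribute(TOKEN_ATTR);
        if (live == null) {
            live = new LinkedHashSet<>(); // insertion order gives us oldest-first eviction
            session.setAttribute(TOKEN_ATTR, live);
        }
        return live;
    }

    /** Step 1 and 2: generate a token and render it into the view as a hidden field. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = issueToken(req.getSession(true));
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print(
            "<form method=\"post\">"
          + "<input type=\"hidden\" name=\"token\" value=\"" + token + "\">"
          + "<input type=\"submit\" name=\"deleteEmail\" value=\"Delete\">"
          + "</form>");
    }

    /** Step 3: the POST is honoured only if it carries a token this session issued. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): a timed-out session has no token set, so the submit is refused
        if (!consumeToken(req.getSession(false), req.getParameter("token"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid or expired form token");
            return;
        }
        // Token matched and is now spent: perform the state-changing action here
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().print("deleted");
    }
}
```

Mapped to a URL, a GET renders the form with a fresh token and a POST with a missing, stale, reused or foreign token gets a 403 before anything is deleted. Because the set is an ordinary session attribute, session timeout or logout discards every outstanding token with no cleanup code, which is the behaviour the question asks for when the browser is closed.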
+1  A: 

Have a look at the HDIV project at http://www.hdiv.org/. They do exactly this. Even if you don't use the HDIV project's code, the information there may give you an idea of how to do it yourself. It was a good primer for me to learn about handling tokens for things like CSRF and other uses like double-submit controls.

Mike
+1  A: 

Did you take a look at "Synchronizer Token Pattern" in the Grails documentation at http://grails.org/doc/1.2.0/guide/single.html ?

ZbigniewC
I never saw this; it's pretty much what I'm looking for. I may find out what method is being used to set the token in the form tag and see if I can use it in my own for Ajax.
Daxon