Hi,
I have inherited some code in which I now have to add CSRF prevention and am trying to use the struts2 tokenSession interceptor to do this. I am adding a token to my form using the struts2 token tag like so:
<form id="updateObject" name="updateObject" action="<%=request.getContextPath()%>/prv/updateObject.action" method="POST">
    <fieldset class="x-fieldset">
        <legend>Update object - Action Required</legend>
        <div>...</div>
        <s:token />
        <s:hidden name="id" id="objectId" />
        more stuff here...
        <input type="submit" value="Update Object" onclick="javascript:return doUpdateObject('myAction');"/>
    </fieldset>
</form>
In my JavaScript function, I am adding/removing some validation rules (depending upon the action required), and submitting the form:
function doUpdateObject(action){
    actionPanel.registerAction(action); // this function places the action name in an in-scope variable
    doUpdateObjectValidationSetup(action); // this function adds/removes jquery validation rules depending upon the action
    if($("#updateObject").valid()){
        $("form#updateObject").submit();
    }
    return false;
}
I have intercepted the request and a token is being added; however, the struts2 tokenSession interceptor is returning invalid.token. The code works as expected without this interceptor. (struts2 xml file not posted - will post the relevant section if required.) I have also used the tokenSession interceptor in other pages which use a basic html submit button (i.e. not going via JavaScript or jQuery) and this also works as expected. What is making the token invalid?
N.B. The project I have inherited uses a strange mixture of standard html, struts2 tags, ExtJS and jQuery. I will clean this up at some point, but at the moment I just need to get the tokenSession interceptor working asap in the code as-is (as I have to apply a similar fix to several hundred pages...).
Any help/pointers/tips/etc greatly appreciated!
Regards,
John
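As an added illustration (not part of the original post, and not Struts2's own code), here is a small Node model of what the tokenSession interceptor checks, which shows the cases that yield invalid.token: a form posted without the token pair, a token already consumed by an earlier submit, and a token superseded because the page was rendered again before submission. The hidden-field and session-attribute names are taken from Struts2's TokenHelper as commonly documented; treat them as assumptions and confirm them against the version in use.

```javascript
// Model of the Struts2 token mechanism (constructed for illustration).
const TOKEN_NAME_FIELD = 'struts.token.name'; // hidden field rendered by <s:token/> (assumed name)
const SESSION_PREFIX = 'struts.tokens.';      // session attribute prefix (assumed name)
let counter = 0;                              // deterministic stand-in for the random token generator

// Models rendering <s:token/>: stores the token in the session and returns
// the two hidden fields the form will carry. Rendering the page again
// overwrites the session copy, so an earlier form's token becomes stale.
function renderToken(session, tokenName = 'token') {
  const value = 'TKN-' + (++counter);
  session.set(SESSION_PREFIX + tokenName, value);
  return { [TOKEN_NAME_FIELD]: tokenName, [tokenName]: value };
}

// Models the interceptor's validity check: the submitted token must equal the
// session copy, and a successful check consumes it (one-shot), so a second
// submit of the same form is rejected as a double post.
function validToken(session, params) {
  const tokenName = params[TOKEN_NAME_FIELD];
  if (!tokenName) return { ok: false, reason: 'no struts.token.name in request' };
  const submitted = params[tokenName];
  if (!submitted) return { ok: false, reason: 'no token value in request' };
  const key = SESSION_PREFIX + tokenName;
  const expected = session.get(key);
  if (!expected || expected !== submitted) {
    return { ok: false, reason: 'token does not match session (stale, consumed or forged)' };
  }
  session.delete(key);
  return { ok: true, reason: '' };
}

// Client-side pre-submit check for a handler like doUpdateObject(): given the
// serialized form fields (the shape $("form").serializeArray() returns),
// confirm the token pair is actually part of what is being posted.
function formCarriesToken(fields) {
  const byName = Object.fromEntries(fields.map(f => [f.name, f.value]));
  const tokenName = byName[TOKEN_NAME_FIELD];
  return Boolean(tokenName && byName[tokenName]);
}

module.exports = { renderToken, validToken, formCarriesToken, TOKEN_NAME_FIELD };
```

When debugging an invalid.token result, compare the posted struts.token.name and token values against the session attribute struts.tokens.&lt;name&gt; at the moment the interceptor runs; a missing pair, a consumed token, or a token from an earlier render of the page each fail the same way.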